Windows Analysis Report
Purchase Order.exe

Overview

General Information

Sample name: Purchase Order.exe
Analysis ID: 1420020
MD5: 654c1586b15a278983493f57f72cacb7
SHA1: 5b6df8769764505ffdb7691ac2150d4327eb8104
SHA256: 191239a61c70ba900694d294a164f4a162b84d11672871fbb5389967bbf52c7e
Tags: exeSnakeKeylogger
Infos:

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected Snake Keylogger
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Tries to load missing DLLs
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
404 Keylogger, Snake Keylogger Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection
barindex
Antivirus detection for URL or domain
Source: https://scratchdreams.tk Avira URL Cloud: Label: malware
Source: https://scratchdreams.tk/_send_.php?TS Avira URL Cloud: Label: malware
Source: http://scratchdreams.tk Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000000.00000002.2016558471.00000000038DE000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "tslogs@mksiimst.com", "Password": "EbxKZL@2", "Host": "us2.smtp.mailhostbox.com ", "Port": "587"}
Multi AV Scanner detection for domain / URL
Source: scratchdreams.tk Virustotal: Detection: 6% Perma Link
Source: http://scratchdreams.tk Virustotal: Detection: 6% Perma Link
Source: https://scratchdreams.tk Virustotal: Detection: 15% Perma Link
Multi AV Scanner detection for submitted file
Source: Purchase Order.exe ReversingLabs: Detection: 21%
Source: Purchase Order.exe Virustotal: Detection: 29% Perma Link
Machine Learning detection for sample
Source: Purchase Order.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: Purchase Order.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.5:49710 version: TLS 1.0
Source: unknown HTTPS traffic detected: 172.67.169.18:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: Purchase Order.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: EeBu.pdbSHA256 source: Purchase Order.exe
Source: Binary string: EeBu.pdb source: Purchase Order.exe
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 0152FCD1h 4_2_0152FA10
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 0152EFDDh 4_2_0152EDF0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 0152F967h 4_2_0152EDF0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 4_2_0152E310
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 06CC8945h 4_2_06CC8608
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 06CC72FAh 4_2_06CC7050
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 06CC6171h 4_2_06CC5EC8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 06CC58C1h 4_2_06CC5618
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 06CC6A21h 4_2_06CC6778
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 06CC0741h 4_2_06CC0498
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 06CC7751h 4_2_06CC74A8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 06CC0FF1h 4_2_06CC0D48
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 06CC8001h 4_2_06CC7D58
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 06CC5D19h 4_2_06CC5A70
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 06CC6E79h 4_2_06CC6BD0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 4_2_06CC33A8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 4_2_06CC33B8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 06CC65C9h 4_2_06CC6320
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 06CC0B99h 4_2_06CC08F0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 06CC02E9h 4_2_06CC0040
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 06CC5441h 4_2_06CC5198
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 06CC8459h 4_2_06CC81B0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 06CC7BA9h 4_2_06CC7900

Networking
barindex
Yara detected Generic Downloader
Source: Yara match File source: 4.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order.exe.39cb798.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order.exe.39aaf78.9.raw.unpack, type: UNPACKEDPE
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49733 -> 208.91.198.143:587
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /_send_.php?TS HTTP/1.1Host: scratchdreams.tkConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 208.91.198.143 208.91.198.143
Source: Joe Sandbox View IP Address: 104.21.67.152 104.21.67.152
Source: Joe Sandbox View IP Address: 172.67.169.18 172.67.169.18
Source: Joe Sandbox View IP Address: 132.226.247.73 132.226.247.73
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: checkip.dyndns.org
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.5:49733 -> 208.91.198.143:587
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.5:49710 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /_send_.php?TS HTTP/1.1Host: scratchdreams.tkConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: unknown DNS traffic detected: queries for: checkip.dyndns.org
Source: Purchase Order.exe, 00000004.00000002.4420689970.0000000003149000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.00000000030E4000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.00000000030FF000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.000000000310D000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.0000000003051000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.000000000313A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: Purchase Order.exe, 00000004.00000002.4420689970.0000000003045000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.0000000003149000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.0000000003094000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.00000000030E4000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.00000000030FF000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.000000000310D000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.000000000311B000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.0000000003051000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.000000000313A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: Purchase Order.exe, 00000004.00000002.4420689970.0000000002F91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: Purchase Order.exe, 00000000.00000002.2016558471.00000000038DE000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4418790694.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: Purchase Order.exe, 00000004.00000002.4420689970.0000000003149000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.00000000030E4000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.00000000030FF000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.0000000003069000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.000000000310D000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.000000000313A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://reallyfreegeoip.org
Source: Purchase Order.exe, 00000004.00000002.4420689970.0000000002F91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Purchase Order.exe, 00000004.00000002.4420689970.0000000003157000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://scratchdreams.tk
Source: Purchase Order.exe, 00000004.00000002.4420689970.0000000003262000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: Purchase Order.exe, 00000004.00000002.4420689970.0000000003149000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.0000000003094000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.00000000030E4000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.00000000030FF000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.000000000310D000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.0000000003051000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.000000000313A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: Purchase Order.exe, 00000000.00000002.2016558471.00000000038DE000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4418790694.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.0000000003051000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Purchase Order.exe, 00000004.00000002.4420689970.000000000313A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/102.129.152.231
Source: Purchase Order.exe, 00000004.00000002.4420689970.0000000003149000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.0000000003094000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.00000000030E4000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.00000000030FF000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.000000000310D000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.000000000313A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/102.129.152.231$
Source: Purchase Order.exe, 00000000.00000002.2016558471.00000000038DE000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4418790694.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.0000000003157000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://scratchdreams.tk
Source: Purchase Order.exe, 00000004.00000002.4420689970.0000000003157000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://scratchdreams.tk/_send_.php?TS
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown HTTPS traffic detected: 172.67.169.18:443 -> 192.168.2.5:49724 version: TLS 1.2

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0.2.Purchase Order.exe.39cb798.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Purchase Order.exe.39cb798.7.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Purchase Order.exe.39cb798.7.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Purchase Order.exe.39cb798.7.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Purchase Order.exe.39aaf78.9.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Purchase Order.exe.39aaf78.9.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Purchase Order.exe.39aaf78.9.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Purchase Order.exe.39aaf78.9.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Purchase Order.exe.39cb798.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Purchase Order.exe.39cb798.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Purchase Order.exe.39cb798.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Purchase Order.exe.39aaf78.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Purchase Order.exe.39aaf78.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Purchase Order.exe.39aaf78.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000004.00000002.4418790694.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.4418790694.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2016558471.00000000038DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2016558471.00000000038DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Purchase Order.exe PID: 5304, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Purchase Order.exe PID: 5304, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Purchase Order.exe PID: 3304, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Purchase Order.exe PID: 3304, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Purchase Order.exe
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Purchase Order.exe Process Stats: CPU usage > 49%
Detected potential crypto function
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_00C2D604 0_2_00C2D604
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_06D61680 0_2_06D61680
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_06D63598 0_2_06D63598
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_06D63588 0_2_06D63588
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_06D67D0C 0_2_06D67D0C
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_06D61AB8 0_2_06D61AB8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_06D61248 0_2_06D61248
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_06D63160 0_2_06D63160
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_01526168 4_2_01526168
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_0152C1F0 4_2_0152C1F0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_0152B388 4_2_0152B388
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_0152C4D0 4_2_0152C4D0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_01526790 4_2_01526790
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_0152C7B2 4_2_0152C7B2
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_015298B8 4_2_015298B8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_01524B31 4_2_01524B31
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_0152FA10 4_2_0152FA10
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_0152CA92 4_2_0152CA92
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_0152EDF0 4_2_0152EDF0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_0152BF10 4_2_0152BF10
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_015221A8 4_2_015221A8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_0152E310 4_2_0152E310
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_0152E300 4_2_0152E300
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_0152B552 4_2_0152B552
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_015235CA 4_2_015235CA
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CCB6E8 4_2_06CCB6E8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CCD670 4_2_06CCD670
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CC8608 4_2_06CC8608
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CC8C5B 4_2_06CC8C5B
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CCA408 4_2_06CCA408
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CCBD38 4_2_06CCBD38
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CCAA58 4_2_06CCAA58
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CCC388 4_2_06CCC388
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CCB0A0 4_2_06CCB0A0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CC7050 4_2_06CC7050
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CCD028 4_2_06CCD028
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CCC9D8 4_2_06CCC9D8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CC11A0 4_2_06CC11A0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CC5EC8 4_2_06CC5EC8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CCB6E3 4_2_06CCB6E3
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CC5EB8 4_2_06CC5EB8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CCD66B 4_2_06CCD66B
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CC560A 4_2_06CC560A
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CC5618 4_2_06CC5618
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CC676A 4_2_06CC676A
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CC6778 4_2_06CC6778
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CC3730 4_2_06CC3730
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CC0488 4_2_06CC0488
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CC0498 4_2_06CC0498
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CC7497 4_2_06CC7497
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CC74A8 4_2_06CC74A8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CC4430 4_2_06CC4430
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CC85F8 4_2_06CC85F8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CC0D48 4_2_06CC0D48
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CC7D48 4_2_06CC7D48
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CC7D58 4_2_06CC7D58
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CC0D39 4_2_06CC0D39
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CCBD36 4_2_06CCBD36
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CCF2A0 4_2_06CCF2A0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CCAA4B 4_2_06CCAA4B
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CC5A60 4_2_06CC5A60
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CC5A70 4_2_06CC5A70
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CCF273 4_2_06CCF273
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CC6BC1 4_2_06CC6BC1
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CC6BD0 4_2_06CC6BD0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CCA3FB 4_2_06CCA3FB
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CCC386 4_2_06CCC386
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CC33A8 4_2_06CC33A8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CC33B8 4_2_06CC33B8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CC6312 4_2_06CC6312
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CC6320 4_2_06CC6320
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CC08E0 4_2_06CC08E0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CC08F0 4_2_06CC08F0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CC78F0 4_2_06CC78F0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CCB09B 4_2_06CCB09B
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CC0040 4_2_06CC0040
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CC7040 4_2_06CC7040
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CC0007 4_2_06CC0007
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CC2807 4_2_06CC2807
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CC2818 4_2_06CC2818
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CCD026 4_2_06CCD026
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CCC9D3 4_2_06CCC9D3
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CC518A 4_2_06CC518A
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CC5198 4_2_06CC5198
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CC81A0 4_2_06CC81A0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CC81B0 4_2_06CC81B0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CC7900 4_2_06CC7900
Sample file is different than original file name gathered from version info
Source: Purchase Order.exe, 00000000.00000002.2016558471.00000000038DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Purchase Order.exe
Source: Purchase Order.exe, 00000000.00000002.2016558471.00000000038DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Purchase Order.exe
Source: Purchase Order.exe, 00000000.00000002.2018087751.0000000006B30000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Purchase Order.exe
Source: Purchase Order.exe, 00000000.00000000.1955472261.00000000002C8000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameEeBu.exe: vs Purchase Order.exe
Source: Purchase Order.exe, 00000000.00000002.2013482317.000000000098E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Purchase Order.exe
Source: Purchase Order.exe, 00000000.00000002.2016001178.000000000275B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Purchase Order.exe
Source: Purchase Order.exe, 00000004.00000002.4419161581.0000000001278000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Purchase Order.exe
Source: Purchase Order.exe, 00000004.00000002.4418790694.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Purchase Order.exe
Source: Purchase Order.exe, 00000004.00000002.4419016890.00000000010F7000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Purchase Order.exe
Source: Purchase Order.exe Binary or memory string: OriginalFilenameEeBu.exe: vs Purchase Order.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: dpapi.dll Jump to behavior
Uses 32bit PE files
Source: Purchase Order.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 0.2.Purchase Order.exe.39cb798.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Purchase Order.exe.39cb798.7.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Purchase Order.exe.39cb798.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Purchase Order.exe.39cb798.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Purchase Order.exe.39aaf78.9.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Purchase Order.exe.39aaf78.9.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Purchase Order.exe.39aaf78.9.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Purchase Order.exe.39aaf78.9.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Purchase Order.exe.39cb798.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Purchase Order.exe.39cb798.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Purchase Order.exe.39cb798.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Purchase Order.exe.39aaf78.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Purchase Order.exe.39aaf78.9.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Purchase Order.exe.39aaf78.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000004.00000002.4418790694.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.4418790694.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2016558471.00000000038DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2016558471.00000000038DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Purchase Order.exe PID: 5304, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Purchase Order.exe PID: 5304, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Purchase Order.exe PID: 3304, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Purchase Order.exe PID: 3304, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Purchase Order.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Purchase Order.exe.39cb798.7.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order.exe.39cb798.7.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order.exe.39cb798.7.raw.unpack, ----.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order.exe.39cb798.7.raw.unpack, ----.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order.exe.39aaf78.9.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order.exe.39aaf78.9.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order.exe.39aaf78.9.raw.unpack, ----.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order.exe.39aaf78.9.raw.unpack, ----.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order.exe.3a16900.8.raw.unpack, XxFjHXMucdrtqTOWBP.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Purchase Order.exe.6b30000.12.raw.unpack, XxFjHXMucdrtqTOWBP.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Purchase Order.exe.3a16900.8.raw.unpack, adcXZhbMFM4fJQUs1b.cs Security API names: _0020.SetAccessControl
Source: 0.2.Purchase Order.exe.3a16900.8.raw.unpack, adcXZhbMFM4fJQUs1b.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Purchase Order.exe.3a16900.8.raw.unpack, adcXZhbMFM4fJQUs1b.cs Security API names: _0020.AddAccessRule
Source: 0.2.Purchase Order.exe.6b30000.12.raw.unpack, adcXZhbMFM4fJQUs1b.cs Security API names: _0020.SetAccessControl
Source: 0.2.Purchase Order.exe.6b30000.12.raw.unpack, adcXZhbMFM4fJQUs1b.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Purchase Order.exe.6b30000.12.raw.unpack, adcXZhbMFM4fJQUs1b.cs Security API names: _0020.AddAccessRule
Source: 0.2.Purchase Order.exe.50e0000.11.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 0.2.Purchase Order.exe.2735630.4.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 0.2.Purchase Order.exe.2781750.2.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 0.2.Purchase Order.exe.273d648.6.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@5/1@4/4
Source: C:\Users\user\Desktop\Purchase Order.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase Order.exe.log Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Mutant created: NULL
Source: Purchase Order.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Purchase Order.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Purchase Order.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Purchase Order.exe, 00000004.00000002.4420689970.00000000031F8000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.000000000321F000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.00000000031E9000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4422610576.0000000004019000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.00000000031DA000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.000000000322C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Purchase Order.exe ReversingLabs: Detection: 21%
Source: Purchase Order.exe Virustotal: Detection: 29%
Source: unknown Process created: C:\Users\user\Desktop\Purchase Order.exe "C:\Users\user\Desktop\Purchase Order.exe"
Source: C:\Users\user\Desktop\Purchase Order.exe Process created: C:\Users\user\Desktop\Purchase Order.exe "C:\Users\user\Desktop\Purchase Order.exe"
Source: C:\Users\user\Desktop\Purchase Order.exe Process created: C:\Users\user\Desktop\Purchase Order.exe "C:\Users\user\Desktop\Purchase Order.exe"
Source: C:\Users\user\Desktop\Purchase Order.exe Process created: C:\Users\user\Desktop\Purchase Order.exe "C:\Users\user\Desktop\Purchase Order.exe" Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process created: C:\Users\user\Desktop\Purchase Order.exe "C:\Users\user\Desktop\Purchase Order.exe" Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: Purchase Order.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Purchase Order.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Purchase Order.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: EeBu.pdbSHA256 source: Purchase Order.exe
Source: Binary string: EeBu.pdb source: Purchase Order.exe

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: Purchase Order.exe, FormMainMenu.cs .Net Code: InitializeComponent
Source: 0.2.Purchase Order.exe.6b30000.12.raw.unpack, adcXZhbMFM4fJQUs1b.cs .Net Code: UwvUwCha1w System.Reflection.Assembly.Load(byte[])
Source: 0.2.Purchase Order.exe.3a16900.8.raw.unpack, adcXZhbMFM4fJQUs1b.cs .Net Code: UwvUwCha1w System.Reflection.Assembly.Load(byte[])
Source: 0.2.Purchase Order.exe.50c0000.10.raw.unpack, nL.cs .Net Code: sf
Source: 0.2.Purchase Order.exe.50c0000.10.raw.unpack, nL.cs .Net Code: wb System.Reflection.Assembly.Load(byte[])
Source: 0.2.Purchase Order.exe.272447c.1.raw.unpack, nL.cs .Net Code: sf
Source: 0.2.Purchase Order.exe.272447c.1.raw.unpack, nL.cs .Net Code: wb System.Reflection.Assembly.Load(byte[])
Binary contains a suspicious time stamp
Source: Purchase Order.exe Static PE information: 0xD78ABBA7 [Fri Aug 4 02:10:47 2084 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CC97E9 push ss; retf 4_2_06CC97EA
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CC97F8 push ss; retf 4_2_06CC9896
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CC8C51 push cs; retf 4_2_06CC8C52
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CC9A4B push ss; retf 4_2_06CC9A4E
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CCF0B3 push es; ret 4_2_06CCF0B8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_06CC9999 push ss; retf 4_2_06CC999A
Source: Purchase Order.exe Static PE information: section name: .text entropy: 7.904697572590049
Source: 0.2.Purchase Order.exe.6b30000.12.raw.unpack, IaqcXs97WBXJngyOcVe.cs High entropy of concatenated method names: 'zqUrnBUUwQ', 'c71rts6khn', 'Rl1rwjqkdH', 'g1Kr8l0hJy', 'YENrL4bkQr', 'gTjrfyeEGm', 'vlSrAreUqw', 'TKkrMB3ZA9', 'QHArSv78te', 'o6JrV7vJBi'
Source: 0.2.Purchase Order.exe.6b30000.12.raw.unpack, ov3QI7o2LQiP9hm7vr.cs High entropy of concatenated method names: 'DB8TBu7QVY', 'qYKTssZqPU', 'Wvw37J4cF0', 'vHK39XMx9m', 'gfeTN67Vra', 'cd4Ty8tO7m', 'x6UTW71aNS', 'bovTi7kfD9', 'sqsT1IuYhl', 'adeThc7uTr'
Source: 0.2.Purchase Order.exe.6b30000.12.raw.unpack, Y4XXcdBh2D3Y2wV0x9.cs High entropy of concatenated method names: 'FcP3qN5qNI', 'tob35L1yJK', 'XOv3EXgV7e', 'VmX3DHB5Xn', 'mnU3lVILcU', 'hZT3213GIu', 'ViB3bSfVLe', 'xIP3PJXA73', 'rSl3IoDgaK', 'wEQ36p0DhA'
Source: 0.2.Purchase Order.exe.6b30000.12.raw.unpack, ywuF0BhOIyhbeWVMWg.cs High entropy of concatenated method names: 'ToString', 'PxPvNeIakL', 'di1vYXwe9E', 'fuVvXfgBHr', 'GDkvjL3DyL', 'kNVvmrlcR1', 'LstvZEIThp', 'qPIvK9Zu6v', 'qgovp0MT98', 'RjFvdCQVBw'
Source: 0.2.Purchase Order.exe.6b30000.12.raw.unpack, KeBha09ksgHQPmF1Kkl.cs High entropy of concatenated method names: 'v4tFnRBgNj', 'Y0oFtLHmhs', 'XrrFwZnqlM', 'NSN0WhtWHn31qfanBre', 'scom7ltCgRTvQT19IkL', 'wuMVDotbw5CpJUKOKEG', 'pKQc2UtcJYXTBZZTYpr'
Source: 0.2.Purchase Order.exe.6b30000.12.raw.unpack, I5pNCkiWrBKvjFFeIg.cs High entropy of concatenated method names: 'bBZgG5oCOL', 'wdFgyRWuEd', 'qPjgi4Vl6A', 'UICg1bWIlo', 'yUNgY5i5E3', 'zZIgXaVPoe', 'AnIgjPpsMw', 'z1qgmsgrW0', 'ghcgZWYKs9', 'nASgK1nWjy'
Source: 0.2.Purchase Order.exe.6b30000.12.raw.unpack, yvFojtKGVoQZfW7OCQ.cs High entropy of concatenated method names: 'NDl2qJYvaW', 'E7p2EMHpSG', 'rEZ2lPSkVP', 'WRRls1qJs6', 'bcWlzqxoxg', 'S7527QPEvF', 'Ig729ycXku', 'Sb42kVWksg', 'TqU2QVslFC', 'SZT2Ut2cLm'
Source: 0.2.Purchase Order.exe.6b30000.12.raw.unpack, dwatSuHMe1qQvliJey.cs High entropy of concatenated method names: 'o6qlJCYC05', 'J3ml5Fs92h', 'VTXlDkJeAT', 'UECl2SYdS3', 'ltalbQ6Jcj', 'FtqDCWTmTn', 'eOiDoN1R2j', 'IPNDuppopc', 'pBWDBrsfa0', 'iRaDOhY5Rn'
Source: 0.2.Purchase Order.exe.6b30000.12.raw.unpack, VolHSssxIRWE0AycLQ.cs High entropy of concatenated method names: 'RJ5r9IC07i', 'b7ZrQqdTt9', 'C6trUSsnFJ', 'nfIrq4XwJq', 'hbZr5s0PsC', 'OyRrDNQDZG', 'WUhrlNYeU2', 'Nyy3u9JwhX', 'dMv3BCgvlo', 'IUh3O9Ra48'
Source: 0.2.Purchase Order.exe.6b30000.12.raw.unpack, YwUR0vWdBmCNu00DFo.cs High entropy of concatenated method names: 'beV4MAgDPu', 'OyA4S0KfpZ', 'zRI4Hocl7M', 'NZH4YbcQgw', 'T2W4jqQfdw', 'XSw4m9qabx', 'eaN4KdrMo1', 'VM04pReKCq', 'qSF4GJGHR0', 'BpS4NElP8p'
Source: 0.2.Purchase Order.exe.6b30000.12.raw.unpack, aOOOxadFB9Bng1Fk99.cs High entropy of concatenated method names: 'xP72nkJCYZ', 'kuH2tYiVjD', 'Aac2war4CM', 'yan28KtEqd', 'vE52LFsWid', 'QZk2fgFGtx', 'pI62A6WFTo', 'uoK2MijTYX', 'Brm2S5VSbP', 'V6m2VXkeNQ'
Source: 0.2.Purchase Order.exe.6b30000.12.raw.unpack, XxFjHXMucdrtqTOWBP.cs High entropy of concatenated method names: 'r6V5i8uMtC', 'FNU51Gf7Qc', 'Hyt5hs8p2m', 'zVx5e4byt7', 'OA15Cqs50d', 'o385o61ALa', 'GKL5uqdONB', 'nWw5BSI9vL', 't1u5OkNGOM', 'TOi5sfCh2x'
Source: 0.2.Purchase Order.exe.6b30000.12.raw.unpack, sMWB1oOcSfDcEGsrEo.cs High entropy of concatenated method names: 'RaL3HypbgQ', 'l5P3YQiR9Z', 'cWb3XSYgle', 'm5m3jZCHEL', 'YOk3irS244', 'pB13mw13Cx', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Purchase Order.exe.6b30000.12.raw.unpack, XtyULeSecluK2WEKkB.cs High entropy of concatenated method names: 'F4OE8shA3S', 'JYsEfw9fsy', 'wnDEMBME2M', 'MOcESJSlHK', 'KobEgBePNa', 'VK3EvMqSM5', 'PV4ET5ubXT', 'IgHE3PkTkI', 'CSLErGMV6U', 'APOEFYlhEk'
Source: 0.2.Purchase Order.exe.6b30000.12.raw.unpack, FOrW3W5UUNYhKWNjPf.cs High entropy of concatenated method names: 'Dispose', 'SoG9OgMiJh', 'E2fkY0Au3I', 'aLeUURJX9e', 'xs49sXXcdh', 'jD39zY2wV0', 'ProcessDialogKey', 'v9Fk7MWB1o', 'uSfk9DcEGs', 'rEokkoolHS'
Source: 0.2.Purchase Order.exe.6b30000.12.raw.unpack, u1ytKukRLLd4g2nvo4.cs High entropy of concatenated method names: 'nBpwbIIod', 'oHr8ZbU5Y', 'DLqfbmTY2', 'd7CATYFVY', 'XFUSaquiO', 'oO1V4CNPW', 'e0g8jGTqydhN100I9S', 'EVXN6ud1Gs7T9aoLMw', 'UHP3ISZfR', 'MMHFf6CEZ'
Source: 0.2.Purchase Order.exe.6b30000.12.raw.unpack, BihELb9QnKSKCOgd75n.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VyqFipqdSc', 'AgNF14XJs5', 'wh1FhuE0IP', 'BbZFeFOqOk', 'frsFCf3tPj', 'TPfFofFtpH', 'WbQFuNhQoX'
Source: 0.2.Purchase Order.exe.6b30000.12.raw.unpack, adcXZhbMFM4fJQUs1b.cs High entropy of concatenated method names: 'y6mQJDmITU', 'uHCQq6qZUY', 'f82Q5EMCwH', 'HFpQEq96TP', 'FoNQD8WPLN', 'IfRQlbImO6', 'LZEQ2pyCiG', 'q3AQba9E66', 'EN1QPk5ZVd', 'pBbQIehPAq'
Source: 0.2.Purchase Order.exe.6b30000.12.raw.unpack, sbL4qKV2G32ksHUvGX.cs High entropy of concatenated method names: 'RixDLGKKZw', 'o00DAb2kVT', 'oJtEXJGXo8', 'BhREjmV1c8', 'yf7EmjWpH1', 'S9MEZgvtOc', 'qO1EKXCHhG', 'DnAEpm48jH', 'tLaEdlF00Q', 'qsiEGwFXnq'
Source: 0.2.Purchase Order.exe.6b30000.12.raw.unpack, Vs3SJqUNwpqIpO9ISn.cs High entropy of concatenated method names: 'ARB92xFjHX', 'Wcd9brtqTO', 'Tec9IluK2W', 'gKk96BFbL4', 'GUv9gGXQwa', 'zSu9vMe1qQ', 'Ov7D2El9bDMG2mVM1h', 'mCBmNTncR8cdd9efA9', 'S5w99BZoaR', 'o2a9QGtnEr'
Source: 0.2.Purchase Order.exe.3a16900.8.raw.unpack, IaqcXs97WBXJngyOcVe.cs High entropy of concatenated method names: 'zqUrnBUUwQ', 'c71rts6khn', 'Rl1rwjqkdH', 'g1Kr8l0hJy', 'YENrL4bkQr', 'gTjrfyeEGm', 'vlSrAreUqw', 'TKkrMB3ZA9', 'QHArSv78te', 'o6JrV7vJBi'
Source: 0.2.Purchase Order.exe.3a16900.8.raw.unpack, ov3QI7o2LQiP9hm7vr.cs High entropy of concatenated method names: 'DB8TBu7QVY', 'qYKTssZqPU', 'Wvw37J4cF0', 'vHK39XMx9m', 'gfeTN67Vra', 'cd4Ty8tO7m', 'x6UTW71aNS', 'bovTi7kfD9', 'sqsT1IuYhl', 'adeThc7uTr'
Source: 0.2.Purchase Order.exe.3a16900.8.raw.unpack, Y4XXcdBh2D3Y2wV0x9.cs High entropy of concatenated method names: 'FcP3qN5qNI', 'tob35L1yJK', 'XOv3EXgV7e', 'VmX3DHB5Xn', 'mnU3lVILcU', 'hZT3213GIu', 'ViB3bSfVLe', 'xIP3PJXA73', 'rSl3IoDgaK', 'wEQ36p0DhA'
Source: 0.2.Purchase Order.exe.3a16900.8.raw.unpack, ywuF0BhOIyhbeWVMWg.cs High entropy of concatenated method names: 'ToString', 'PxPvNeIakL', 'di1vYXwe9E', 'fuVvXfgBHr', 'GDkvjL3DyL', 'kNVvmrlcR1', 'LstvZEIThp', 'qPIvK9Zu6v', 'qgovp0MT98', 'RjFvdCQVBw'
Source: 0.2.Purchase Order.exe.3a16900.8.raw.unpack, KeBha09ksgHQPmF1Kkl.cs High entropy of concatenated method names: 'v4tFnRBgNj', 'Y0oFtLHmhs', 'XrrFwZnqlM', 'NSN0WhtWHn31qfanBre', 'scom7ltCgRTvQT19IkL', 'wuMVDotbw5CpJUKOKEG', 'pKQc2UtcJYXTBZZTYpr'
Source: 0.2.Purchase Order.exe.3a16900.8.raw.unpack, I5pNCkiWrBKvjFFeIg.cs High entropy of concatenated method names: 'bBZgG5oCOL', 'wdFgyRWuEd', 'qPjgi4Vl6A', 'UICg1bWIlo', 'yUNgY5i5E3', 'zZIgXaVPoe', 'AnIgjPpsMw', 'z1qgmsgrW0', 'ghcgZWYKs9', 'nASgK1nWjy'
Source: 0.2.Purchase Order.exe.3a16900.8.raw.unpack, yvFojtKGVoQZfW7OCQ.cs High entropy of concatenated method names: 'NDl2qJYvaW', 'E7p2EMHpSG', 'rEZ2lPSkVP', 'WRRls1qJs6', 'bcWlzqxoxg', 'S7527QPEvF', 'Ig729ycXku', 'Sb42kVWksg', 'TqU2QVslFC', 'SZT2Ut2cLm'
Source: 0.2.Purchase Order.exe.3a16900.8.raw.unpack, dwatSuHMe1qQvliJey.cs High entropy of concatenated method names: 'o6qlJCYC05', 'J3ml5Fs92h', 'VTXlDkJeAT', 'UECl2SYdS3', 'ltalbQ6Jcj', 'FtqDCWTmTn', 'eOiDoN1R2j', 'IPNDuppopc', 'pBWDBrsfa0', 'iRaDOhY5Rn'
Source: 0.2.Purchase Order.exe.3a16900.8.raw.unpack, VolHSssxIRWE0AycLQ.cs High entropy of concatenated method names: 'RJ5r9IC07i', 'b7ZrQqdTt9', 'C6trUSsnFJ', 'nfIrq4XwJq', 'hbZr5s0PsC', 'OyRrDNQDZG', 'WUhrlNYeU2', 'Nyy3u9JwhX', 'dMv3BCgvlo', 'IUh3O9Ra48'
Source: 0.2.Purchase Order.exe.3a16900.8.raw.unpack, YwUR0vWdBmCNu00DFo.cs High entropy of concatenated method names: 'beV4MAgDPu', 'OyA4S0KfpZ', 'zRI4Hocl7M', 'NZH4YbcQgw', 'T2W4jqQfdw', 'XSw4m9qabx', 'eaN4KdrMo1', 'VM04pReKCq', 'qSF4GJGHR0', 'BpS4NElP8p'
Source: 0.2.Purchase Order.exe.3a16900.8.raw.unpack, aOOOxadFB9Bng1Fk99.cs High entropy of concatenated method names: 'xP72nkJCYZ', 'kuH2tYiVjD', 'Aac2war4CM', 'yan28KtEqd', 'vE52LFsWid', 'QZk2fgFGtx', 'pI62A6WFTo', 'uoK2MijTYX', 'Brm2S5VSbP', 'V6m2VXkeNQ'
Source: 0.2.Purchase Order.exe.3a16900.8.raw.unpack, XxFjHXMucdrtqTOWBP.cs High entropy of concatenated method names: 'r6V5i8uMtC', 'FNU51Gf7Qc', 'Hyt5hs8p2m', 'zVx5e4byt7', 'OA15Cqs50d', 'o385o61ALa', 'GKL5uqdONB', 'nWw5BSI9vL', 't1u5OkNGOM', 'TOi5sfCh2x'
Source: 0.2.Purchase Order.exe.3a16900.8.raw.unpack, sMWB1oOcSfDcEGsrEo.cs High entropy of concatenated method names: 'RaL3HypbgQ', 'l5P3YQiR9Z', 'cWb3XSYgle', 'm5m3jZCHEL', 'YOk3irS244', 'pB13mw13Cx', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Purchase Order.exe.3a16900.8.raw.unpack, XtyULeSecluK2WEKkB.cs High entropy of concatenated method names: 'F4OE8shA3S', 'JYsEfw9fsy', 'wnDEMBME2M', 'MOcESJSlHK', 'KobEgBePNa', 'VK3EvMqSM5', 'PV4ET5ubXT', 'IgHE3PkTkI', 'CSLErGMV6U', 'APOEFYlhEk'
Source: 0.2.Purchase Order.exe.3a16900.8.raw.unpack, FOrW3W5UUNYhKWNjPf.cs High entropy of concatenated method names: 'Dispose', 'SoG9OgMiJh', 'E2fkY0Au3I', 'aLeUURJX9e', 'xs49sXXcdh', 'jD39zY2wV0', 'ProcessDialogKey', 'v9Fk7MWB1o', 'uSfk9DcEGs', 'rEokkoolHS'
Source: 0.2.Purchase Order.exe.3a16900.8.raw.unpack, u1ytKukRLLd4g2nvo4.cs High entropy of concatenated method names: 'nBpwbIIod', 'oHr8ZbU5Y', 'DLqfbmTY2', 'd7CATYFVY', 'XFUSaquiO', 'oO1V4CNPW', 'e0g8jGTqydhN100I9S', 'EVXN6ud1Gs7T9aoLMw', 'UHP3ISZfR', 'MMHFf6CEZ'
Source: 0.2.Purchase Order.exe.3a16900.8.raw.unpack, BihELb9QnKSKCOgd75n.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VyqFipqdSc', 'AgNF14XJs5', 'wh1FhuE0IP', 'BbZFeFOqOk', 'frsFCf3tPj', 'TPfFofFtpH', 'WbQFuNhQoX'
Source: 0.2.Purchase Order.exe.3a16900.8.raw.unpack, adcXZhbMFM4fJQUs1b.cs High entropy of concatenated method names: 'y6mQJDmITU', 'uHCQq6qZUY', 'f82Q5EMCwH', 'HFpQEq96TP', 'FoNQD8WPLN', 'IfRQlbImO6', 'LZEQ2pyCiG', 'q3AQba9E66', 'EN1QPk5ZVd', 'pBbQIehPAq'
Source: 0.2.Purchase Order.exe.3a16900.8.raw.unpack, sbL4qKV2G32ksHUvGX.cs High entropy of concatenated method names: 'RixDLGKKZw', 'o00DAb2kVT', 'oJtEXJGXo8', 'BhREjmV1c8', 'yf7EmjWpH1', 'S9MEZgvtOc', 'qO1EKXCHhG', 'DnAEpm48jH', 'tLaEdlF00Q', 'qsiEGwFXnq'
Source: 0.2.Purchase Order.exe.3a16900.8.raw.unpack, Vs3SJqUNwpqIpO9ISn.cs High entropy of concatenated method names: 'ARB92xFjHX', 'Wcd9brtqTO', 'Tec9IluK2W', 'gKk96BFbL4', 'GUv9gGXQwa', 'zSu9vMe1qQ', 'Ov7D2El9bDMG2mVM1h', 'mCBmNTncR8cdd9efA9', 'S5w99BZoaR', 'o2a9QGtnEr'
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\Purchase Order.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: Purchase Order.exe PID: 5304, type: MEMORYSTR
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\Purchase Order.exe Memory allocated: 920000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Memory allocated: 2700000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Memory allocated: B80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Memory allocated: 73E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Memory allocated: 6BB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Memory allocated: 84E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Memory allocated: 94E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Memory allocated: 1520000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Memory allocated: 2F90000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Memory allocated: 4F90000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 599891 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 599781 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 599672 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 599563 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 599438 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 599313 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 599188 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 599078 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 598969 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 598844 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 598729 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 598625 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 598516 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 598406 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 598293 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 598188 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 598063 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 597953 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 597844 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 597719 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 597609 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 597500 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 597391 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 597281 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 597172 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 597063 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 596938 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 596828 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 596719 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 596594 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 596484 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 596375 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 596266 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 596156 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 596047 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 595938 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 595813 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 595703 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 595594 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 595469 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 595359 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 595250 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 595135 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 595031 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 594922 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 594813 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 594688 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 594578 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 594469 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\Purchase Order.exe Window / User API: threadDelayed 8513 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Window / User API: threadDelayed 1337 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 180 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796 Thread sleep time: -27670116110564310s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796 Thread sleep time: -599891s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 5884 Thread sleep count: 8513 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 5884 Thread sleep count: 1337 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796 Thread sleep time: -599781s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796 Thread sleep time: -599672s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796 Thread sleep time: -599563s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796 Thread sleep time: -599438s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796 Thread sleep time: -599313s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796 Thread sleep time: -599188s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796 Thread sleep time: -599078s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796 Thread sleep time: -598969s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796 Thread sleep time: -598844s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796 Thread sleep time: -598729s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796 Thread sleep time: -598625s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796 Thread sleep time: -598516s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796 Thread sleep time: -598406s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796 Thread sleep time: -598293s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796 Thread sleep time: -598188s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796 Thread sleep time: -598063s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796 Thread sleep time: -597953s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796 Thread sleep time: -597844s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796 Thread sleep time: -597719s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796 Thread sleep time: -597609s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796 Thread sleep time: -597500s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796 Thread sleep time: -597391s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796 Thread sleep time: -597281s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796 Thread sleep time: -597172s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796 Thread sleep time: -597063s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796 Thread sleep time: -596938s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796 Thread sleep time: -596828s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796 Thread sleep time: -596719s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796 Thread sleep time: -596594s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796 Thread sleep time: -596484s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796 Thread sleep time: -596375s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796 Thread sleep time: -596266s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796 Thread sleep time: -596156s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796 Thread sleep time: -596047s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796 Thread sleep time: -595938s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796 Thread sleep time: -595813s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796 Thread sleep time: -595703s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796 Thread sleep time: -595594s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796 Thread sleep time: -595469s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796 Thread sleep time: -595359s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796 Thread sleep time: -595250s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796 Thread sleep time: -595135s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796 Thread sleep time: -595031s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796 Thread sleep time: -594922s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796 Thread sleep time: -594813s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796 Thread sleep time: -594688s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796 Thread sleep time: -594578s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796 Thread sleep time: -594469s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 599891 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 599781 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 599672 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 599563 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 599438 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 599313 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 599188 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 599078 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 598969 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 598844 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 598729 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 598625 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 598516 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 598406 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 598293 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 598188 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 598063 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 597953 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 597844 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 597719 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 597609 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 597500 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 597391 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 597281 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 597172 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 597063 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 596938 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 596828 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 596719 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 596594 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 596484 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 596375 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 596266 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 596156 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 596047 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 595938 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 595813 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 595703 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 595594 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 595469 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 595359 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 595250 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 595135 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 595031 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 594922 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 594813 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 594688 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 594578 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 594469 Jump to behavior
Source: Purchase Order.exe, 00000004.00000002.4419161581.00000000012A5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\Purchase Order.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Purchase Order.exe Memory written: C:\Users\user\Desktop\Purchase Order.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Purchase Order.exe Process created: C:\Users\user\Desktop\Purchase Order.exe "C:\Users\user\Desktop\Purchase Order.exe" Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process created: C:\Users\user\Desktop\Purchase Order.exe "C:\Users\user\Desktop\Purchase Order.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Users\user\Desktop\Purchase Order.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Users\user\Desktop\Purchase Order.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 0.2.Purchase Order.exe.39cb798.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order.exe.39aaf78.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order.exe.39cb798.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order.exe.39aaf78.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.4420689970.0000000003262000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4418790694.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2016558471.00000000038DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4420689970.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Purchase Order.exe PID: 5304, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Purchase Order.exe PID: 3304, type: MEMORYSTR
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Purchase Order.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\Purchase Order.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\ Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 0.2.Purchase Order.exe.39cb798.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order.exe.39aaf78.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order.exe.39cb798.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order.exe.39aaf78.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.4418790694.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2016558471.00000000038DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Purchase Order.exe PID: 5304, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Purchase Order.exe PID: 3304, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 0.2.Purchase Order.exe.39cb798.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order.exe.39aaf78.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order.exe.39cb798.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order.exe.39aaf78.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.4420689970.0000000003262000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4418790694.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2016558471.00000000038DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4420689970.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Purchase Order.exe PID: 5304, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Purchase Order.exe PID: 3304, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1420020 Sample: Purchase Order.exe Startdate: 04/04/2024 Architecture: WINDOWS Score: 100 16 checkip.dyndns.org 2->16 18 us2.smtp.mailhostbox.com 2->18 20 3 other IPs or domains 2->20 28 Multi AV Scanner detection for domain / URL 2->28 30 Found malware configuration 2->30 32 Malicious sample detected (through community Yara rule) 2->32 34 8 other signatures 2->34 7 Purchase Order.exe 3 2->7         started        signatures3 process4 signatures5 36 Injects a PE file into a foreign processes 7->36 10 Purchase Order.exe 15 2 7->10         started        14 Purchase Order.exe 7->14         started        process6 dnsIp7 22 checkip.dyndns.com 132.226.247.73, 49709, 49712, 49714 UTMEMUS United States 10->22 24 us2.smtp.mailhostbox.com 208.91.198.143, 49733, 587 PUBLIC-DOMAIN-REGISTRYUS United States 10->24 26 2 other IPs or domains 10->26 38 Tries to steal Mail credentials (via file / registry access) 10->38 40 Tries to harvest and steal browser information (history, passwords, etc) 10->40 signatures8
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
208.91.198.143
 us2.smtp.mailhostbox.com United States
394695 PUBLIC-DOMAIN-REGISTRYUS false
104.21.67.152
 reallyfreegeoip.org United States
13335 CLOUDFLARENETUS false
172.67.169.18
 scratchdreams.tk United States
13335 CLOUDFLARENETUS false
132.226.247.73
 checkip.dyndns.com United States
16989 UTMEMUS false

Contacted Domains

Name IP Active
us2.smtp.mailhostbox.com 208.91.198.143 true
reallyfreegeoip.org 104.21.67.152 true
scratchdreams.tk 172.67.169.18 true
checkip.dyndns.com 132.226.247.73 true
checkip.dyndns.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://checkip.dyndns.org/ false
  • URL Reputation: safe
  • URL Reputation: safe
 unknown
https://scratchdreams.tk/_send_.php?TS false
  • 1%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown
https://reallyfreegeoip.org/xml/102.129.152.231 false
  • Avira URL Cloud: safe
 unknown