Windows Analysis Report
Purchase Order.exe

Overview

General Information

Sample name: Purchase Order.exe
Analysis ID: 1420681
MD5: 10e2a14bbd30f30c2cb7260741a3d70f
SHA1: aaf6c61c6f5e908e164de1b539096caf9fd9b4d2
SHA256: 8fb359ccf3a3b6a0eff8204f9ee27c2dc41b3270721716192a7ef9253453b59b
Tags: exeSnakeKeylogger

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected Snake Keylogger
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Tries to load missing DLLs
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection

Source: Purchase Order.exe Avira: detected
Source: https://scratchdreams.tk Avira URL Cloud: Label: malware
Source: https://scratchdreams.tk/_send_.php?TS Avira URL Cloud: Label: malware
Source: http://scratchdreams.tk Avira URL Cloud: Label: malware
Source: 00000003.00000002.1413538871.00000000036BE000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "tslogs@mksiimst.com", "Password": "EbxKZL@2", "Host": "us2.smtp.mailhostbox.com ", "Port": "587"}
Source: scratchdreams.tk Virustotal: Detection: 6%
Source: http://scratchdreams.tk Virustotal: Detection: 6%
Source: https://scratchdreams.tk Virustotal: Detection: 15%
Source: Purchase Order.exe ReversingLabs: Detection: 31%
Source: Purchase Order.exe Virustotal: Detection: 36%
Source: Purchase Order.exe Joe Sandbox ML: detected
Source: Purchase Order.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.9:49712 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.21.27.85:443 -> 192.168.2.9:49728 version: TLS 1.2
Source: Purchase Order.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: FRZs.pdbSHA256 source: Purchase Order.exe
Source: Binary string: FRZs.pdb source: Purchase Order.exe
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 0152FCD1h 8_2_0152FA10
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 0152EFDDh 8_2_0152EDF0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 0152F967h 8_2_0152EDF0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 8_2_0152E310
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 8_2_0152E943
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 8_2_0152EB23
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 05A98945h 8_2_05A98608
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 05A90FF1h 8_2_05A90D48
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 05A98001h 8_2_05A97D58
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 05A97751h 8_2_05A974A8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 05A90741h 8_2_05A90498
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 05A96A21h 8_2_05A96778
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 05A96171h 8_2_05A95EC8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 05A958C1h 8_2_05A95618
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 05A98459h 8_2_05A981B0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 05A95441h 8_2_05A95198
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 05A97BA9h 8_2_05A97900
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 05A90B99h 8_2_05A908F0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 05A902E9h 8_2_05A90040
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 05A972FAh 8_2_05A97050
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 8_2_05A933A8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 8_2_05A933B8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 05A96E79h 8_2_05A96BD0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 05A965C9h 8_2_05A96320
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 05A95D19h 8_2_05A95A70
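
The "4x nop then jmp" entries above are the sandbox's disassembly heuristic for inlined NOP padding immediately before a jump, which is what the "Found inlined nop instructions" and "Uses code obfuscation techniques" signatures key on. The Python scanner below is an added example and is not code from the report or from the sandbox vendor: it walks a raw x86 code buffer, finds runs of at least four single-byte NOPs (0x90) followed by a jmp rel8 (EB) or jmp rel32 (E9), and resolves the jump target from the signed displacement. The byte buffer is constructed for the example (it is not bytes from the sample) and is laid out so that the first hit reproduces the report's jump to 0152FCD1h from the function at 0152FA10h; the function names are the example's own.

```python
import struct

NOP, JMP_REL32, JMP_REL8 = 0x90, 0xE9, 0xEB


def find_nop_then_jmp(code, base, min_nops=4):
    """Scan raw x86 bytes for >= min_nops consecutive single-byte NOPs that are
    immediately followed by a jmp rel8 (EB) or jmp rel32 (E9).

    Returns (run_va, nop_count, jmp_va, target_va) tuples. Multi-byte NOP
    forms (66 90, 0F 1F ...) are deliberately not matched: the sandbox hit
    being reproduced is the plain 0x90 run.
    """
    hits = []
    i, n = 0, len(code)
    while i < n:
        if code[i] != NOP:
            i += 1
            continue
        start = i
        while i < n and code[i] == NOP:
            i += 1
        count = i - start
        if count < min_nops or i >= n:
            continue            # short run, or buffer ended inside the run
        op = code[i]
        if op == JMP_REL32 and i + 5 <= n:
            rel = struct.unpack_from("<i", code, i + 1)[0]
            # target = address of the next instruction + signed displacement
            hits.append((base + start, count, base + i, base + i + 5 + rel))
        elif op == JMP_REL8 and i + 2 <= n:
            rel = struct.unpack_from("<b", code, i + 1)[0]
            hits.append((base + start, count, base + i, base + i + 2 + rel))
    return hits


def describe(hits):
    """Render hits in the report's own wording, e.g. '4x nop then jmp 0152FCD1h'."""
    return [f"{count}x nop then jmp {target:08X}h (run at {run:08X}h)"
            for run, count, _jmp, target in hits]


def build_sample():
    """Constructed code buffer (not bytes from the sample), laid out so that the
    first hit reproduces the report's '4x nop then jmp 0152FCD1h' at 0152FA10h."""
    base = 0x0152FA10
    prologue = bytes([0x55, 0x8B, 0xEC])           # push ebp; mov ebp, esp
    jmp_at = len(prologue) + 4                     # the jmp sits after 4 NOPs
    rel32 = 0x0152FCD1 - (base + jmp_at + 5)       # displacement to reach 0152FCD1h
    code = (
        prologue
        + b"\x90" * 4 + b"\xE9" + struct.pack("<i", rel32)   # 4 NOPs, jmp rel32
        + b"\x33\xC0"                                         # xor eax, eax
        + b"\x90" * 3 + b"\xEB\x05"                           # only 3 NOPs: ignored
        + b"\x90" * 5 + b"\xEB\xF0"                           # 5 NOPs, jmp rel8 backwards
        + b"\xC3"                                             # ret
    )
    return base, code


if __name__ == "__main__":
    base, code = build_sample()
    for line in describe(find_nop_then_jmp(code, base)):
        print(line)
```

Running it prints two hits: the reproduced 4-NOP jump to 0152FCD1h and the 5-NOP short jump back into the function; the 3-NOP run is below the threshold and is skipped, exactly as the sandbox's "4x" wording implies. On a real sample the buffer would come from a dumped JIT region or an unpacked section rather than from build_sample().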

Networking

Source: Yara match File source: 8.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order.exe.37abb20.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order.exe.378b300.9.raw.unpack, type: UNPACKEDPE
Source: global traffic TCP traffic: 192.168.2.9:49730 -> 208.91.199.225:587
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /_send_.php?TS HTTP/1.1 Host: scratchdreams.tk Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 208.91.199.225
Source: Joe Sandbox View IP Address: 158.101.44.242
Source: Joe Sandbox View IP Address: 172.67.177.134
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: checkip.dyndns.org
Source: Purchase Order.exe, 00000008.00000002.3808084232.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.0000000003101000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000030C7000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.0000000003019000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000030B9000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.0000000003111000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: Purchase Order.exe, 00000008.00000002.3808084232.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.0000000003101000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000030E2000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000030C7000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.000000000300D000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.0000000003019000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000030B9000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.0000000003111000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.000000000305C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: Purchase Order.exe, 00000008.00000002.3808084232.0000000002F51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: Purchase Order.exe, 00000003.00000002.1413538871.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3800315530.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: Purchase Order.exe, 00000008.00000002.3808084232.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.0000000003101000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000030C7000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.0000000003031000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000030B9000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.0000000003111000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://reallyfreegeoip.org
Source: Purchase Order.exe, 00000008.00000002.3808084232.0000000002F51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Purchase Order.exe, 00000008.00000002.3808084232.0000000003111000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://scratchdreams.tk
Source: Purchase Order.exe, 00000008.00000002.3808084232.0000000003232000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: Purchase Order.exe, 00000008.00000002.3811063229.0000000006750000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.cJ
Source: Purchase Order.exe, 00000008.00000002.3808084232.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.0000000003101000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000030C7000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.0000000003019000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000030B9000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.0000000003111000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.000000000305C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: Purchase Order.exe, 00000003.00000002.1413538871.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.0000000003019000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3800315530.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Purchase Order.exe, 00000008.00000002.3808084232.000000000305C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/102.129.152.231
Source: Purchase Order.exe, 00000008.00000002.3808084232.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.0000000003101000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000030C7000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000030B9000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.0000000003111000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.000000000305C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/102.129.152.231$
Source: Purchase Order.exe, 00000003.00000002.1413538871.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3800315530.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.0000000003111000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://scratchdreams.tk
Source: Purchase Order.exe, 00000008.00000002.3808084232.0000000003111000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://scratchdreams.tk/_send_.php?TS
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
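
The Networking section above is the evidence behind several signatures at once: the connection to 208.91.199.225:587 is the SMTP exfiltration channel named in the extracted configuration, the repeated GETs to checkip.dyndns.org and reallyfreegeoip.org are the external-IP lookup, the GET to scratchdreams.tk carries no User-Agent, and the checkip requests carry the fixed MSIE 6.0 string. The Python helper below is an added example, not code from the Joe Sandbox report: it parses "global traffic" lines in the report's text format (header fields may be run together or space-separated), extracts network IOCs, and re-derives those behavioural signatures from the raw lines. The IP-check host list, SMTP port set and function names are the example's own assumptions, and the four embedded sample lines are copied from this report as constructed input.

```python
import re

# The example's own assumptions, seeded from this report: public IP-lookup
# services abused for victim geolocation, and mail submission/relay ports.
IP_CHECK_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com", "reallyfreegeoip.org"}
SMTP_PORTS = {25, 465, 587}
LEGACY_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"

TCP_RE = re.compile(
    r"TCP traffic: (\d{1,3}(?:\.\d{1,3}){3}):(\d+) -> (\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
HTTP_RE = re.compile(r"HTTP traffic detected: (GET|POST) (\S+) HTTP/1\.[01]\s*(.*)$")
# The text export loses the CRLFs between request headers, so each header value
# is read lazily up to the next known header name (or the end of the line).
HDR_RE = re.compile(
    r"(User-Agent|Host|Connection): ?(.*?)\s*(?=(?:User-Agent|Host|Connection):|$)")

# Constructed sample input: four lines copied from the Networking section.
SAMPLE_LINES = [
    "Source: global traffic TCP traffic: 192.168.2.9:49730 -> 208.91.199.225:587",
    "Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1"
    "Host: reallyfreegeoip.orgConnection: Keep-Alive",
    "Source: global traffic HTTP traffic detected: GET /_send_.php?TS HTTP/1.1"
    "Host: scratchdreams.tkConnection: Keep-Alive",
    "Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 "
    "(compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org"
    "Connection: Keep-Alive",
]


def parse_line(line):
    """Return a dict for one 'global traffic' entry, or None for any other line."""
    m = TCP_RE.search(line)
    if m:
        src, sport, dst, dport = m.groups()
        return {"type": "tcp", "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}
    m = HTTP_RE.search(line)
    if m:
        method, path, rest = m.groups()
        headers = {name: value for name, value in HDR_RE.findall(rest)}
        return {"type": "http", "method": method, "path": path, "headers": headers}
    return None


def extract_iocs(lines):
    """Collect destination (ip, port) pairs, hosts, URLs and user agents."""
    iocs = {"tcp": set(), "hosts": set(), "urls": set(), "user_agents": set()}
    for ev in filter(None, map(parse_line, lines)):
        if ev["type"] == "tcp":
            iocs["tcp"].add((ev["dst"], ev["dport"]))
            continue
        host = ev["headers"].get("Host")
        if host:
            iocs["hosts"].add(host)
            iocs["urls"].add(f"http://{host}{ev['path']}")   # scheme unknown from the log
        ua = ev["headers"].get("User-Agent")
        if ua:
            iocs["user_agents"].add(ua)
    return iocs


def classify(lines):
    """Re-derive the report's behavioural signatures from the raw traffic lines."""
    findings = []
    for ev in filter(None, map(parse_line, lines)):
        if ev["type"] == "tcp" and ev["dport"] in SMTP_PORTS:
            findings.append(f"Uses SMTP (mail sending): {ev['dst']}:{ev['dport']}")
        elif ev["type"] == "http":
            host = ev["headers"].get("Host", "")
            ua = ev["headers"].get("User-Agent")
            if host in IP_CHECK_HOSTS:
                findings.append(f"May check the online IP address of the machine: {host}")
            if ua is None:
                findings.append(f"HTTP {ev['method']} without a user agent: {host}{ev['path']}")
            elif ua == LEGACY_UA:
                findings.append(f"Known legacy user agent (Snake Keylogger IP-check pattern): {host}")
    return list(dict.fromkeys(findings))   # de-duplicate, keep first-seen order


if __name__ == "__main__":
    for key, values in extract_iocs(SAMPLE_LINES).items():
        print(key, sorted(values))
    for finding in classify(SAMPLE_LINES):
        print(finding)
```

In a hunt, the two findings worth turning into rules are the ones the sandbox also raised: a non-mail-client process opening TCP 587/465/25 (the Sigma "Suspicious Outbound SMTP Connections" hit above), and any process other than a browser issuing GET / to checkip.dyndns.org with that fixed MSIE 6.0 string. The IP-check hosts themselves are legitimate services and should be treated as weak indicators unless paired with the process or user-agent context.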

System Summary

Source: 3.2.Purchase Order.exe.378b300.9.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.Purchase Order.exe.378b300.9.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.Purchase Order.exe.378b300.9.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.Purchase Order.exe.378b300.9.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 8.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 8.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 3.2.Purchase Order.exe.37abb20.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.Purchase Order.exe.37abb20.7.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.Purchase Order.exe.37abb20.7.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.Purchase Order.exe.37abb20.7.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 3.2.Purchase Order.exe.37abb20.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.Purchase Order.exe.37abb20.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.Purchase Order.exe.37abb20.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 3.2.Purchase Order.exe.378b300.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.Purchase Order.exe.378b300.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.Purchase Order.exe.378b300.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000008.00000002.3800315530.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000008.00000002.3800315530.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000003.00000002.1413538871.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.1413538871.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Purchase Order.exe PID: 7192, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Purchase Order.exe PID: 7192, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Purchase Order.exe PID: 7692, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Purchase Order.exe PID: 7692, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: initial sample Static PE information: Filename: Purchase Order.exe
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 3_2_0239E014 3_2_0239E014
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 3_2_069063E4 3_2_069063E4
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 3_2_069063E8 3_2_069063E8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 3_2_06908300 3_2_06908300
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 3_2_06907EB8 3_2_06907EB8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 3_2_06907EC8 3_2_06907EC8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_01526168 8_2_01526168
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_0152C1F0 8_2_0152C1F0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_0152B388 8_2_0152B388
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_0152C4D0 8_2_0152C4D0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_0152C7B2 8_2_0152C7B2
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_015268E0 8_2_015268E0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_015298B8 8_2_015298B8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_01524B31 8_2_01524B31
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_0152FA10 8_2_0152FA10
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_0152CA92 8_2_0152CA92
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_0152EDF0 8_2_0152EDF0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_0152BC32 8_2_0152BC32
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_0152BF10 8_2_0152BF10
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_015221A8 8_2_015221A8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_0152E310 8_2_0152E310
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_0152E300 8_2_0152E300
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_0152B552 8_2_0152B552
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_015298B8 8_2_015298B8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A9BD38 8_2_05A9BD38
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A9A408 8_2_05A9A408
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A9B6E8 8_2_05A9B6E8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A98608 8_2_05A98608
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A9D670 8_2_05A9D670
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A9C9D8 8_2_05A9C9D8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A9B0A0 8_2_05A9B0A0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A9D028 8_2_05A9D028
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A9C388 8_2_05A9C388
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A98B58 8_2_05A98B58
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A9AA58 8_2_05A9AA58
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A985F8 8_2_05A985F8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A9BD28 8_2_05A9BD28
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A90D39 8_2_05A90D39
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A90D48 8_2_05A90D48
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A97D48 8_2_05A97D48
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A97D58 8_2_05A97D58
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A974A8 8_2_05A974A8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A90488 8_2_05A90488
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A90498 8_2_05A90498
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A97497 8_2_05A97497
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A94430 8_2_05A94430
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A93730 8_2_05A93730
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A96768 8_2_05A96768
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A96778 8_2_05A96778
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A95EB8 8_2_05A95EB8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A95EC8 8_2_05A95EC8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A9B6D8 8_2_05A9B6D8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A9560B 8_2_05A9560B
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A95618 8_2_05A95618
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A9D661 8_2_05A9D661
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A911A0 8_2_05A911A0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A981A0 8_2_05A981A0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A981B0 8_2_05A981B0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A9518B 8_2_05A9518B
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A95198 8_2_05A95198
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A9C9C8 8_2_05A9C9C8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A97900 8_2_05A97900
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A928B0 8_2_05A928B0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A9B090 8_2_05A9B090
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A908E0 8_2_05A908E0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A908F0 8_2_05A908F0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A978F0 8_2_05A978F0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A92809 8_2_05A92809
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A92807 8_2_05A92807
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A90006 8_2_05A90006
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A9D018 8_2_05A9D018
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A90040 8_2_05A90040
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A97040 8_2_05A97040
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A97050 8_2_05A97050
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A933A8 8_2_05A933A8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A933B8 8_2_05A933B8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A9A3FA 8_2_05A9A3FA
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A96BC1 8_2_05A96BC1
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A96BD0 8_2_05A96BD0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A96320 8_2_05A96320
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A96313 8_2_05A96313
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A9C378 8_2_05A9C378
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A9F2A0 8_2_05A9F2A0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A9F237 8_2_05A9F237
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A95A60 8_2_05A95A60
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A95A70 8_2_05A95A70
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_05A9AA4F 8_2_05A9AA4F
Source: Purchase Order.exe, 00000003.00000000.1343161103.000000000020E000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameFRZs.exe@ vs Purchase Order.exe
Source: Purchase Order.exe, 00000003.00000002.1413538871.00000000036BE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Purchase Order.exe
Source: Purchase Order.exe, 00000003.00000002.1413538871.00000000036BE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Purchase Order.exe
Source: Purchase Order.exe, 00000003.00000002.1415784664.0000000008380000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Purchase Order.exe
Source: Purchase Order.exe, 00000003.00000002.1411062432.00000000007CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Purchase Order.exe
Source: Purchase Order.exe, 00000003.00000002.1412901774.000000000253F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Purchase Order.exe
Source: Purchase Order.exe, 00000008.00000002.3800522199.0000000000F87000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Purchase Order.exe
Source: Purchase Order.exe, 00000008.00000002.3800315530.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Purchase Order.exe
Source: Purchase Order.exe, 00000008.00000002.3804292957.00000000010C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Purchase Order.exe
Source: Purchase Order.exe Binary or memory string: OriginalFilenameFRZs.exe@ vs Purchase Order.exe
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: dpapi.dll
Source: Purchase Order.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 3.2.Purchase Order.exe.378b300.9.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.Purchase Order.exe.378b300.9.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.Purchase Order.exe.378b300.9.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.Purchase Order.exe.378b300.9.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 8.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 8.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 3.2.Purchase Order.exe.37abb20.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.Purchase Order.exe.37abb20.7.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.Purchase Order.exe.37abb20.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.Purchase Order.exe.37abb20.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 3.2.Purchase Order.exe.37abb20.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.Purchase Order.exe.37abb20.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.Purchase Order.exe.37abb20.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 3.2.Purchase Order.exe.378b300.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.Purchase Order.exe.378b300.9.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.Purchase Order.exe.378b300.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000008.00000002.3800315530.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000008.00000002.3800315530.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000003.00000002.1413538871.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000003.00000002.1413538871.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Purchase Order.exe PID: 7192, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Purchase Order.exe PID: 7192, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Purchase Order.exe PID: 7692, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Purchase Order.exe PID: 7692, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Purchase Order.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 3.2.Purchase Order.exe.378b300.9.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.Purchase Order.exe.378b300.9.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.Purchase Order.exe.378b300.9.raw.unpack, ----.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.Purchase Order.exe.378b300.9.raw.unpack, ----.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.Purchase Order.exe.37abb20.7.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.Purchase Order.exe.37abb20.7.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.Purchase Order.exe.37abb20.7.raw.unpack, ----.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.Purchase Order.exe.37abb20.7.raw.unpack, ----.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, WOEeoXxWVHD4PPxwQc.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, LeruYXEJgdh0317JJ5.cs Security API names: _0020.SetAccessControl
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, LeruYXEJgdh0317JJ5.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, LeruYXEJgdh0317JJ5.cs Security API names: _0020.AddAccessRule
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, LeruYXEJgdh0317JJ5.cs Security API names: _0020.SetAccessControl
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, LeruYXEJgdh0317JJ5.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, LeruYXEJgdh0317JJ5.cs Security API names: _0020.AddAccessRule
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, WOEeoXxWVHD4PPxwQc.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 3.2.Purchase Order.exe.25671d8.6.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 3.2.Purchase Order.exe.25213f8.0.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 3.2.Purchase Order.exe.25193e0.3.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/1@4/4
Source: C:\Users\user\Desktop\Purchase Order.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase Order.exe.log
Source: C:\Users\user\Desktop\Purchase Order.exe Mutant created: NULL
Source: Purchase Order.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Purchase Order.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Purchase Order.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Purchase Order.exe, 00000008.00000002.3809824015.0000000003FE1000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000031E7000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000031F4000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000031C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Purchase Order.exe ReversingLabs: Detection: 31%
Source: Purchase Order.exe Virustotal: Detection: 36%
Source: unknown Process created: C:\Users\user\Desktop\Purchase Order.exe "C:\Users\user\Desktop\Purchase Order.exe"
Source: C:\Users\user\Desktop\Purchase Order.exe Process created: C:\Users\user\Desktop\Purchase Order.exe "C:\Users\user\Desktop\Purchase Order.exe"
Source: C:\Users\user\Desktop\Purchase Order.exe Process created: C:\Users\user\Desktop\Purchase Order.exe "C:\Users\user\Desktop\Purchase Order.exe"
Source: C:\Users\user\Desktop\Purchase Order.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\Purchase Order.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Purchase Order.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Purchase Order.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Purchase Order.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: FRZs.pdbSHA256 source: Purchase Order.exe
Source: Binary string: FRZs.pdb source: Purchase Order.exe

Data Obfuscation

Source: Purchase Order.exe, frmRestaurante.cs .Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 3.2.Purchase Order.exe.250808c.1.raw.unpack, nL.cs .Net Code: sf
Source: 3.2.Purchase Order.exe.250808c.1.raw.unpack, nL.cs .Net Code: wb System.Reflection.Assembly.Load(byte[])
Source: 3.2.Purchase Order.exe.50f0000.10.raw.unpack, nL.cs .Net Code: sf
Source: 3.2.Purchase Order.exe.50f0000.10.raw.unpack, nL.cs .Net Code: wb System.Reflection.Assembly.Load(byte[])
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, LeruYXEJgdh0317JJ5.cs .Net Code: hIRu7GBKpypCkTuq8E2 System.Reflection.Assembly.Load(byte[])
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, LeruYXEJgdh0317JJ5.cs .Net Code: hIRu7GBKpypCkTuq8E2 System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 3_2_06908E92 push E8FFFFFFh; iretd 3_2_06908E9D
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 8_2_01529770 push esp; ret 8_2_01529771
Source: Purchase Order.exe Static PE information: section name: .text entropy: 7.98179362017261
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, SPtGqGjWCJYyK8bNDm.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'GdIwSeOyGI', 'HsFw1QfnI8', 'WXSwzZ56ey', 'tBj2issMGb', 'OiA2dvj5KO', 'sam2wf8Le9', 'uhM22cMmlQ', 'cinl1HBWyqMegBjtU0v'
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, xjqib4fGgh2D4hcUnV.cs High entropy of concatenated method names: 'mC3QuoC6E5', 'h0HQ9ux0cw', 'gYQQL4Jw98', 'tpqQVumxbn', 'iB8QX1fuyF', 'o6vQjHSfvt', 'Bh7Q5FuX7U', 'B8nQDj9Rh2', 'y2tQsK4X3F', 'owDQftpsEV'
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, zmsPwd15mlK3sU8Y88.cs High entropy of concatenated method names: 'vw6LKhUOA', 'nepV2oxx4', 'QAQjZnNup', 'Ky55Mtf1s', 'NRhsLjhl8', 'GIeflHwYB', 'U3jVhSAwcm9hfMiBv6', 'cq7QL2DQCSoUaRO2vw', 'VGI7PIZ5I', 'u0544eKCr'
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, s1goaa8v8f7b4pYibK.cs High entropy of concatenated method names: 'zAQNX9GXuO', 'i1yN5ASig2', 'VY4YaCX7F0', 'uvbYrDvmUk', 'F2FYWbwG7F', 'WI1YA50Tag', 'QcuYCDpFsd', 'OFuYRQNsOK', 'YOyYv0pFwO', 'LHFYHp0MlS'
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, N9tjtmwqgQXn9TOSsR.cs High entropy of concatenated method names: 'ToString', 'bPfUTptDy6', 'yOHU3Epn0S', 'UsCUaYZPfG', 'OajUrodRhp', 'v1gUWCVXmK', 'lEaUA6snZ0', 'goLUCVgwWb', 'bu8URPX8m2', 'RRyUvjtuFF'
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, GdqOgLPsuiRnnFxbbFb.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VMN4ZfE2f9', 'GDC4FVJGKX', 'VKI48mBnZU', 'KPY4OYV5U1', 'Fxj4liKIWp', 'MQD4meisGy', 'x6i4eAvAKq'
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, h7wEcfFpN0g0i0ux4x.cs High entropy of concatenated method names: 'PmR7BrLIGq', 'ULm7kq2vHF', 'IKS7YvQlhd', 'RYn7N7fZPr', 'Hi07EMXJDq', 'Xm47QBWVG0', 'wWk7gDWBd4', 'K007htAsYs', 'kx27IfSHod', 'n8r70ufXBI'
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, Odifjlz3uKTsuoAcLW.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'IYepbVT2OF', 'U5Wpq0WwZ6', 'q46pUd7w9x', 'UGupcRKiU6', 'e5Mp7M15jq', 'nUJppygWE3', 'LbKp4MIkKF'
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, qqNBolPHdfOcJ17he34.cs High entropy of concatenated method names: 'sIQpuMuT5E', 'Bvvp9pFWLW', 'TPZpLwlAH8', 'OuUpVh9pt0', 'aNQpX2LQ1B', 'Ob1pjLQQlo', 'gVmp57eyo6', 'R4HpDons98', 'TwgpsiMlns', 'IPtpf18tpt'
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, xYImOGNYJlADaHk6Ra.cs High entropy of concatenated method names: 'eIccISdWsX', 'b9uc0xLwVQ', 'ToString', 'lK1cB2IqOG', 'lOucktC2GL', 'clScYxX6CQ', 'gXRcNsPlV2', 'a5JcEtSU9A', 'eTYcQFlWbJ', 'FZtcgLM8mU'
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, vCdweLJf9FCMY7p7sY.cs High entropy of concatenated method names: 'Dispose', 'AnfdSjnDKu', 'uRJw3HACTG', 'XTFJJMkR8j', 'Vdqd1I1cGa', 'D85dza6r4C', 'ProcessDialogKey', 'f58wito6LS', 'JtjwdRHR3v', 'ox2wwgVHwc'
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, rbTIQFDs74rvLVtopd.cs High entropy of concatenated method names: 'a5odQtGSFy', 'eiMdgPGEGL', 'MgKdIuX06d', 'OrRd0O7jve', 'DVfdquTE3t', 'MGHdUbWSFA', 'RdImPFJAgdNX5kGTEI', 'LDUZckS9vEbbIgYIT5', 'YgCddFfjBj', 'abdd292gXx'
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, ISxtSLitdJyIZK0W8M.cs High entropy of concatenated method names: 'pBNEKxaf7I', 'rSOEuXIQOG', 'AByELtwMN3', 'AUUEVa0vRG', 'mCTEj0tBKq', 'YiTE5ARojQ', 'VpvEsHxt8o', 'U0gEfTO29w', 'Dp9MbXWHGKBpJfH7Twg', 'mLEKevWK06frVFW6SS7'
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, ytZKh3R2l1iHWImtrk.cs High entropy of concatenated method names: 'WJKQBjdtgH', 'iZVQYAMSYx', 'u70QEK6Dhh', 'KtAE1ppFB6', 'F2mEzolS0M', 'nOKQihFeHC', 'MjwQdTU56W', 'wwSQwnle7d', 'eqwQ2BW0XX', 'AmuQ6CpeMZ'
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, yF43FxXp2wRWkfKGm1.cs High entropy of concatenated method names: 'WwSEGf0NrI', 'S9PEksxljU', 'LnEENBhyLc', 'Nc0EQ3xY9D', 'bsfEg944VM', 'GTUNlt66JV', 'eMrNmEJkVt', 'HvjNeth2kT', 'NlvNoQTRoZ', 'zKfNSrsdKT'
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, TDwGx2eHAduadx63KE.cs High entropy of concatenated method names: 'waepdNh4Yy', 'taVp2IGrty', 'd3pp61X1T2', 'YGJpBJpeWv', 'fKipkxWeRb', 'uglpNF7YVI', 'fTepEhZeC0', 'pDo7eG86bg', 'xGw7oVycMw', 'iQ37SKtM89'
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, WOEeoXxWVHD4PPxwQc.cs High entropy of concatenated method names: 'q3UkZyWBJb', 'JOYkFhJPI6', 'WQSk83LDLd', 'wKEkOFrrQS', 'zLjkl3eFrx', 'hO4kmhYOyg', 'VDFkevvZP2', 'Qurko7PYPT', 'OtCkS85gJE', 'N2vk1Ck6Ba'
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, JhwlxM4bR2lxySGrNM.cs High entropy of concatenated method names: 'EHTcoCvown', 'AVbc1gkRNy', 'g057iqG35G', 'rDI7dui7uO', 't3bcTTWhQD', 'bm3cMWvAwP', 'H1QcnWS0Rd', 'fZwcZ5849A', 'jWkcFVXfPg', 'zuxc8xolW6'
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, LeruYXEJgdh0317JJ5.cs High entropy of concatenated method names: 'arv2GXIM7r', 'OS22BPcwvo', 'MYS2k3Hkoq', 'brx2YNB8Q0', 'k5V2N8VDxw', 'do02EV76dO', 'u0M2QjmJvK', 'sal2gZLP8N', 'QEW2hpAAFa', 'lbS2Ig88uR'
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, YmUQD00WVSemVelgiw.cs High entropy of concatenated method names: 'DBHbDwOuIc', 'QrlbsNLME5', 'S4gbyP2cOp', 'xVSb3Dh5FZ', 'xTBbrQXWKs', 'AhXbWQsp9Z', 'dMqbCi3GOE', 'FDtbRFAZw3', 'ln4bHn96Ap', 'P5nbTfqXuW'
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, hdDtTJAZUL6LTvg8kM.cs High entropy of concatenated method names: 'hSMQE2WrCtTK3gRGlu2', 'h1eK38W9EHviPL4a5ZG', 'xIT7BKW4o0UJiYZH5et', 'DV3E7xgF0b', 'g9jEpwQLa9', 'LLeE4bBKgt', 'hMrbtpWYhfSMkV2guts', 'u7m4rGWVvCT8qfaTAoJ'
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, CCatRHtdeEdpD35Ed5.cs High entropy of concatenated method names: 'lYnYVo6NnV', 'HN8Yj2Dqhw', 'vepYDsL33o', 'DYhYs0tOu1', 'FjmYqZMSHo', 's6ZYUcquSO', 'MDOYclIbmH', 'EQYY7ElXZy', 'HsqYp29TBH', 'gTuY4dNQ48'
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, CKYUDtruqr7JNgjTSk.cs High entropy of concatenated method names: 'j6J7yMjGxD', 'su973QbRxD', 'nAx7andOL2', 'MqY7rP8aJp', 'HBI7Z0KBa5', 'iMa7WIdFoy', 'Next', 'Next', 'Next', 'NextBytes'
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, SPtGqGjWCJYyK8bNDm.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'GdIwSeOyGI', 'HsFw1QfnI8', 'WXSwzZ56ey', 'tBj2issMGb', 'OiA2dvj5KO', 'sam2wf8Le9', 'uhM22cMmlQ', 'cinl1HBWyqMegBjtU0v'
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, xjqib4fGgh2D4hcUnV.cs High entropy of concatenated method names: 'mC3QuoC6E5', 'h0HQ9ux0cw', 'gYQQL4Jw98', 'tpqQVumxbn', 'iB8QX1fuyF', 'o6vQjHSfvt', 'Bh7Q5FuX7U', 'B8nQDj9Rh2', 'y2tQsK4X3F', 'owDQftpsEV'
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, zmsPwd15mlK3sU8Y88.cs High entropy of concatenated method names: 'vw6LKhUOA', 'nepV2oxx4', 'QAQjZnNup', 'Ky55Mtf1s', 'NRhsLjhl8', 'GIeflHwYB', 'U3jVhSAwcm9hfMiBv6', 'cq7QL2DQCSoUaRO2vw', 'VGI7PIZ5I', 'u0544eKCr'
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, s1goaa8v8f7b4pYibK.cs High entropy of concatenated method names: 'zAQNX9GXuO', 'i1yN5ASig2', 'VY4YaCX7F0', 'uvbYrDvmUk', 'F2FYWbwG7F', 'WI1YA50Tag', 'QcuYCDpFsd', 'OFuYRQNsOK', 'YOyYv0pFwO', 'LHFYHp0MlS'
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, N9tjtmwqgQXn9TOSsR.cs High entropy of concatenated method names: 'ToString', 'bPfUTptDy6', 'yOHU3Epn0S', 'UsCUaYZPfG', 'OajUrodRhp', 'v1gUWCVXmK', 'lEaUA6snZ0', 'goLUCVgwWb', 'bu8URPX8m2', 'RRyUvjtuFF'
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, GdqOgLPsuiRnnFxbbFb.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VMN4ZfE2f9', 'GDC4FVJGKX', 'VKI48mBnZU', 'KPY4OYV5U1', 'Fxj4liKIWp', 'MQD4meisGy', 'x6i4eAvAKq'
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, h7wEcfFpN0g0i0ux4x.cs High entropy of concatenated method names: 'PmR7BrLIGq', 'ULm7kq2vHF', 'IKS7YvQlhd', 'RYn7N7fZPr', 'Hi07EMXJDq', 'Xm47QBWVG0', 'wWk7gDWBd4', 'K007htAsYs', 'kx27IfSHod', 'n8r70ufXBI'
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, Odifjlz3uKTsuoAcLW.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'IYepbVT2OF', 'U5Wpq0WwZ6', 'q46pUd7w9x', 'UGupcRKiU6', 'e5Mp7M15jq', 'nUJppygWE3', 'LbKp4MIkKF'
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, qqNBolPHdfOcJ17he34.cs High entropy of concatenated method names: 'sIQpuMuT5E', 'Bvvp9pFWLW', 'TPZpLwlAH8', 'OuUpVh9pt0', 'aNQpX2LQ1B', 'Ob1pjLQQlo', 'gVmp57eyo6', 'R4HpDons98', 'TwgpsiMlns', 'IPtpf18tpt'
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, xYImOGNYJlADaHk6Ra.cs High entropy of concatenated method names: 'eIccISdWsX', 'b9uc0xLwVQ', 'ToString', 'lK1cB2IqOG', 'lOucktC2GL', 'clScYxX6CQ', 'gXRcNsPlV2', 'a5JcEtSU9A', 'eTYcQFlWbJ', 'FZtcgLM8mU'
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, vCdweLJf9FCMY7p7sY.cs High entropy of concatenated method names: 'Dispose', 'AnfdSjnDKu', 'uRJw3HACTG', 'XTFJJMkR8j', 'Vdqd1I1cGa', 'D85dza6r4C', 'ProcessDialogKey', 'f58wito6LS', 'JtjwdRHR3v', 'ox2wwgVHwc'
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, rbTIQFDs74rvLVtopd.cs High entropy of concatenated method names: 'a5odQtGSFy', 'eiMdgPGEGL', 'MgKdIuX06d', 'OrRd0O7jve', 'DVfdquTE3t', 'MGHdUbWSFA', 'RdImPFJAgdNX5kGTEI', 'LDUZckS9vEbbIgYIT5', 'YgCddFfjBj', 'abdd292gXx'
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, ISxtSLitdJyIZK0W8M.cs High entropy of concatenated method names: 'pBNEKxaf7I', 'rSOEuXIQOG', 'AByELtwMN3', 'AUUEVa0vRG', 'mCTEj0tBKq', 'YiTE5ARojQ', 'VpvEsHxt8o', 'U0gEfTO29w', 'Dp9MbXWHGKBpJfH7Twg', 'mLEKevWK06frVFW6SS7'
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, ytZKh3R2l1iHWImtrk.cs High entropy of concatenated method names: 'WJKQBjdtgH', 'iZVQYAMSYx', 'u70QEK6Dhh', 'KtAE1ppFB6', 'F2mEzolS0M', 'nOKQihFeHC', 'MjwQdTU56W', 'wwSQwnle7d', 'eqwQ2BW0XX', 'AmuQ6CpeMZ'
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, yF43FxXp2wRWkfKGm1.cs High entropy of concatenated method names: 'WwSEGf0NrI', 'S9PEksxljU', 'LnEENBhyLc', 'Nc0EQ3xY9D', 'bsfEg944VM', 'GTUNlt66JV', 'eMrNmEJkVt', 'HvjNeth2kT', 'NlvNoQTRoZ', 'zKfNSrsdKT'
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, TDwGx2eHAduadx63KE.cs High entropy of concatenated method names: 'waepdNh4Yy', 'taVp2IGrty', 'd3pp61X1T2', 'YGJpBJpeWv', 'fKipkxWeRb', 'uglpNF7YVI', 'fTepEhZeC0', 'pDo7eG86bg', 'xGw7oVycMw', 'iQ37SKtM89'
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, WOEeoXxWVHD4PPxwQc.cs High entropy of concatenated method names: 'q3UkZyWBJb', 'JOYkFhJPI6', 'WQSk83LDLd', 'wKEkOFrrQS', 'zLjkl3eFrx', 'hO4kmhYOyg', 'VDFkevvZP2', 'Qurko7PYPT', 'OtCkS85gJE', 'N2vk1Ck6Ba'
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, JhwlxM4bR2lxySGrNM.cs High entropy of concatenated method names: 'EHTcoCvown', 'AVbc1gkRNy', 'g057iqG35G', 'rDI7dui7uO', 't3bcTTWhQD', 'bm3cMWvAwP', 'H1QcnWS0Rd', 'fZwcZ5849A', 'jWkcFVXfPg', 'zuxc8xolW6'
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, LeruYXEJgdh0317JJ5.cs High entropy of concatenated method names: 'arv2GXIM7r', 'OS22BPcwvo', 'MYS2k3Hkoq', 'brx2YNB8Q0', 'k5V2N8VDxw', 'do02EV76dO', 'u0M2QjmJvK', 'sal2gZLP8N', 'QEW2hpAAFa', 'lbS2Ig88uR'
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, YmUQD00WVSemVelgiw.cs High entropy of concatenated method names: 'DBHbDwOuIc', 'QrlbsNLME5', 'S4gbyP2cOp', 'xVSb3Dh5FZ', 'xTBbrQXWKs', 'AhXbWQsp9Z', 'dMqbCi3GOE', 'FDtbRFAZw3', 'ln4bHn96Ap', 'P5nbTfqXuW'
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, hdDtTJAZUL6LTvg8kM.cs High entropy of concatenated method names: 'hSMQE2WrCtTK3gRGlu2', 'h1eK38W9EHviPL4a5ZG', 'xIT7BKW4o0UJiYZH5et', 'DV3E7xgF0b', 'g9jEpwQLa9', 'LLeE4bBKgt', 'hMrbtpWYhfSMkV2guts', 'u7m4rGWVvCT8qfaTAoJ'
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, CCatRHtdeEdpD35Ed5.cs High entropy of concatenated method names: 'lYnYVo6NnV', 'HN8Yj2Dqhw', 'vepYDsL33o', 'DYhYs0tOu1', 'FjmYqZMSHo', 's6ZYUcquSO', 'MDOYclIbmH', 'EQYY7ElXZy', 'HsqYp29TBH', 'gTuY4dNQ48'
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, CKYUDtruqr7JNgjTSk.cs High entropy of concatenated method names: 'j6J7yMjGxD', 'su973QbRxD', 'nAx7andOL2', 'MqY7rP8aJp', 'HBI7Z0KBa5', 'iMa7WIdFoy', 'Next', 'Next', 'Next', 'NextBytes'
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: Purchase Order.exe PID: 7192, type: MEMORYSTR
Source: C:\Users\user\Desktop\Purchase Order.exe Memory allocated: 2330000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Purchase Order.exe Memory allocated: 24E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Purchase Order.exe Memory allocated: 44E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Purchase Order.exe Memory allocated: 83F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Purchase Order.exe Memory allocated: 93F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Purchase Order.exe Memory allocated: 96F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Purchase Order.exe Memory allocated: A6F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Purchase Order.exe Memory allocated: 1520000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Purchase Order.exe Memory allocated: 2F50000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Purchase Order.exe Memory allocated: 2E70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 599891
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 599781
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 599672
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 599563
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 599438
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 599328
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 599219
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 599094
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 598984
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 598875
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 598765
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 598656
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 598547
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 598437
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 598328
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 598219
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 598094
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 597984
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 597874
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 597766
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 597656
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 597547
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 597438
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 597313
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 597188
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 597078
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 596967
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 596857
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 596750
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 596641
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 596516
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 596377
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 596250
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 596141
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 595768
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 595558
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 595453
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 595344
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 593797
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 593514
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 593406
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 593297
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 593188
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 593063
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 592938
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 592813
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 592688
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 592517
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 592374
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 592266
Source: C:\Users\user\Desktop\Purchase Order.exe Window / User API: threadDelayed 7675
Source: C:\Users\user\Desktop\Purchase Order.exe Window / User API: threadDelayed 2138
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7340 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784 Thread sleep count: 40 > 30
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784 Thread sleep time: -36893488147419080s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784 Thread sleep time: -599891s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7788 Thread sleep count: 7675 > 30
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7788 Thread sleep count: 2138 > 30
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784 Thread sleep time: -599781s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784 Thread sleep time: -599672s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784 Thread sleep time: -599563s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784 Thread sleep time: -599438s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784 Thread sleep time: -599328s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784 Thread sleep time: -599219s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784 Thread sleep time: -599094s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784 Thread sleep time: -598984s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784 Thread sleep time: -598875s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784 Thread sleep time: -598765s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784 Thread sleep time: -598656s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784 Thread sleep time: -598547s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784 Thread sleep time: -598437s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784 Thread sleep time: -598328s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784 Thread sleep time: -598219s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784 Thread sleep time: -598094s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784 Thread sleep time: -597984s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784 Thread sleep time: -597874s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784 Thread sleep time: -597766s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784 Thread sleep time: -597656s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784 Thread sleep time: -597547s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784 Thread sleep time: -597438s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784 Thread sleep time: -597313s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784 Thread sleep time: -597188s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784 Thread sleep time: -597078s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784 Thread sleep time: -596967s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784 Thread sleep time: -596857s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784 Thread sleep time: -596750s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784 Thread sleep time: -596641s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784 Thread sleep time: -596516s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784 Thread sleep time: -596377s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784 Thread sleep time: -596250s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784 Thread sleep time: -596141s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784 Thread sleep time: -595768s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784 Thread sleep time: -595558s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784 Thread sleep time: -595453s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784 Thread sleep time: -595344s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784 Thread sleep time: -593797s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784 Thread sleep time: -593514s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784 Thread sleep time: -593406s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784 Thread sleep time: -593297s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784 Thread sleep time: -593188s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784 Thread sleep time: -593063s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784 Thread sleep time: -592938s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784 Thread sleep time: -592813s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784 Thread sleep time: -592688s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784 Thread sleep time: -592517s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784 Thread sleep time: -592374s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784 Thread sleep time: -592266s >= -30000s
Source: Purchase Order.exe, 00000008.00000002.3804292957.00000000010F6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Purchase Order.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Purchase Order.exe Memory written: C:\Users\user\Desktop\Purchase Order.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Purchase Order.exe Process created: C:\Users\user\Desktop\Purchase Order.exe "C:\Users\user\Desktop\Purchase Order.exe"
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Users\user\Desktop\Purchase Order.exe VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Users\user\Desktop\Purchase Order.exe VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 3.2.Purchase Order.exe.378b300.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order.exe.37abb20.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order.exe.37abb20.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order.exe.378b300.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.3800315530.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3808084232.0000000003111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3808084232.0000000003232000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1413538871.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3808084232.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Purchase Order.exe PID: 7192, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Purchase Order.exe PID: 7692, type: MEMORYSTR
Source: C:\Users\user\Desktop\Purchase Order.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Purchase Order.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Purchase Order.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\Desktop\Purchase Order.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match File source: 3.2.Purchase Order.exe.378b300.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order.exe.37abb20.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order.exe.37abb20.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order.exe.378b300.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.3800315530.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1413538871.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Purchase Order.exe PID: 7192, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Purchase Order.exe PID: 7692, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 3.2.Purchase Order.exe.378b300.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order.exe.37abb20.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order.exe.37abb20.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order.exe.378b300.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.3800315530.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3808084232.0000000003111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3808084232.0000000003232000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1413538871.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3808084232.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Purchase Order.exe PID: 7192, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Purchase Order.exe PID: 7692, type: MEMORYSTR