Windows Analysis Report
Purchase Order.exe

Overview

General Information

Sample name: Purchase Order.exe
Analysis ID: 1420781
MD5: 25a46527b42b425083fe4778768f2073
SHA1: 837219cc634a58cb7c10be9a5d6759562eb8d3f3
SHA256: 190504e991bb8bb608cf87db9ee7c7549999a17970251490ce85282f85cb49aa
Tags: exe
Infos:

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected Snake Keylogger
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
404 Keylogger, Snake Keylogger Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection
barindex
Antivirus detection for URL or domain
Source: https://scratchdreams.tk Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000003.00000002.2206030183.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "tslogs@mksiimst.com", "Password": "EbxKZL@2", "Host": "us2.smtp.mailhostbox.com ", "Port": "587"}
Multi AV Scanner detection for domain / URL
Source: https://scratchdreams.tk Virustotal: Detection: 15% Perma Link
Multi AV Scanner detection for submitted file
Source: Purchase Order.exe ReversingLabs: Detection: 28%
Source: Purchase Order.exe Virustotal: Detection: 33% Perma Link
Machine Learning detection for sample
Source: Purchase Order.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: Purchase Order.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Purchase Order.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Users\user\Desktop\Purchase Order.PDB source: Purchase Order.exe, 00000003.00000002.2205222662.0000000001240000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdb source: WER9980.tmp.dmp.6.dr
Source: Binary string: System.ni.pdbRSDS source: WER9980.tmp.dmp.6.dr
Source: Binary string: n.pdb source: Purchase Order.exe, 00000003.00000002.2204985960.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: ydwx.pdbSHA256 source: Purchase Order.exe
Source: Binary string: System.Configuration.pdb8S source: WER9980.tmp.dmp.6.dr
Source: Binary string: ydwx.pdbs\ydwx.pdbpdbdwx.pdb source: Purchase Order.exe, 00000003.00000002.2204985960.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbM source: Purchase Order.exe, 00000003.00000002.2205222662.0000000001240000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WER9980.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\exe\ydwx.pdbum source: Purchase Order.exe, 00000003.00000002.2205222662.0000000001240000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS source: WER9980.tmp.dmp.6.dr
Source: Binary string: nDC:\Users\user\Desktop\ydwx.pdb source: Purchase Order.exe, 00000003.00000002.2204985960.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb-m source: Purchase Order.exe, 00000003.00000002.2205222662.0000000001240000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbmm source: Purchase Order.exe, 00000003.00000002.2205222662.0000000001240000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.pdb source: WER9980.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\ydwx.pdb source: Purchase Order.exe, 00000003.00000002.2205222662.0000000001240000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.pdb source: WER9980.tmp.dmp.6.dr
Source: Binary string: \??\C:\Users\user\Desktop\ydwx.pdbdb source: Purchase Order.exe, 00000003.00000002.2205222662.0000000001240000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb source: WER9980.tmp.dmp.6.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER9980.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\symbols\exe\ydwx.pdbH source: Purchase Order.exe, 00000003.00000002.2205493610.00000000012D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb source: WER9980.tmp.dmp.6.dr
Source: Binary string: System.Core.ni.pdb source: WER9980.tmp.dmp.6.dr
Source: Binary string: nC:\Users\user\Desktop\ydwx.pdb source: Purchase Order.exe, 00000003.00000002.2204985960.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WER9980.tmp.dmp.6.dr
Source: Binary string: mscorlib.pdb source: Purchase Order.exe, 00000003.00000002.2205222662.0000000001240000.00000004.00000020.00020000.00000000.sdmp, WER9980.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb% source: Purchase Order.exe, 00000003.00000002.2205222662.0000000001240000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ydwx.pdbon source: Purchase Order.exe, 00000003.00000002.2205222662.0000000001240000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\ydwx.pdb source: Purchase Order.exe, 00000003.00000002.2205493610.00000000012D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdb source: WER9980.tmp.dmp.6.dr
Source: Binary string: System.Core.pdb source: WER9980.tmp.dmp.6.dr
Source: Binary string: ydwx.pdb source: Purchase Order.exe
Source: Binary string: symbols\exe\ydwx.pdb source: Purchase Order.exe, 00000003.00000002.2204985960.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\ydwx.pdbpdbdwx.pdb source: Purchase Order.exe, 00000003.00000002.2205222662.0000000001240000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n(C:\Windows\ydwx.pdb source: Purchase Order.exe, 00000003.00000002.2204985960.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER9980.tmp.dmp.6.dr
Source: Binary string: System.ni.pdb source: WER9980.tmp.dmp.6.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER9980.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\exe\ydwx.pdb source: Purchase Order.exe, 00000003.00000002.2205222662.0000000001240000.00000004.00000020.00020000.00000000.sdmp

Networking
barindex
Yara detected Generic Downloader
Source: Yara match File source: 3.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order.exe.3d4c3b8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order.exe.3d2bb98.9.raw.unpack, type: UNPACKEDPE
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 132.226.8.169 132.226.8.169
May check the online IP address of the machine
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: checkip.dyndns.org
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: unknown DNS traffic detected: queries for: checkip.dyndns.org
Source: Purchase Order.exe, 00000003.00000002.2206030183.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: Purchase Order.exe, 00000003.00000002.2206030183.0000000002F9E000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.2206030183.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: Purchase Order.exe, 00000003.00000002.2206030183.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: Purchase Order.exe, 00000000.00000002.2036940365.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.2204842642.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: Purchase Order.exe, 00000003.00000002.2206030183.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Purchase Order.exe String found in binary or memory: http://tempuri.org/DataSet1.xsdCEscolha
Source: Amcache.hve.6.dr String found in binary or memory: http://upx.sf.net
Source: Purchase Order.exe, 00000000.00000002.2036940365.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.2204842642.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Purchase Order.exe, 00000000.00000002.2036940365.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.2206030183.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.2204842642.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://scratchdreams.tk

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0.2.Purchase Order.exe.3d4c3b8.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Purchase Order.exe.3d4c3b8.7.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Purchase Order.exe.3d4c3b8.7.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Purchase Order.exe.3d4c3b8.7.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 3.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Purchase Order.exe.3d2bb98.9.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Purchase Order.exe.3d2bb98.9.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Purchase Order.exe.3d2bb98.9.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Purchase Order.exe.3d2bb98.9.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Purchase Order.exe.3d4c3b8.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Purchase Order.exe.3d4c3b8.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Purchase Order.exe.3d4c3b8.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Purchase Order.exe.3d2bb98.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Purchase Order.exe.3d2bb98.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Purchase Order.exe.3d2bb98.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000003.00000002.2204842642.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.2204842642.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2036940365.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2036940365.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Purchase Order.exe PID: 6368, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Purchase Order.exe PID: 6368, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Purchase Order.exe PID: 5744, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Purchase Order.exe PID: 5744, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Purchase Order.exe
Detected potential crypto function
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_00EADE0C 0_2_00EADE0C
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_06F147F0 0_2_06F147F0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_06F147E2 0_2_06F147E2
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_06F130E8 0_2_06F130E8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_06F130D9 0_2_06F130D9
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_06F15060 0_2_06F15060
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_06F10006 0_2_06F10006
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_06F12CB0 0_2_06F12CB0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_06F14C28 0_2_06F14C28
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_06F14C1A 0_2_06F14C1A
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_06F19D6C 0_2_06F19D6C
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 3_2_016235CA 3_2_016235CA
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 3_2_016221B4 3_2_016221B4
One or more processes crash
Source: C:\Users\user\Desktop\Purchase Order.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5744 -s 1516
Sample file is different than original file name gathered from version info
Source: Purchase Order.exe, 00000000.00000002.2036617671.0000000002ADC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Purchase Order.exe
Source: Purchase Order.exe, 00000000.00000002.2035028579.0000000000B1E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Purchase Order.exe
Source: Purchase Order.exe, 00000000.00000002.2036940365.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Purchase Order.exe
Source: Purchase Order.exe, 00000000.00000002.2036940365.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Purchase Order.exe
Source: Purchase Order.exe, 00000000.00000000.1975610638.00000000005D6000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameydwx.exeR vs Purchase Order.exe
Source: Purchase Order.exe, 00000000.00000002.2038406598.0000000006E80000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Purchase Order.exe
Source: Purchase Order.exe, 00000003.00000002.2204842642.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Purchase Order.exe
Source: Purchase Order.exe Binary or memory string: OriginalFilenameydwx.exeR vs Purchase Order.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: fwpuclnt.dll Jump to behavior
Uses 32bit PE files
Source: Purchase Order.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 0.2.Purchase Order.exe.3d4c3b8.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Purchase Order.exe.3d4c3b8.7.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Purchase Order.exe.3d4c3b8.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Purchase Order.exe.3d4c3b8.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 3.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Purchase Order.exe.3d2bb98.9.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Purchase Order.exe.3d2bb98.9.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Purchase Order.exe.3d2bb98.9.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Purchase Order.exe.3d2bb98.9.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Purchase Order.exe.3d4c3b8.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Purchase Order.exe.3d4c3b8.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Purchase Order.exe.3d4c3b8.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Purchase Order.exe.3d2bb98.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Purchase Order.exe.3d2bb98.9.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Purchase Order.exe.3d2bb98.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000003.00000002.2204842642.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000003.00000002.2204842642.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2036940365.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2036940365.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Purchase Order.exe PID: 6368, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Purchase Order.exe PID: 6368, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Purchase Order.exe PID: 5744, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Purchase Order.exe PID: 5744, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Purchase Order.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Purchase Order.exe.3d4c3b8.7.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order.exe.3d4c3b8.7.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order.exe.3d4c3b8.7.raw.unpack, ----.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order.exe.3d4c3b8.7.raw.unpack, ----.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order.exe.3d2bb98.9.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order.exe.3d2bb98.9.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order.exe.3d2bb98.9.raw.unpack, ----.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order.exe.3d2bb98.9.raw.unpack, ----.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order.exe.3d97540.8.raw.unpack, FyuJ0fZT8QkGKLbO0a.cs Security API names: _0020.SetAccessControl
Source: 0.2.Purchase Order.exe.3d97540.8.raw.unpack, FyuJ0fZT8QkGKLbO0a.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Purchase Order.exe.3d97540.8.raw.unpack, FyuJ0fZT8QkGKLbO0a.cs Security API names: _0020.AddAccessRule
Source: 0.2.Purchase Order.exe.3d97540.8.raw.unpack, NGtW9mR6Cee8uYqSK0.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Purchase Order.exe.6e80000.12.raw.unpack, NGtW9mR6Cee8uYqSK0.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Purchase Order.exe.6e80000.12.raw.unpack, FyuJ0fZT8QkGKLbO0a.cs Security API names: _0020.SetAccessControl
Source: 0.2.Purchase Order.exe.6e80000.12.raw.unpack, FyuJ0fZT8QkGKLbO0a.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Purchase Order.exe.6e80000.12.raw.unpack, FyuJ0fZT8QkGKLbO0a.cs Security API names: _0020.AddAccessRule
Source: 0.2.Purchase Order.exe.5230000.11.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 0.2.Purchase Order.exe.2ab632c.1.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 0.2.Purchase Order.exe.2b02944.5.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 0.2.Purchase Order.exe.2abe344.3.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: classification engine Classification label: mal100.troj.evad.winEXE@4/6@1/1
Source: C:\Users\user\Desktop\Purchase Order.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase Order.exe.log Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5744
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\f2dbadf2-782e-4c54-a631-1e82bb95e774 Jump to behavior
Source: Purchase Order.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Purchase Order.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Purchase Order.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Purchase Order.exe ReversingLabs: Detection: 28%
Source: Purchase Order.exe Virustotal: Detection: 33%
Source: C:\Users\user\Desktop\Purchase Order.exe File read: C:\Users\user\Desktop\Purchase Order.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Purchase Order.exe "C:\Users\user\Desktop\Purchase Order.exe"
Source: C:\Users\user\Desktop\Purchase Order.exe Process created: C:\Users\user\Desktop\Purchase Order.exe "C:\Users\user\Desktop\Purchase Order.exe"
Source: C:\Users\user\Desktop\Purchase Order.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5744 -s 1516
Source: C:\Users\user\Desktop\Purchase Order.exe Process created: C:\Users\user\Desktop\Purchase Order.exe "C:\Users\user\Desktop\Purchase Order.exe" Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Purchase Order.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: Purchase Order.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Purchase Order.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Purchase Order.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: \??\C:\Users\user\Desktop\Purchase Order.PDB source: Purchase Order.exe, 00000003.00000002.2205222662.0000000001240000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdb source: WER9980.tmp.dmp.6.dr
Source: Binary string: System.ni.pdbRSDS source: WER9980.tmp.dmp.6.dr
Source: Binary string: n.pdb source: Purchase Order.exe, 00000003.00000002.2204985960.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: ydwx.pdbSHA256 source: Purchase Order.exe
Source: Binary string: System.Configuration.pdb8S source: WER9980.tmp.dmp.6.dr
Source: Binary string: ydwx.pdbs\ydwx.pdbpdbdwx.pdb source: Purchase Order.exe, 00000003.00000002.2204985960.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbM source: Purchase Order.exe, 00000003.00000002.2205222662.0000000001240000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WER9980.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\exe\ydwx.pdbum source: Purchase Order.exe, 00000003.00000002.2205222662.0000000001240000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS source: WER9980.tmp.dmp.6.dr
Source: Binary string: nDC:\Users\user\Desktop\ydwx.pdb source: Purchase Order.exe, 00000003.00000002.2204985960.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb-m source: Purchase Order.exe, 00000003.00000002.2205222662.0000000001240000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbmm source: Purchase Order.exe, 00000003.00000002.2205222662.0000000001240000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.pdb source: WER9980.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\ydwx.pdb source: Purchase Order.exe, 00000003.00000002.2205222662.0000000001240000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.pdb source: WER9980.tmp.dmp.6.dr
Source: Binary string: \??\C:\Users\user\Desktop\ydwx.pdbdb source: Purchase Order.exe, 00000003.00000002.2205222662.0000000001240000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb source: WER9980.tmp.dmp.6.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER9980.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\symbols\exe\ydwx.pdbH source: Purchase Order.exe, 00000003.00000002.2205493610.00000000012D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb source: WER9980.tmp.dmp.6.dr
Source: Binary string: System.Core.ni.pdb source: WER9980.tmp.dmp.6.dr
Source: Binary string: nC:\Users\user\Desktop\ydwx.pdb source: Purchase Order.exe, 00000003.00000002.2204985960.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WER9980.tmp.dmp.6.dr
Source: Binary string: mscorlib.pdb source: Purchase Order.exe, 00000003.00000002.2205222662.0000000001240000.00000004.00000020.00020000.00000000.sdmp, WER9980.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb% source: Purchase Order.exe, 00000003.00000002.2205222662.0000000001240000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ydwx.pdbon source: Purchase Order.exe, 00000003.00000002.2205222662.0000000001240000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\ydwx.pdb source: Purchase Order.exe, 00000003.00000002.2205493610.00000000012D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdb source: WER9980.tmp.dmp.6.dr
Source: Binary string: System.Core.pdb source: WER9980.tmp.dmp.6.dr
Source: Binary string: ydwx.pdb source: Purchase Order.exe
Source: Binary string: symbols\exe\ydwx.pdb source: Purchase Order.exe, 00000003.00000002.2204985960.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\ydwx.pdbpdbdwx.pdb source: Purchase Order.exe, 00000003.00000002.2205222662.0000000001240000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n(C:\Windows\ydwx.pdb source: Purchase Order.exe, 00000003.00000002.2204985960.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER9980.tmp.dmp.6.dr
Source: Binary string: System.ni.pdb source: WER9980.tmp.dmp.6.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER9980.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\exe\ydwx.pdb source: Purchase Order.exe, 00000003.00000002.2205222662.0000000001240000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: Purchase Order.exe, Form1.cs .Net Code: InitializeComponent
Source: 0.2.Purchase Order.exe.5060000.10.raw.unpack, nL.cs .Net Code: sf
Source: 0.2.Purchase Order.exe.5060000.10.raw.unpack, nL.cs .Net Code: wb System.Reflection.Assembly.Load(byte[])
Source: 0.2.Purchase Order.exe.2aa4e90.6.raw.unpack, nL.cs .Net Code: sf
Source: 0.2.Purchase Order.exe.2aa4e90.6.raw.unpack, nL.cs .Net Code: wb System.Reflection.Assembly.Load(byte[])
Source: 0.2.Purchase Order.exe.3d97540.8.raw.unpack, FyuJ0fZT8QkGKLbO0a.cs .Net Code: eSHBZKoPfD System.Reflection.Assembly.Load(byte[])
Source: 0.2.Purchase Order.exe.6e80000.12.raw.unpack, FyuJ0fZT8QkGKLbO0a.cs .Net Code: eSHBZKoPfD System.Reflection.Assembly.Load(byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_00EA5DCB pushad ; iretd 0_2_00EA5DD9
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_06F17C22 push es; retf 0_2_06F17C24
Source: Purchase Order.exe Static PE information: section name: .text entropy: 7.939183932107505
Source: 0.2.Purchase Order.exe.3d97540.8.raw.unpack, NGtW9mR6Cee8uYqSK0.cs High entropy of concatenated method names: 'fbXp4Gnw3s', 'bTIpX3VQcW', 'niUpRjoXv7', 'a9RpQlQiRj', 'pCQpGbEl8t', 'wKKpnTR70y', 'UvPpVc5VQX', 'cfLpCKfhbj', 'XxBpxXERkY', 'Wp5phDbj4d'
Source: 0.2.Purchase Order.exe.3d97540.8.raw.unpack, uoIBHmFPkhUFQerbYn.cs High entropy of concatenated method names: 'IPvl1OSdbU', 'iv6lAul8sA', 'S5LlrTwXBu', 'V7Ylev95Iv', 'zJllgLV9CA', 'Y1alJuhpQh', 'Qh8l00KHLF', 'idElN1XpTc', 'lFQlPjK4FR', 'CTZlWrKB1b'
Source: 0.2.Purchase Order.exe.3d97540.8.raw.unpack, E1vSHmxrHlqTsNUgxd.cs High entropy of concatenated method names: 'khju8BZm6S', 'QDoupOsxpD', 'neju5gp4nw', 'mVwuDXOurx', 'AP2ucO5ww1', 'GRguK3OTqw', 'WZyudkoDPA', 'r3Yuf2oba9', 'eiIu3tj5To', 'D0wuLrFvON'
Source: 0.2.Purchase Order.exe.3d97540.8.raw.unpack, bmPJCkvxRZ0biGsWep.cs High entropy of concatenated method names: 'CQF5ifFu1O', 'z1r5yTMuSr', 'Jne51G5GsZ', 'qDN5ACnGkE', 'aXa5m4YkqD', 'UIB5SWmRtN', 'kLQ5M8EbIt', 'zk65uthTdn', 'GMd59IoVYH', 'j8k5UAK3FE'
Source: 0.2.Purchase Order.exe.3d97540.8.raw.unpack, N6InL94UlvEinA1O1jx.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'yj0U49BKSv', 'v5mUXYyE53', 'aElURRs8GJ', 'BC9UQENkDm', 'EdaUGmhS1w', 'EaLUnDRZLG', 'IVZUVw9SZ8'
Source: 0.2.Purchase Order.exe.3d97540.8.raw.unpack, KC1wtZamGsktrMxJHS.cs High entropy of concatenated method names: 'pn0K8bJKEB', 'EOBK5pPI7d', 'k2bKcpf5mt', 'YbTchGcGyZ', 'h3BczNr3Nu', 'UowKqlDMtE', 'QEOKjqCArh', 'kMtK75PnCB', 'PLAKFTZj3s', 'GBvKBcLiEU'
Source: 0.2.Purchase Order.exe.3d97540.8.raw.unpack, YHZGZmtud5qs1b81Hm.cs High entropy of concatenated method names: 'DTgcHSREws', 'bsNcbntoRV', 'WPqcZCDTS8', 'eB2ciple79', 'PNmcy64RGO', 'SrxcwpRAfn', 'VshcAZXE3r', 'lLtcEBS4PY', 'AW7BNL5uqdj42FSS8YN', 'LRJGFm5e0101PufXTiB'
Source: 0.2.Purchase Order.exe.3d97540.8.raw.unpack, xp0TTnCEDMiZTN5mCF.cs High entropy of concatenated method names: 'y7Q9jNlevm', 'CGe9FYJXIj', 'XaN9BGOJce', 'OWo9892RjW', 'BDK9pq19Ko', 'tNk9DrqBs7', 'cBk9cpg81D', 'SsnuVfEPXK', 'hUhuCEW7dP', 'EZruxC86D9'
Source: 0.2.Purchase Order.exe.3d97540.8.raw.unpack, Dm2Aa1KN8NCRa2S116.cs High entropy of concatenated method names: 'DqWmPgEVvI', 'JFFmTD6Gqt', 'stwm4tJnlB', 'TuvmXMIf2F', 'JGbmergLkt', 'GommtF6Qi6', 'JvOmgoqAOL', 'd1omJ8cZG2', 'v4CmaBHbeY', 'P0Am08FLAx'
Source: 0.2.Purchase Order.exe.3d97540.8.raw.unpack, QrapHu4bTYdeWhiBv34.cs High entropy of concatenated method names: 'MtL9bmEOyB', 'rYN9sVySMn', 'vu59ZQGavL', 'wIH9ijo2Zk', 'hv09Is9hsE', 'NM89yt9heb', 'wOh9w5ZT61', 'QgK91IctX3', 'fVm9AZ8bQt', 'O229Ej1HuM'
Source: 0.2.Purchase Order.exe.3d97540.8.raw.unpack, A6MLiKBRyMujdf4xuU.cs High entropy of concatenated method names: 'fZWjKlvPpC', 'qSkjdKtY9I', 'eX7j3Xgyf6', 'wmdjLK0VKJ', 'EvWjmNeVey', 'J5wjSxR61i', 'YpkW6iFQGX7lA4bpU7', 'hSc09BxJuG4rW8LpYM', 'RUBjj8mj5e', 'iALjF00D7I'
Source: 0.2.Purchase Order.exe.3d97540.8.raw.unpack, ddU9BNIepTqiYiDSNe.cs High entropy of concatenated method names: 'ToString', 'RgsSWurqnc', 'n0ZSeww0Ls', 'FPEStuSK6a', 'CcSSgCT38J', 'EVqSJjRUgb', 'B7bSalfqZ0', 'N7cS0xB4sq', 'mDASN606bI', 'QsrS6L6rCW'
Source: 0.2.Purchase Order.exe.3d97540.8.raw.unpack, FyuJ0fZT8QkGKLbO0a.cs High entropy of concatenated method names: 'MCpF2gwF2Y', 'QMFF83KnJV', 'OcxFp9x8lF', 'C9iF5RrC5r', 'WjoFDckhNi', 'ovlFc68W9Z', 'xr6FK2qnmD', 'k9XFdwKR7s', 'zyuFfnlxlU', 'RiTF3qyEGj'
Source: 0.2.Purchase Order.exe.3d97540.8.raw.unpack, M0VWMlW1XLOoXZdsFT.cs High entropy of concatenated method names: 'LlLM3LIay6', 'IeWMLxlH4M', 'ToString', 'YOnM8OKuFH', 'KXoMpZFTJN', 'cVfM5cmakJ', 'm7lMDD4ifU', 'sbnMc3QUNv', 'unWMK4hXTS', 'CGMMdaD4Ky'
Source: 0.2.Purchase Order.exe.3d97540.8.raw.unpack, yHJiJiM1egwcK8Tpms.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'gel7xVHfat', 'frb7h5Advd', 'NcZ7zGW2qY', 'nkeFqlu1XR', 'pA3Fj3U7ke', 'UHHF7Ccixp', 'QMHFFM3s6b', 'En9uIYKcHWU07GO99rk'
Source: 0.2.Purchase Order.exe.3d97540.8.raw.unpack, OjtXevgflriv064PBT.cs High entropy of concatenated method names: 'tPZMC3O3kO', 'iXuMhrH52F', 'mfXuqnUD1d', 'mYHuj5empF', 'faJMWBPhxG', 'fLaMThJy9E', 'PdiMvm2o04', 'Hv3M4LbtKk', 'QbgMXtoM7Z', 'OErMReRsvY'
Source: 0.2.Purchase Order.exe.3d97540.8.raw.unpack, N98lf8z4IoKp8QYGYE.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ueM9lq2ERr', 'Wnl9mFZwyT', 'Lqy9SiMUqR', 'TZ09MAwOjM', 'I4o9ut758p', 'F4V99DWYFC', 'CGv9U4rwfP'
Source: 0.2.Purchase Order.exe.3d97540.8.raw.unpack, w5I2yQcLxXelSwIFPi.cs High entropy of concatenated method names: 'Dispose', 'gPxjxhEliC', 'Ft87eEtsyT', 'vM1OOMEmqN', 'D3hjhAK1OW', 'Umojz1CJPs', 'ProcessDialogKey', 'zpt7qprMtj', 'NjZ7jHvBy1', 'H1e774lvat'
Source: 0.2.Purchase Order.exe.3d97540.8.raw.unpack, IalQVsoXW2uguJbXwL.cs High entropy of concatenated method names: 'UfoZNYu9T', 'LmYiIHLoh', 'EX9y4SqrO', 'xr1wfaOWF', 'BuTANytUO', 'Sx2EMARek', 'UevhZGJSnCMPgTlwcy', 'gwrG7uk1RM5IhjM7Mw', 'lkEuZPa5j', 'FG8Ullk38'
Source: 0.2.Purchase Order.exe.3d97540.8.raw.unpack, zm8M94O2ty4UIhePqx.cs High entropy of concatenated method names: 'prKKbYLagH', 'fc7KsNvH8V', 'xRZKZLUm2t', 'nxOKiO2eEr', 'uH8KIjPl0P', 'FNJKyJt4Ea', 'NuPKwXXeH4', 'y1yK1xsKJp', 'SYEKASAAUn', 'TWcKE8kZGM'
Source: 0.2.Purchase Order.exe.3d97540.8.raw.unpack, itB6mEiuYAhrSJUq77.cs High entropy of concatenated method names: 'WVYurkZDfk', 'kZEueuEPeT', 'iQ3utGpMgM', 'coHugOmDF2', 'ODPu4ZAJmf', 'HfeuJGgpE9', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Purchase Order.exe.3d97540.8.raw.unpack, cqZD1FH9amU9k1wEc9.cs High entropy of concatenated method names: 'YyNc2Zm8PF', 'l2KcpOuMZE', 'UwOcDg7ZQV', 'HnycK4dOti', 'XUpcdfgAEa', 'A6eDGhDvtV', 'kNbDnFaP9F', 'dFWDVOvPEu', 'OrqDCPREJ8', 'RFkDx4nTVe'
Source: 0.2.Purchase Order.exe.6e80000.12.raw.unpack, NGtW9mR6Cee8uYqSK0.cs High entropy of concatenated method names: 'fbXp4Gnw3s', 'bTIpX3VQcW', 'niUpRjoXv7', 'a9RpQlQiRj', 'pCQpGbEl8t', 'wKKpnTR70y', 'UvPpVc5VQX', 'cfLpCKfhbj', 'XxBpxXERkY', 'Wp5phDbj4d'
Source: 0.2.Purchase Order.exe.6e80000.12.raw.unpack, uoIBHmFPkhUFQerbYn.cs High entropy of concatenated method names: 'IPvl1OSdbU', 'iv6lAul8sA', 'S5LlrTwXBu', 'V7Ylev95Iv', 'zJllgLV9CA', 'Y1alJuhpQh', 'Qh8l00KHLF', 'idElN1XpTc', 'lFQlPjK4FR', 'CTZlWrKB1b'
Source: 0.2.Purchase Order.exe.6e80000.12.raw.unpack, E1vSHmxrHlqTsNUgxd.cs High entropy of concatenated method names: 'khju8BZm6S', 'QDoupOsxpD', 'neju5gp4nw', 'mVwuDXOurx', 'AP2ucO5ww1', 'GRguK3OTqw', 'WZyudkoDPA', 'r3Yuf2oba9', 'eiIu3tj5To', 'D0wuLrFvON'
Source: 0.2.Purchase Order.exe.6e80000.12.raw.unpack, bmPJCkvxRZ0biGsWep.cs High entropy of concatenated method names: 'CQF5ifFu1O', 'z1r5yTMuSr', 'Jne51G5GsZ', 'qDN5ACnGkE', 'aXa5m4YkqD', 'UIB5SWmRtN', 'kLQ5M8EbIt', 'zk65uthTdn', 'GMd59IoVYH', 'j8k5UAK3FE'
Source: 0.2.Purchase Order.exe.6e80000.12.raw.unpack, N6InL94UlvEinA1O1jx.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'yj0U49BKSv', 'v5mUXYyE53', 'aElURRs8GJ', 'BC9UQENkDm', 'EdaUGmhS1w', 'EaLUnDRZLG', 'IVZUVw9SZ8'
Source: 0.2.Purchase Order.exe.6e80000.12.raw.unpack, KC1wtZamGsktrMxJHS.cs High entropy of concatenated method names: 'pn0K8bJKEB', 'EOBK5pPI7d', 'k2bKcpf5mt', 'YbTchGcGyZ', 'h3BczNr3Nu', 'UowKqlDMtE', 'QEOKjqCArh', 'kMtK75PnCB', 'PLAKFTZj3s', 'GBvKBcLiEU'
Source: 0.2.Purchase Order.exe.6e80000.12.raw.unpack, YHZGZmtud5qs1b81Hm.cs High entropy of concatenated method names: 'DTgcHSREws', 'bsNcbntoRV', 'WPqcZCDTS8', 'eB2ciple79', 'PNmcy64RGO', 'SrxcwpRAfn', 'VshcAZXE3r', 'lLtcEBS4PY', 'AW7BNL5uqdj42FSS8YN', 'LRJGFm5e0101PufXTiB'
Source: 0.2.Purchase Order.exe.6e80000.12.raw.unpack, xp0TTnCEDMiZTN5mCF.cs High entropy of concatenated method names: 'y7Q9jNlevm', 'CGe9FYJXIj', 'XaN9BGOJce', 'OWo9892RjW', 'BDK9pq19Ko', 'tNk9DrqBs7', 'cBk9cpg81D', 'SsnuVfEPXK', 'hUhuCEW7dP', 'EZruxC86D9'
Source: 0.2.Purchase Order.exe.6e80000.12.raw.unpack, Dm2Aa1KN8NCRa2S116.cs High entropy of concatenated method names: 'DqWmPgEVvI', 'JFFmTD6Gqt', 'stwm4tJnlB', 'TuvmXMIf2F', 'JGbmergLkt', 'GommtF6Qi6', 'JvOmgoqAOL', 'd1omJ8cZG2', 'v4CmaBHbeY', 'P0Am08FLAx'
Source: 0.2.Purchase Order.exe.6e80000.12.raw.unpack, QrapHu4bTYdeWhiBv34.cs High entropy of concatenated method names: 'MtL9bmEOyB', 'rYN9sVySMn', 'vu59ZQGavL', 'wIH9ijo2Zk', 'hv09Is9hsE', 'NM89yt9heb', 'wOh9w5ZT61', 'QgK91IctX3', 'fVm9AZ8bQt', 'O229Ej1HuM'
Source: 0.2.Purchase Order.exe.6e80000.12.raw.unpack, A6MLiKBRyMujdf4xuU.cs High entropy of concatenated method names: 'fZWjKlvPpC', 'qSkjdKtY9I', 'eX7j3Xgyf6', 'wmdjLK0VKJ', 'EvWjmNeVey', 'J5wjSxR61i', 'YpkW6iFQGX7lA4bpU7', 'hSc09BxJuG4rW8LpYM', 'RUBjj8mj5e', 'iALjF00D7I'
Source: 0.2.Purchase Order.exe.6e80000.12.raw.unpack, ddU9BNIepTqiYiDSNe.cs High entropy of concatenated method names: 'ToString', 'RgsSWurqnc', 'n0ZSeww0Ls', 'FPEStuSK6a', 'CcSSgCT38J', 'EVqSJjRUgb', 'B7bSalfqZ0', 'N7cS0xB4sq', 'mDASN606bI', 'QsrS6L6rCW'
Source: 0.2.Purchase Order.exe.6e80000.12.raw.unpack, FyuJ0fZT8QkGKLbO0a.cs High entropy of concatenated method names: 'MCpF2gwF2Y', 'QMFF83KnJV', 'OcxFp9x8lF', 'C9iF5RrC5r', 'WjoFDckhNi', 'ovlFc68W9Z', 'xr6FK2qnmD', 'k9XFdwKR7s', 'zyuFfnlxlU', 'RiTF3qyEGj'
Source: 0.2.Purchase Order.exe.6e80000.12.raw.unpack, M0VWMlW1XLOoXZdsFT.cs High entropy of concatenated method names: 'LlLM3LIay6', 'IeWMLxlH4M', 'ToString', 'YOnM8OKuFH', 'KXoMpZFTJN', 'cVfM5cmakJ', 'm7lMDD4ifU', 'sbnMc3QUNv', 'unWMK4hXTS', 'CGMMdaD4Ky'
Source: 0.2.Purchase Order.exe.6e80000.12.raw.unpack, yHJiJiM1egwcK8Tpms.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'gel7xVHfat', 'frb7h5Advd', 'NcZ7zGW2qY', 'nkeFqlu1XR', 'pA3Fj3U7ke', 'UHHF7Ccixp', 'QMHFFM3s6b', 'En9uIYKcHWU07GO99rk'
Source: 0.2.Purchase Order.exe.6e80000.12.raw.unpack, OjtXevgflriv064PBT.cs High entropy of concatenated method names: 'tPZMC3O3kO', 'iXuMhrH52F', 'mfXuqnUD1d', 'mYHuj5empF', 'faJMWBPhxG', 'fLaMThJy9E', 'PdiMvm2o04', 'Hv3M4LbtKk', 'QbgMXtoM7Z', 'OErMReRsvY'
Source: 0.2.Purchase Order.exe.6e80000.12.raw.unpack, N98lf8z4IoKp8QYGYE.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ueM9lq2ERr', 'Wnl9mFZwyT', 'Lqy9SiMUqR', 'TZ09MAwOjM', 'I4o9ut758p', 'F4V99DWYFC', 'CGv9U4rwfP'
Source: 0.2.Purchase Order.exe.6e80000.12.raw.unpack, w5I2yQcLxXelSwIFPi.cs High entropy of concatenated method names: 'Dispose', 'gPxjxhEliC', 'Ft87eEtsyT', 'vM1OOMEmqN', 'D3hjhAK1OW', 'Umojz1CJPs', 'ProcessDialogKey', 'zpt7qprMtj', 'NjZ7jHvBy1', 'H1e774lvat'
Source: 0.2.Purchase Order.exe.6e80000.12.raw.unpack, IalQVsoXW2uguJbXwL.cs High entropy of concatenated method names: 'UfoZNYu9T', 'LmYiIHLoh', 'EX9y4SqrO', 'xr1wfaOWF', 'BuTANytUO', 'Sx2EMARek', 'UevhZGJSnCMPgTlwcy', 'gwrG7uk1RM5IhjM7Mw', 'lkEuZPa5j', 'FG8Ullk38'
Source: 0.2.Purchase Order.exe.6e80000.12.raw.unpack, zm8M94O2ty4UIhePqx.cs High entropy of concatenated method names: 'prKKbYLagH', 'fc7KsNvH8V', 'xRZKZLUm2t', 'nxOKiO2eEr', 'uH8KIjPl0P', 'FNJKyJt4Ea', 'NuPKwXXeH4', 'y1yK1xsKJp', 'SYEKASAAUn', 'TWcKE8kZGM'
Source: 0.2.Purchase Order.exe.6e80000.12.raw.unpack, itB6mEiuYAhrSJUq77.cs High entropy of concatenated method names: 'WVYurkZDfk', 'kZEueuEPeT', 'iQ3utGpMgM', 'coHugOmDF2', 'ODPu4ZAJmf', 'HfeuJGgpE9', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Purchase Order.exe.6e80000.12.raw.unpack, cqZD1FH9amU9k1wEc9.cs High entropy of concatenated method names: 'YyNc2Zm8PF', 'l2KcpOuMZE', 'UwOcDg7ZQV', 'HnycK4dOti', 'XUpcdfgAEa', 'A6eDGhDvtV', 'kNbDnFaP9F', 'dFWDVOvPEu', 'OrqDCPREJ8', 'RFkDx4nTVe'
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: Purchase Order.exe PID: 6368, type: MEMORYSTR
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\Purchase Order.exe Memory allocated: E60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Memory allocated: 2A80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Memory allocated: 28A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Memory allocated: 7720000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Memory allocated: 6F20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Memory allocated: 8820000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Memory allocated: 9820000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Memory allocated: 1620000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Memory allocated: 2EF0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Memory allocated: 2CF0000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 922337203685477 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 3944 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: Amcache.hve.6.dr Binary or memory string: VMware
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Purchase Order.exe, 00000003.00000002.2205222662.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.6.dr Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\Purchase Order.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Purchase Order.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Process queried: DebugPort Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\Purchase Order.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Purchase Order.exe Memory written: C:\Users\user\Desktop\Purchase Order.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Purchase Order.exe Process created: C:\Users\user\Desktop\Purchase Order.exe "C:\Users\user\Desktop\Purchase Order.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Users\user\Desktop\Purchase Order.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Users\user\Desktop\Purchase Order.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.6.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 0.2.Purchase Order.exe.3d4c3b8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order.exe.3d2bb98.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order.exe.3d4c3b8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order.exe.3d2bb98.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2204842642.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2036940365.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2206030183.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Purchase Order.exe PID: 6368, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Purchase Order.exe PID: 5744, type: MEMORYSTR
Yara detected Credential Stealer
Source: Yara match File source: 0.2.Purchase Order.exe.3d4c3b8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order.exe.3d2bb98.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order.exe.3d4c3b8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order.exe.3d2bb98.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2204842642.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2036940365.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Purchase Order.exe PID: 6368, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Purchase Order.exe PID: 5744, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 0.2.Purchase Order.exe.3d4c3b8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order.exe.3d2bb98.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order.exe.3d4c3b8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order.exe.3d2bb98.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2204842642.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2036940365.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2206030183.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Purchase Order.exe PID: 6368, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Purchase Order.exe PID: 5744, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1420781 Sample: Purchase Order.exe Startdate: 05/04/2024 Architecture: WINDOWS Score: 100 16 checkip.dyndns.org 2->16 18 checkip.dyndns.com 2->18 22 Multi AV Scanner detection for domain / URL 2->22 24 Found malware configuration 2->24 26 Malicious sample detected (through community Yara rule) 2->26 28 8 other signatures 2->28 8 Purchase Order.exe 3 2->8         started        signatures3 process4 signatures5 30 Injects a PE file into a foreign processes 8->30 11 Purchase Order.exe 15 2 8->11         started        process6 dnsIp7 20 checkip.dyndns.com 132.226.8.169, 49709, 80 UTMEMUS United States 11->20 14 WerFault.exe 19 16 11->14         started        process8
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
132.226.8.169
 checkip.dyndns.com United States
16989 UTMEMUS false

Contacted Domains

Name IP Active
checkip.dyndns.com 132.226.8.169 true
checkip.dyndns.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://checkip.dyndns.org/ false
  • URL Reputation: safe
 unknown