Edit tour

Windows Analysis Report
Purchase Order.exe

Overview

General Information

Sample name:	Purchase Order.exe
Analysis ID:	1420781
MD5:	25a46527b42b425083fe4778768f2073
SHA1:	837219cc634a58cb7c10be9a5d6759562eb8d3f3
SHA256:	190504e991bb8bb608cf87db9ee7c7549999a17970251490ce85282f85cb49aa
Tags:	exe
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Snake Keylogger

.NET source code contains potential unpacker

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

IP address seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Purchase Order.exe (PID: 6368 cmdline: "C:\Users\user\Desktop\Purchase Order.exe" MD5: 25A46527B42B425083FE4778768F2073)

Purchase Order.exe (PID: 5744 cmdline: "C:\Users\user\Desktop\Purchase Order.exe" MD5: 25A46527B42B425083FE4778768F2073)

WerFault.exe (PID: 2748 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5744 -s 1516 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "tslogs@mksiimst.com", "Password": "EbxKZL@2", "Host": "us2.smtp.mailhostbox.com ", "Port": "587"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.2204842642.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.2204842642.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000003.00000002.2204842642.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14782:$a1: get_encryptedPassword 0x14a78:$a2: get_encryptedUsername 0x1458e:$a3: get_timePasswordChanged 0x14689:$a4: get_passwordField 0x14798:$a5: set_encryptedPassword 0x15d9b:$a7: get_logins 0x15cfe:$a10: KeyLoggerEventArgs 0x15997:$a11: KeyLoggerEventArgsEventHandler
00000003.00000002.2204842642.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x180c0:$x1: $%SMTPDV$ 0x18124:$x2: $#TheHashHere%& 0x1975f:$x3: %FTPDV$ 0x19853:$x4: $%TelegramDv$ 0x15997:$x5: KeyLoggerEventArgs 0x15cfe:$x5: KeyLoggerEventArgs 0x19783:$m2: Clipboard Logs ID 0x1994f:$m2: Screenshot Logs ID 0x19a1b:$m2: keystroke Logs ID 0x19927:$m4: \SnakeKeylogger\
00000000.00000002.2036940365.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2036940365.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.2036940365.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xe251a:$a1: get_encryptedPassword 0x102d3a:$a1: get_encryptedPassword 0x12335a:$a1: get_encryptedPassword 0xe2810:$a2: get_encryptedUsername 0x103030:$a2: get_encryptedUsername 0x123650:$a2: get_encryptedUsername 0xe2326:$a3: get_timePasswordChanged 0x102b46:$a3: get_timePasswordChanged 0x123166:$a3: get_timePasswordChanged 0xe2421:$a4: get_passwordField 0x102c41:$a4: get_passwordField 0x123261:$a4: get_passwordField 0xe2530:$a5: set_encryptedPassword 0x102d50:$a5: set_encryptedPassword 0x123370:$a5: set_encryptedPassword 0xe3b33:$a7: get_logins 0x104353:$a7: get_logins 0x124973:$a7: get_logins 0xe3a96:$a10: KeyLoggerEventArgs 0x1042b6:$a10: KeyLoggerEventArgs 0x1248d6:$a10: KeyLoggerEventArgs
00000000.00000002.2036940365.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xe5e58:$x1: $%SMTPDV$ 0x106678:$x1: $%SMTPDV$ 0x126c98:$x1: $%SMTPDV$ 0xe5ebc:$x2: $#TheHashHere%& 0x1066dc:$x2: $#TheHashHere%& 0x126cfc:$x2: $#TheHashHere%& 0xe74f7:$x3: %FTPDV$ 0x107d17:$x3: %FTPDV$ 0x128337:$x3: %FTPDV$ 0xe75eb:$x4: $%TelegramDv$ 0x107e0b:$x4: $%TelegramDv$ 0x12842b:$x4: $%TelegramDv$ 0xe372f:$x5: KeyLoggerEventArgs 0xe3a96:$x5: KeyLoggerEventArgs 0x103f4f:$x5: KeyLoggerEventArgs 0x1042b6:$x5: KeyLoggerEventArgs 0x12456f:$x5: KeyLoggerEventArgs 0x1248d6:$x5: KeyLoggerEventArgs 0xe751b:$m2: Clipboard Logs ID 0xe76e7:$m2: Screenshot Logs ID 0xe77b3:$m2: keystroke Logs ID
00000003.00000002.2206030183.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Purchase Order.exe PID: 6368	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Purchase Order.exe PID: 6368	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Purchase Order.exe PID: 6368	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Purchase Order.exe PID: 6368	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f6a6:$a1: get_encryptedPassword 0x3f992:$a2: get_encryptedUsername 0x3f4bc:$a3: get_timePasswordChanged 0x3f5b7:$a4: get_passwordField 0x3f6bc:$a5: set_encryptedPassword 0x41c04:$a7: get_logins 0x41b67:$a10: KeyLoggerEventArgs 0x41800:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Purchase Order.exe PID: 6368	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x41800:$x5: KeyLoggerEventArgs 0x41b67:$x5: KeyLoggerEventArgs 0x42455:$x5: KeyLoggerEventArgs 0x42789:$x5: KeyLoggerEventArgs 0x43d89:$m2: Clipboard Logs ID 0x43e69:$m2: Screenshot Logs ID 0x43e9d:$m2: keystroke Logs ID 0x43e55:$m4: \SnakeKeylogger\
Process Memory Space: Purchase Order.exe PID: 5744	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Purchase Order.exe PID: 5744	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Purchase Order.exe PID: 5744	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x127d1:$a1: get_encryptedPassword 0x12abd:$a2: get_encryptedUsername 0x125e7:$a3: get_timePasswordChanged 0x126e2:$a4: get_passwordField 0x127e7:$a5: set_encryptedPassword 0x14d2f:$a7: get_logins 0x14c92:$a10: KeyLoggerEventArgs 0x1492b:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Purchase Order.exe PID: 5744	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1492b:$x5: KeyLoggerEventArgs 0x14c92:$x5: KeyLoggerEventArgs 0x15580:$x5: KeyLoggerEventArgs 0x158b4:$x5: KeyLoggerEventArgs 0x16eb4:$m2: Clipboard Logs ID 0x16f94:$m2: Screenshot Logs ID 0x16fc8:$m2: keystroke Logs ID 0x16f80:$m4: \SnakeKeylogger\
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Purchase Order.exe.3d4c3b8.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Purchase Order.exe.3d4c3b8.7.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Purchase Order.exe.3d4c3b8.7.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12b82:$a1: get_encryptedPassword 0x12e78:$a2: get_encryptedUsername 0x1298e:$a3: get_timePasswordChanged 0x12a89:$a4: get_passwordField 0x12b98:$a5: set_encryptedPassword 0x1419b:$a7: get_logins 0x140fe:$a10: KeyLoggerEventArgs 0x13d97:$a11: KeyLoggerEventArgsEventHandler
0.2.Purchase Order.exe.3d4c3b8.7.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a49b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x196cd:$a3: \Google\Chrome\User Data\Default\Login Data 0x19b00:$a4: \Orbitum\User Data\Default\Login Data 0x1ab3f:$a5: \Kometa\User Data\Default\Login Data
0.2.Purchase Order.exe.3d4c3b8.7.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1372d:$s1: UnHook 0x13734:$s2: SetHook 0x1373c:$s3: CallNextHook 0x13749:$s4: _hook
0.2.Purchase Order.exe.3d4c3b8.7.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x164c0:$x1: $%SMTPDV$ 0x16524:$x2: $#TheHashHere%& 0x17b5f:$x3: %FTPDV$ 0x17c53:$x4: $%TelegramDv$ 0x13d97:$x5: KeyLoggerEventArgs 0x140fe:$x5: KeyLoggerEventArgs 0x17b83:$m2: Clipboard Logs ID 0x17d4f:$m2: Screenshot Logs ID 0x17e1b:$m2: keystroke Logs ID 0x17d27:$m4: \SnakeKeylogger\
3.2.Purchase Order.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.Purchase Order.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.2.Purchase Order.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
3.2.Purchase Order.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14982:$a1: get_encryptedPassword 0x14c78:$a2: get_encryptedUsername 0x1478e:$a3: get_timePasswordChanged 0x14889:$a4: get_passwordField 0x14998:$a5: set_encryptedPassword 0x15f9b:$a7: get_logins 0x15efe:$a10: KeyLoggerEventArgs 0x15b97:$a11: KeyLoggerEventArgsEventHandler
3.2.Purchase Order.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c29b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b4cd:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b900:$a4: \Orbitum\User Data\Default\Login Data 0x1c93f:$a5: \Kometa\User Data\Default\Login Data
3.2.Purchase Order.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1552d:$s1: UnHook 0x15534:$s2: SetHook 0x1553c:$s3: CallNextHook 0x15549:$s4: _hook
3.2.Purchase Order.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x182c0:$x1: $%SMTPDV$ 0x18324:$x2: $#TheHashHere%& 0x1995f:$x3: %FTPDV$ 0x19a53:$x4: $%TelegramDv$ 0x15b97:$x5: KeyLoggerEventArgs 0x15efe:$x5: KeyLoggerEventArgs 0x19983:$m2: Clipboard Logs ID 0x19b4f:$m2: Screenshot Logs ID 0x19c1b:$m2: keystroke Logs ID 0x19b27:$m4: \SnakeKeylogger\
0.2.Purchase Order.exe.3d2bb98.9.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Purchase Order.exe.3d2bb98.9.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Purchase Order.exe.3d2bb98.9.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12b82:$a1: get_encryptedPassword 0x12e78:$a2: get_encryptedUsername 0x1298e:$a3: get_timePasswordChanged 0x12a89:$a4: get_passwordField 0x12b98:$a5: set_encryptedPassword 0x1419b:$a7: get_logins 0x140fe:$a10: KeyLoggerEventArgs 0x13d97:$a11: KeyLoggerEventArgsEventHandler
0.2.Purchase Order.exe.3d2bb98.9.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a49b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x196cd:$a3: \Google\Chrome\User Data\Default\Login Data 0x19b00:$a4: \Orbitum\User Data\Default\Login Data 0x1ab3f:$a5: \Kometa\User Data\Default\Login Data
0.2.Purchase Order.exe.3d2bb98.9.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1372d:$s1: UnHook 0x13734:$s2: SetHook 0x1373c:$s3: CallNextHook 0x13749:$s4: _hook
0.2.Purchase Order.exe.3d2bb98.9.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x164c0:$x1: $%SMTPDV$ 0x16524:$x2: $#TheHashHere%& 0x17b5f:$x3: %FTPDV$ 0x17c53:$x4: $%TelegramDv$ 0x13d97:$x5: KeyLoggerEventArgs 0x140fe:$x5: KeyLoggerEventArgs 0x17b83:$m2: Clipboard Logs ID 0x17d4f:$m2: Screenshot Logs ID 0x17e1b:$m2: keystroke Logs ID 0x17d27:$m4: \SnakeKeylogger\
0.2.Purchase Order.exe.3d4c3b8.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Purchase Order.exe.3d4c3b8.7.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Purchase Order.exe.3d4c3b8.7.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Purchase Order.exe.3d4c3b8.7.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14982:$a1: get_encryptedPassword 0x34fa2:$a1: get_encryptedPassword 0x14c78:$a2: get_encryptedUsername 0x35298:$a2: get_encryptedUsername 0x1478e:$a3: get_timePasswordChanged 0x34dae:$a3: get_timePasswordChanged 0x14889:$a4: get_passwordField 0x34ea9:$a4: get_passwordField 0x14998:$a5: set_encryptedPassword 0x34fb8:$a5: set_encryptedPassword 0x15f9b:$a7: get_logins 0x365bb:$a7: get_logins 0x15efe:$a10: KeyLoggerEventArgs 0x3651e:$a10: KeyLoggerEventArgs 0x15b97:$a11: KeyLoggerEventArgsEventHandler 0x361b7:$a11: KeyLoggerEventArgsEventHandler
0.2.Purchase Order.exe.3d4c3b8.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1552d:$s1: UnHook 0x35b4d:$s1: UnHook 0x15534:$s2: SetHook 0x35b54:$s2: SetHook 0x1553c:$s3: CallNextHook 0x35b5c:$s3: CallNextHook 0x15549:$s4: _hook 0x35b69:$s4: _hook
0.2.Purchase Order.exe.3d4c3b8.7.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x182c0:$x1: $%SMTPDV$ 0x388e0:$x1: $%SMTPDV$ 0x18324:$x2: $#TheHashHere%& 0x38944:$x2: $#TheHashHere%& 0x1995f:$x3: %FTPDV$ 0x39f7f:$x3: %FTPDV$ 0x19a53:$x4: $%TelegramDv$ 0x3a073:$x4: $%TelegramDv$ 0x15b97:$x5: KeyLoggerEventArgs 0x15efe:$x5: KeyLoggerEventArgs 0x361b7:$x5: KeyLoggerEventArgs 0x3651e:$x5: KeyLoggerEventArgs 0x19983:$m2: Clipboard Logs ID 0x19b4f:$m2: Screenshot Logs ID 0x19c1b:$m2: keystroke Logs ID 0x39fa3:$m2: Clipboard Logs ID 0x3a16f:$m2: Screenshot Logs ID 0x3a23b:$m2: keystroke Logs ID 0x19b27:$m4: \SnakeKeylogger\ 0x3a147:$m4: \SnakeKeylogger\
0.2.Purchase Order.exe.3d2bb98.9.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Purchase Order.exe.3d2bb98.9.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Purchase Order.exe.3d2bb98.9.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Purchase Order.exe.3d2bb98.9.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14982:$a1: get_encryptedPassword 0x351a2:$a1: get_encryptedPassword 0x557c2:$a1: get_encryptedPassword 0x14c78:$a2: get_encryptedUsername 0x35498:$a2: get_encryptedUsername 0x55ab8:$a2: get_encryptedUsername 0x1478e:$a3: get_timePasswordChanged 0x34fae:$a3: get_timePasswordChanged 0x555ce:$a3: get_timePasswordChanged 0x14889:$a4: get_passwordField 0x350a9:$a4: get_passwordField 0x556c9:$a4: get_passwordField 0x14998:$a5: set_encryptedPassword 0x351b8:$a5: set_encryptedPassword 0x557d8:$a5: set_encryptedPassword 0x15f9b:$a7: get_logins 0x367bb:$a7: get_logins 0x56ddb:$a7: get_logins 0x15efe:$a10: KeyLoggerEventArgs 0x3671e:$a10: KeyLoggerEventArgs 0x56d3e:$a10: KeyLoggerEventArgs
0.2.Purchase Order.exe.3d2bb98.9.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1552d:$s1: UnHook 0x35d4d:$s1: UnHook 0x5636d:$s1: UnHook 0x15534:$s2: SetHook 0x35d54:$s2: SetHook 0x56374:$s2: SetHook 0x1553c:$s3: CallNextHook 0x35d5c:$s3: CallNextHook 0x5637c:$s3: CallNextHook 0x15549:$s4: _hook 0x35d69:$s4: _hook 0x56389:$s4: _hook
0.2.Purchase Order.exe.3d2bb98.9.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x182c0:$x1: $%SMTPDV$ 0x38ae0:$x1: $%SMTPDV$ 0x59100:$x1: $%SMTPDV$ 0x18324:$x2: $#TheHashHere%& 0x38b44:$x2: $#TheHashHere%& 0x59164:$x2: $#TheHashHere%& 0x1995f:$x3: %FTPDV$ 0x3a17f:$x3: %FTPDV$ 0x5a79f:$x3: %FTPDV$ 0x19a53:$x4: $%TelegramDv$ 0x3a273:$x4: $%TelegramDv$ 0x5a893:$x4: $%TelegramDv$ 0x15b97:$x5: KeyLoggerEventArgs 0x15efe:$x5: KeyLoggerEventArgs 0x363b7:$x5: KeyLoggerEventArgs 0x3671e:$x5: KeyLoggerEventArgs 0x569d7:$x5: KeyLoggerEventArgs 0x56d3e:$x5: KeyLoggerEventArgs 0x19983:$m2: Clipboard Logs ID 0x19b4f:$m2: Screenshot Logs ID 0x19c1b:$m2: keystroke Logs ID
Click to see the 26 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://scratchdreams.tk

Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000003.00000002.2206030183.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "tslogs@mksiimst.com", "Password": "EbxKZL@2", "Host": "us2.smtp.mailhostbox.com ", "Port": "587"}

Multi AV Scanner detection for domain / URL

Source: https://scratchdreams.tk

Virustotal: Detection: 15%

Perma Link

Multi AV Scanner detection for submitted file

Source: Purchase Order.exe	ReversingLabs: Detection: 28%
Source: Purchase Order.exe	Virustotal: Detection: 33%			Perma Link

Machine Learning detection for sample

Source: Purchase Order.exe

Joe Sandbox ML: detected

Source: Purchase Order.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Purchase Order.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Users\user\Desktop\Purchase Order.PDB source: Purchase Order.exe, 00000003.00000002.2205222662.0000000001240000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER9980.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdbRSDS source: WER9980.tmp.dmp.6.dr
Source:	Binary string: n.pdb source: Purchase Order.exe, 00000003.00000002.2204985960.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: ydwx.pdbSHA256 source: Purchase Order.exe
Source:	Binary string: System.Configuration.pdb8S source: WER9980.tmp.dmp.6.dr
Source:	Binary string: ydwx.pdbs\ydwx.pdbpdbdwx.pdb source: Purchase Order.exe, 00000003.00000002.2204985960.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbM source: Purchase Order.exe, 00000003.00000002.2205222662.0000000001240000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER9980.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\exe\ydwx.pdbum source: Purchase Order.exe, 00000003.00000002.2205222662.0000000001240000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER9980.tmp.dmp.6.dr
Source:	Binary string: nDC:\Users\user\Desktop\ydwx.pdb source: Purchase Order.exe, 00000003.00000002.2204985960.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb-m source: Purchase Order.exe, 00000003.00000002.2205222662.0000000001240000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdbmm source: Purchase Order.exe, 00000003.00000002.2205222662.0000000001240000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WER9980.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\ydwx.pdb source: Purchase Order.exe, 00000003.00000002.2205222662.0000000001240000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER9980.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Users\user\Desktop\ydwx.pdbdb source: Purchase Order.exe, 00000003.00000002.2205222662.0000000001240000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: WER9980.tmp.dmp.6.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER9980.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\symbols\exe\ydwx.pdbH source: Purchase Order.exe, 00000003.00000002.2205493610.00000000012D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER9980.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdb source: WER9980.tmp.dmp.6.dr
Source:	Binary string: nC:\Users\user\Desktop\ydwx.pdb source: Purchase Order.exe, 00000003.00000002.2204985960.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER9980.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdb source: Purchase Order.exe, 00000003.00000002.2205222662.0000000001240000.00000004.00000020.00020000.00000000.sdmp, WER9980.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb% source: Purchase Order.exe, 00000003.00000002.2205222662.0000000001240000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ydwx.pdbon source: Purchase Order.exe, 00000003.00000002.2205222662.0000000001240000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\ydwx.pdb source: Purchase Order.exe, 00000003.00000002.2205493610.00000000012D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER9980.tmp.dmp.6.dr
Source:	Binary string: System.Core.pdb source: WER9980.tmp.dmp.6.dr
Source:	Binary string: ydwx.pdb source: Purchase Order.exe
Source:	Binary string: symbols\exe\ydwx.pdb source: Purchase Order.exe, 00000003.00000002.2204985960.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\ydwx.pdbpdbdwx.pdb source: Purchase Order.exe, 00000003.00000002.2205222662.0000000001240000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n(C:\Windows\ydwx.pdb source: Purchase Order.exe, 00000003.00000002.2204985960.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER9980.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdb source: WER9980.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER9980.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\exe\ydwx.pdb source: Purchase Order.exe, 00000003.00000002.2205222662.0000000001240000.00000004.00000020.00020000.00000000.sdmp

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 3.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order.exe.3d4c3b8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order.exe.3d2bb98.9.raw.unpack, type: UNPACKEDPE

Source: Joe Sandbox View

IP Address: 132.226.8.169 132.226.8.169

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: checkip.dyndns.org

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: checkip.dyndns.org

Source: Purchase Order.exe, 00000003.00000002.2206030183.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: Purchase Order.exe, 00000003.00000002.2206030183.0000000002F9E000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.2206030183.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Purchase Order.exe, 00000003.00000002.2206030183.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Purchase Order.exe, 00000000.00000002.2036940365.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.2204842642.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: Purchase Order.exe, 00000003.00000002.2206030183.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Purchase Order.exe	String found in binary or memory: http://tempuri.org/DataSet1.xsdCEscolha
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: Purchase Order.exe, 00000000.00000002.2036940365.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.2204842642.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Purchase Order.exe, 00000000.00000002.2036940365.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.2206030183.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.2204842642.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://scratchdreams.tk

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Purchase Order.exe.3d4c3b8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Purchase Order.exe.3d4c3b8.7.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Purchase Order.exe.3d4c3b8.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Purchase Order.exe.3d4c3b8.7.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 3.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Purchase Order.exe.3d2bb98.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Purchase Order.exe.3d2bb98.9.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Purchase Order.exe.3d2bb98.9.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Purchase Order.exe.3d2bb98.9.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Purchase Order.exe.3d4c3b8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Purchase Order.exe.3d4c3b8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Purchase Order.exe.3d4c3b8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Purchase Order.exe.3d2bb98.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Purchase Order.exe.3d2bb98.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Purchase Order.exe.3d2bb98.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000003.00000002.2204842642.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.2204842642.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2036940365.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2036940365.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Purchase Order.exe PID: 6368, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Purchase Order.exe PID: 6368, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Purchase Order.exe PID: 5744, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Purchase Order.exe PID: 5744, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Purchase Order.exe

Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 0_2_00EADE0C	0_2_00EADE0C
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 0_2_06F147F0	0_2_06F147F0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 0_2_06F147E2	0_2_06F147E2
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 0_2_06F130E8	0_2_06F130E8
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 0_2_06F130D9	0_2_06F130D9
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 0_2_06F15060	0_2_06F15060
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 0_2_06F10006	0_2_06F10006
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 0_2_06F12CB0	0_2_06F12CB0
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 0_2_06F14C28	0_2_06F14C28
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 0_2_06F14C1A	0_2_06F14C1A
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 0_2_06F19D6C	0_2_06F19D6C
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_016235CA	3_2_016235CA
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_016221B4	3_2_016221B4

Source: C:\Users\user\Desktop\Purchase Order.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5744 -s 1516

Source: Purchase Order.exe, 00000000.00000002.2036617671.0000000002ADC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Purchase Order.exe
Source: Purchase Order.exe, 00000000.00000002.2035028579.0000000000B1E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Purchase Order.exe
Source: Purchase Order.exe, 00000000.00000002.2036940365.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Purchase Order.exe
Source: Purchase Order.exe, 00000000.00000002.2036940365.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Purchase Order.exe
Source: Purchase Order.exe, 00000000.00000000.1975610638.00000000005D6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameydwx.exeR vs Purchase Order.exe
Source: Purchase Order.exe, 00000000.00000002.2038406598.0000000006E80000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Purchase Order.exe
Source: Purchase Order.exe, 00000003.00000002.2204842642.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Purchase Order.exe
Source: Purchase Order.exe	Binary or memory string: OriginalFilenameydwx.exeR vs Purchase Order.exe

Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: Purchase Order.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.Purchase Order.exe.3d4c3b8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Purchase Order.exe.3d4c3b8.7.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Purchase Order.exe.3d4c3b8.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Purchase Order.exe.3d4c3b8.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 3.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Purchase Order.exe.3d2bb98.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Purchase Order.exe.3d2bb98.9.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Purchase Order.exe.3d2bb98.9.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Purchase Order.exe.3d2bb98.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Purchase Order.exe.3d4c3b8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Purchase Order.exe.3d4c3b8.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Purchase Order.exe.3d4c3b8.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Purchase Order.exe.3d2bb98.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Purchase Order.exe.3d2bb98.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Purchase Order.exe.3d2bb98.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000003.00000002.2204842642.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000003.00000002.2204842642.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2036940365.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2036940365.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Purchase Order.exe PID: 6368, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Purchase Order.exe PID: 6368, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Purchase Order.exe PID: 5744, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Purchase Order.exe PID: 5744, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: Purchase Order.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Purchase Order.exe.3d4c3b8.7.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order.exe.3d4c3b8.7.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order.exe.3d4c3b8.7.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order.exe.3d4c3b8.7.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order.exe.3d2bb98.9.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order.exe.3d2bb98.9.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order.exe.3d2bb98.9.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order.exe.3d2bb98.9.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.Purchase Order.exe.3d97540.8.raw.unpack, FyuJ0fZT8QkGKLbO0a.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Purchase Order.exe.3d97540.8.raw.unpack, FyuJ0fZT8QkGKLbO0a.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Purchase Order.exe.3d97540.8.raw.unpack, FyuJ0fZT8QkGKLbO0a.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Purchase Order.exe.3d97540.8.raw.unpack, NGtW9mR6Cee8uYqSK0.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Purchase Order.exe.6e80000.12.raw.unpack, NGtW9mR6Cee8uYqSK0.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Purchase Order.exe.6e80000.12.raw.unpack, FyuJ0fZT8QkGKLbO0a.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Purchase Order.exe.6e80000.12.raw.unpack, FyuJ0fZT8QkGKLbO0a.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Purchase Order.exe.6e80000.12.raw.unpack, FyuJ0fZT8QkGKLbO0a.cs	Security API names: _0020.AddAccessRule

Source: 0.2.Purchase Order.exe.5230000.11.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.Purchase Order.exe.2ab632c.1.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.Purchase Order.exe.2b02944.5.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.Purchase Order.exe.2abe344.3.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/6@1/1

Source: C:\Users\user\Desktop\Purchase Order.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase Order.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5744

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\f2dbadf2-782e-4c54-a631-1e82bb95e774

Jump to behavior

Source: Purchase Order.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Purchase Order.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Purchase Order.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Purchase Order.exe	ReversingLabs: Detection: 28%
Source: Purchase Order.exe	Virustotal: Detection: 33%

Source: C:\Users\user\Desktop\Purchase Order.exe

File read: C:\Users\user\Desktop\Purchase Order.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Purchase Order.exe "C:\Users\user\Desktop\Purchase Order.exe"
Source: C:\Users\user\Desktop\Purchase Order.exe	Process created: C:\Users\user\Desktop\Purchase Order.exe "C:\Users\user\Desktop\Purchase Order.exe"
Source: C:\Users\user\Desktop\Purchase Order.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5744 -s 1516
Source: C:\Users\user\Desktop\Purchase Order.exe	Process created: C:\Users\user\Desktop\Purchase Order.exe "C:\Users\user\Desktop\Purchase Order.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Purchase Order.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Purchase Order.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Purchase Order.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Purchase Order.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: \??\C:\Users\user\Desktop\Purchase Order.PDB source: Purchase Order.exe, 00000003.00000002.2205222662.0000000001240000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER9980.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdbRSDS source: WER9980.tmp.dmp.6.dr
Source:	Binary string: n.pdb source: Purchase Order.exe, 00000003.00000002.2204985960.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: ydwx.pdbSHA256 source: Purchase Order.exe
Source:	Binary string: System.Configuration.pdb8S source: WER9980.tmp.dmp.6.dr
Source:	Binary string: ydwx.pdbs\ydwx.pdbpdbdwx.pdb source: Purchase Order.exe, 00000003.00000002.2204985960.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbM source: Purchase Order.exe, 00000003.00000002.2205222662.0000000001240000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER9980.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\exe\ydwx.pdbum source: Purchase Order.exe, 00000003.00000002.2205222662.0000000001240000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER9980.tmp.dmp.6.dr
Source:	Binary string: nDC:\Users\user\Desktop\ydwx.pdb source: Purchase Order.exe, 00000003.00000002.2204985960.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb-m source: Purchase Order.exe, 00000003.00000002.2205222662.0000000001240000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdbmm source: Purchase Order.exe, 00000003.00000002.2205222662.0000000001240000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WER9980.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\ydwx.pdb source: Purchase Order.exe, 00000003.00000002.2205222662.0000000001240000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER9980.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Users\user\Desktop\ydwx.pdbdb source: Purchase Order.exe, 00000003.00000002.2205222662.0000000001240000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: WER9980.tmp.dmp.6.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER9980.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\symbols\exe\ydwx.pdbH source: Purchase Order.exe, 00000003.00000002.2205493610.00000000012D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER9980.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdb source: WER9980.tmp.dmp.6.dr
Source:	Binary string: nC:\Users\user\Desktop\ydwx.pdb source: Purchase Order.exe, 00000003.00000002.2204985960.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER9980.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdb source: Purchase Order.exe, 00000003.00000002.2205222662.0000000001240000.00000004.00000020.00020000.00000000.sdmp, WER9980.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb% source: Purchase Order.exe, 00000003.00000002.2205222662.0000000001240000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ydwx.pdbon source: Purchase Order.exe, 00000003.00000002.2205222662.0000000001240000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\ydwx.pdb source: Purchase Order.exe, 00000003.00000002.2205493610.00000000012D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER9980.tmp.dmp.6.dr
Source:	Binary string: System.Core.pdb source: WER9980.tmp.dmp.6.dr
Source:	Binary string: ydwx.pdb source: Purchase Order.exe
Source:	Binary string: symbols\exe\ydwx.pdb source: Purchase Order.exe, 00000003.00000002.2204985960.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\ydwx.pdbpdbdwx.pdb source: Purchase Order.exe, 00000003.00000002.2205222662.0000000001240000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n(C:\Windows\ydwx.pdb source: Purchase Order.exe, 00000003.00000002.2204985960.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER9980.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdb source: WER9980.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER9980.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\exe\ydwx.pdb source: Purchase Order.exe, 00000003.00000002.2205222662.0000000001240000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: Purchase Order.exe, Form1.cs	.Net Code: InitializeComponent
Source: 0.2.Purchase Order.exe.5060000.10.raw.unpack, nL.cs	.Net Code: sf
Source: 0.2.Purchase Order.exe.5060000.10.raw.unpack, nL.cs	.Net Code: wb System.Reflection.Assembly.Load(byte[])
Source: 0.2.Purchase Order.exe.2aa4e90.6.raw.unpack, nL.cs	.Net Code: sf
Source: 0.2.Purchase Order.exe.2aa4e90.6.raw.unpack, nL.cs	.Net Code: wb System.Reflection.Assembly.Load(byte[])
Source: 0.2.Purchase Order.exe.3d97540.8.raw.unpack, FyuJ0fZT8QkGKLbO0a.cs	.Net Code: eSHBZKoPfD System.Reflection.Assembly.Load(byte[])
Source: 0.2.Purchase Order.exe.6e80000.12.raw.unpack, FyuJ0fZT8QkGKLbO0a.cs	.Net Code: eSHBZKoPfD System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 0_2_00EA5DCB pushad ; iretd		0_2_00EA5DD9
Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 0_2_06F17C22 push es; retf		0_2_06F17C24

Source: Purchase Order.exe

Static PE information: section name: .text entropy: 7.939183932107505

Source: 0.2.Purchase Order.exe.3d97540.8.raw.unpack, NGtW9mR6Cee8uYqSK0.cs	High entropy of concatenated method names: 'fbXp4Gnw3s', 'bTIpX3VQcW', 'niUpRjoXv7', 'a9RpQlQiRj', 'pCQpGbEl8t', 'wKKpnTR70y', 'UvPpVc5VQX', 'cfLpCKfhbj', 'XxBpxXERkY', 'Wp5phDbj4d'
Source: 0.2.Purchase Order.exe.3d97540.8.raw.unpack, uoIBHmFPkhUFQerbYn.cs	High entropy of concatenated method names: 'IPvl1OSdbU', 'iv6lAul8sA', 'S5LlrTwXBu', 'V7Ylev95Iv', 'zJllgLV9CA', 'Y1alJuhpQh', 'Qh8l00KHLF', 'idElN1XpTc', 'lFQlPjK4FR', 'CTZlWrKB1b'
Source: 0.2.Purchase Order.exe.3d97540.8.raw.unpack, E1vSHmxrHlqTsNUgxd.cs	High entropy of concatenated method names: 'khju8BZm6S', 'QDoupOsxpD', 'neju5gp4nw', 'mVwuDXOurx', 'AP2ucO5ww1', 'GRguK3OTqw', 'WZyudkoDPA', 'r3Yuf2oba9', 'eiIu3tj5To', 'D0wuLrFvON'
Source: 0.2.Purchase Order.exe.3d97540.8.raw.unpack, bmPJCkvxRZ0biGsWep.cs	High entropy of concatenated method names: 'CQF5ifFu1O', 'z1r5yTMuSr', 'Jne51G5GsZ', 'qDN5ACnGkE', 'aXa5m4YkqD', 'UIB5SWmRtN', 'kLQ5M8EbIt', 'zk65uthTdn', 'GMd59IoVYH', 'j8k5UAK3FE'
Source: 0.2.Purchase Order.exe.3d97540.8.raw.unpack, N6InL94UlvEinA1O1jx.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'yj0U49BKSv', 'v5mUXYyE53', 'aElURRs8GJ', 'BC9UQENkDm', 'EdaUGmhS1w', 'EaLUnDRZLG', 'IVZUVw9SZ8'
Source: 0.2.Purchase Order.exe.3d97540.8.raw.unpack, KC1wtZamGsktrMxJHS.cs	High entropy of concatenated method names: 'pn0K8bJKEB', 'EOBK5pPI7d', 'k2bKcpf5mt', 'YbTchGcGyZ', 'h3BczNr3Nu', 'UowKqlDMtE', 'QEOKjqCArh', 'kMtK75PnCB', 'PLAKFTZj3s', 'GBvKBcLiEU'
Source: 0.2.Purchase Order.exe.3d97540.8.raw.unpack, YHZGZmtud5qs1b81Hm.cs	High entropy of concatenated method names: 'DTgcHSREws', 'bsNcbntoRV', 'WPqcZCDTS8', 'eB2ciple79', 'PNmcy64RGO', 'SrxcwpRAfn', 'VshcAZXE3r', 'lLtcEBS4PY', 'AW7BNL5uqdj42FSS8YN', 'LRJGFm5e0101PufXTiB'
Source: 0.2.Purchase Order.exe.3d97540.8.raw.unpack, xp0TTnCEDMiZTN5mCF.cs	High entropy of concatenated method names: 'y7Q9jNlevm', 'CGe9FYJXIj', 'XaN9BGOJce', 'OWo9892RjW', 'BDK9pq19Ko', 'tNk9DrqBs7', 'cBk9cpg81D', 'SsnuVfEPXK', 'hUhuCEW7dP', 'EZruxC86D9'
Source: 0.2.Purchase Order.exe.3d97540.8.raw.unpack, Dm2Aa1KN8NCRa2S116.cs	High entropy of concatenated method names: 'DqWmPgEVvI', 'JFFmTD6Gqt', 'stwm4tJnlB', 'TuvmXMIf2F', 'JGbmergLkt', 'GommtF6Qi6', 'JvOmgoqAOL', 'd1omJ8cZG2', 'v4CmaBHbeY', 'P0Am08FLAx'
Source: 0.2.Purchase Order.exe.3d97540.8.raw.unpack, QrapHu4bTYdeWhiBv34.cs	High entropy of concatenated method names: 'MtL9bmEOyB', 'rYN9sVySMn', 'vu59ZQGavL', 'wIH9ijo2Zk', 'hv09Is9hsE', 'NM89yt9heb', 'wOh9w5ZT61', 'QgK91IctX3', 'fVm9AZ8bQt', 'O229Ej1HuM'
Source: 0.2.Purchase Order.exe.3d97540.8.raw.unpack, A6MLiKBRyMujdf4xuU.cs	High entropy of concatenated method names: 'fZWjKlvPpC', 'qSkjdKtY9I', 'eX7j3Xgyf6', 'wmdjLK0VKJ', 'EvWjmNeVey', 'J5wjSxR61i', 'YpkW6iFQGX7lA4bpU7', 'hSc09BxJuG4rW8LpYM', 'RUBjj8mj5e', 'iALjF00D7I'
Source: 0.2.Purchase Order.exe.3d97540.8.raw.unpack, ddU9BNIepTqiYiDSNe.cs	High entropy of concatenated method names: 'ToString', 'RgsSWurqnc', 'n0ZSeww0Ls', 'FPEStuSK6a', 'CcSSgCT38J', 'EVqSJjRUgb', 'B7bSalfqZ0', 'N7cS0xB4sq', 'mDASN606bI', 'QsrS6L6rCW'
Source: 0.2.Purchase Order.exe.3d97540.8.raw.unpack, FyuJ0fZT8QkGKLbO0a.cs	High entropy of concatenated method names: 'MCpF2gwF2Y', 'QMFF83KnJV', 'OcxFp9x8lF', 'C9iF5RrC5r', 'WjoFDckhNi', 'ovlFc68W9Z', 'xr6FK2qnmD', 'k9XFdwKR7s', 'zyuFfnlxlU', 'RiTF3qyEGj'
Source: 0.2.Purchase Order.exe.3d97540.8.raw.unpack, M0VWMlW1XLOoXZdsFT.cs	High entropy of concatenated method names: 'LlLM3LIay6', 'IeWMLxlH4M', 'ToString', 'YOnM8OKuFH', 'KXoMpZFTJN', 'cVfM5cmakJ', 'm7lMDD4ifU', 'sbnMc3QUNv', 'unWMK4hXTS', 'CGMMdaD4Ky'
Source: 0.2.Purchase Order.exe.3d97540.8.raw.unpack, yHJiJiM1egwcK8Tpms.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'gel7xVHfat', 'frb7h5Advd', 'NcZ7zGW2qY', 'nkeFqlu1XR', 'pA3Fj3U7ke', 'UHHF7Ccixp', 'QMHFFM3s6b', 'En9uIYKcHWU07GO99rk'
Source: 0.2.Purchase Order.exe.3d97540.8.raw.unpack, OjtXevgflriv064PBT.cs	High entropy of concatenated method names: 'tPZMC3O3kO', 'iXuMhrH52F', 'mfXuqnUD1d', 'mYHuj5empF', 'faJMWBPhxG', 'fLaMThJy9E', 'PdiMvm2o04', 'Hv3M4LbtKk', 'QbgMXtoM7Z', 'OErMReRsvY'
Source: 0.2.Purchase Order.exe.3d97540.8.raw.unpack, N98lf8z4IoKp8QYGYE.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ueM9lq2ERr', 'Wnl9mFZwyT', 'Lqy9SiMUqR', 'TZ09MAwOjM', 'I4o9ut758p', 'F4V99DWYFC', 'CGv9U4rwfP'
Source: 0.2.Purchase Order.exe.3d97540.8.raw.unpack, w5I2yQcLxXelSwIFPi.cs	High entropy of concatenated method names: 'Dispose', 'gPxjxhEliC', 'Ft87eEtsyT', 'vM1OOMEmqN', 'D3hjhAK1OW', 'Umojz1CJPs', 'ProcessDialogKey', 'zpt7qprMtj', 'NjZ7jHvBy1', 'H1e774lvat'
Source: 0.2.Purchase Order.exe.3d97540.8.raw.unpack, IalQVsoXW2uguJbXwL.cs	High entropy of concatenated method names: 'UfoZNYu9T', 'LmYiIHLoh', 'EX9y4SqrO', 'xr1wfaOWF', 'BuTANytUO', 'Sx2EMARek', 'UevhZGJSnCMPgTlwcy', 'gwrG7uk1RM5IhjM7Mw', 'lkEuZPa5j', 'FG8Ullk38'
Source: 0.2.Purchase Order.exe.3d97540.8.raw.unpack, zm8M94O2ty4UIhePqx.cs	High entropy of concatenated method names: 'prKKbYLagH', 'fc7KsNvH8V', 'xRZKZLUm2t', 'nxOKiO2eEr', 'uH8KIjPl0P', 'FNJKyJt4Ea', 'NuPKwXXeH4', 'y1yK1xsKJp', 'SYEKASAAUn', 'TWcKE8kZGM'
Source: 0.2.Purchase Order.exe.3d97540.8.raw.unpack, itB6mEiuYAhrSJUq77.cs	High entropy of concatenated method names: 'WVYurkZDfk', 'kZEueuEPeT', 'iQ3utGpMgM', 'coHugOmDF2', 'ODPu4ZAJmf', 'HfeuJGgpE9', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Purchase Order.exe.3d97540.8.raw.unpack, cqZD1FH9amU9k1wEc9.cs	High entropy of concatenated method names: 'YyNc2Zm8PF', 'l2KcpOuMZE', 'UwOcDg7ZQV', 'HnycK4dOti', 'XUpcdfgAEa', 'A6eDGhDvtV', 'kNbDnFaP9F', 'dFWDVOvPEu', 'OrqDCPREJ8', 'RFkDx4nTVe'
Source: 0.2.Purchase Order.exe.6e80000.12.raw.unpack, NGtW9mR6Cee8uYqSK0.cs	High entropy of concatenated method names: 'fbXp4Gnw3s', 'bTIpX3VQcW', 'niUpRjoXv7', 'a9RpQlQiRj', 'pCQpGbEl8t', 'wKKpnTR70y', 'UvPpVc5VQX', 'cfLpCKfhbj', 'XxBpxXERkY', 'Wp5phDbj4d'
Source: 0.2.Purchase Order.exe.6e80000.12.raw.unpack, uoIBHmFPkhUFQerbYn.cs	High entropy of concatenated method names: 'IPvl1OSdbU', 'iv6lAul8sA', 'S5LlrTwXBu', 'V7Ylev95Iv', 'zJllgLV9CA', 'Y1alJuhpQh', 'Qh8l00KHLF', 'idElN1XpTc', 'lFQlPjK4FR', 'CTZlWrKB1b'
Source: 0.2.Purchase Order.exe.6e80000.12.raw.unpack, E1vSHmxrHlqTsNUgxd.cs	High entropy of concatenated method names: 'khju8BZm6S', 'QDoupOsxpD', 'neju5gp4nw', 'mVwuDXOurx', 'AP2ucO5ww1', 'GRguK3OTqw', 'WZyudkoDPA', 'r3Yuf2oba9', 'eiIu3tj5To', 'D0wuLrFvON'
Source: 0.2.Purchase Order.exe.6e80000.12.raw.unpack, bmPJCkvxRZ0biGsWep.cs	High entropy of concatenated method names: 'CQF5ifFu1O', 'z1r5yTMuSr', 'Jne51G5GsZ', 'qDN5ACnGkE', 'aXa5m4YkqD', 'UIB5SWmRtN', 'kLQ5M8EbIt', 'zk65uthTdn', 'GMd59IoVYH', 'j8k5UAK3FE'
Source: 0.2.Purchase Order.exe.6e80000.12.raw.unpack, N6InL94UlvEinA1O1jx.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'yj0U49BKSv', 'v5mUXYyE53', 'aElURRs8GJ', 'BC9UQENkDm', 'EdaUGmhS1w', 'EaLUnDRZLG', 'IVZUVw9SZ8'
Source: 0.2.Purchase Order.exe.6e80000.12.raw.unpack, KC1wtZamGsktrMxJHS.cs	High entropy of concatenated method names: 'pn0K8bJKEB', 'EOBK5pPI7d', 'k2bKcpf5mt', 'YbTchGcGyZ', 'h3BczNr3Nu', 'UowKqlDMtE', 'QEOKjqCArh', 'kMtK75PnCB', 'PLAKFTZj3s', 'GBvKBcLiEU'
Source: 0.2.Purchase Order.exe.6e80000.12.raw.unpack, YHZGZmtud5qs1b81Hm.cs	High entropy of concatenated method names: 'DTgcHSREws', 'bsNcbntoRV', 'WPqcZCDTS8', 'eB2ciple79', 'PNmcy64RGO', 'SrxcwpRAfn', 'VshcAZXE3r', 'lLtcEBS4PY', 'AW7BNL5uqdj42FSS8YN', 'LRJGFm5e0101PufXTiB'
Source: 0.2.Purchase Order.exe.6e80000.12.raw.unpack, xp0TTnCEDMiZTN5mCF.cs	High entropy of concatenated method names: 'y7Q9jNlevm', 'CGe9FYJXIj', 'XaN9BGOJce', 'OWo9892RjW', 'BDK9pq19Ko', 'tNk9DrqBs7', 'cBk9cpg81D', 'SsnuVfEPXK', 'hUhuCEW7dP', 'EZruxC86D9'
Source: 0.2.Purchase Order.exe.6e80000.12.raw.unpack, Dm2Aa1KN8NCRa2S116.cs	High entropy of concatenated method names: 'DqWmPgEVvI', 'JFFmTD6Gqt', 'stwm4tJnlB', 'TuvmXMIf2F', 'JGbmergLkt', 'GommtF6Qi6', 'JvOmgoqAOL', 'd1omJ8cZG2', 'v4CmaBHbeY', 'P0Am08FLAx'
Source: 0.2.Purchase Order.exe.6e80000.12.raw.unpack, QrapHu4bTYdeWhiBv34.cs	High entropy of concatenated method names: 'MtL9bmEOyB', 'rYN9sVySMn', 'vu59ZQGavL', 'wIH9ijo2Zk', 'hv09Is9hsE', 'NM89yt9heb', 'wOh9w5ZT61', 'QgK91IctX3', 'fVm9AZ8bQt', 'O229Ej1HuM'
Source: 0.2.Purchase Order.exe.6e80000.12.raw.unpack, A6MLiKBRyMujdf4xuU.cs	High entropy of concatenated method names: 'fZWjKlvPpC', 'qSkjdKtY9I', 'eX7j3Xgyf6', 'wmdjLK0VKJ', 'EvWjmNeVey', 'J5wjSxR61i', 'YpkW6iFQGX7lA4bpU7', 'hSc09BxJuG4rW8LpYM', 'RUBjj8mj5e', 'iALjF00D7I'
Source: 0.2.Purchase Order.exe.6e80000.12.raw.unpack, ddU9BNIepTqiYiDSNe.cs	High entropy of concatenated method names: 'ToString', 'RgsSWurqnc', 'n0ZSeww0Ls', 'FPEStuSK6a', 'CcSSgCT38J', 'EVqSJjRUgb', 'B7bSalfqZ0', 'N7cS0xB4sq', 'mDASN606bI', 'QsrS6L6rCW'
Source: 0.2.Purchase Order.exe.6e80000.12.raw.unpack, FyuJ0fZT8QkGKLbO0a.cs	High entropy of concatenated method names: 'MCpF2gwF2Y', 'QMFF83KnJV', 'OcxFp9x8lF', 'C9iF5RrC5r', 'WjoFDckhNi', 'ovlFc68W9Z', 'xr6FK2qnmD', 'k9XFdwKR7s', 'zyuFfnlxlU', 'RiTF3qyEGj'
Source: 0.2.Purchase Order.exe.6e80000.12.raw.unpack, M0VWMlW1XLOoXZdsFT.cs	High entropy of concatenated method names: 'LlLM3LIay6', 'IeWMLxlH4M', 'ToString', 'YOnM8OKuFH', 'KXoMpZFTJN', 'cVfM5cmakJ', 'm7lMDD4ifU', 'sbnMc3QUNv', 'unWMK4hXTS', 'CGMMdaD4Ky'
Source: 0.2.Purchase Order.exe.6e80000.12.raw.unpack, yHJiJiM1egwcK8Tpms.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'gel7xVHfat', 'frb7h5Advd', 'NcZ7zGW2qY', 'nkeFqlu1XR', 'pA3Fj3U7ke', 'UHHF7Ccixp', 'QMHFFM3s6b', 'En9uIYKcHWU07GO99rk'
Source: 0.2.Purchase Order.exe.6e80000.12.raw.unpack, OjtXevgflriv064PBT.cs	High entropy of concatenated method names: 'tPZMC3O3kO', 'iXuMhrH52F', 'mfXuqnUD1d', 'mYHuj5empF', 'faJMWBPhxG', 'fLaMThJy9E', 'PdiMvm2o04', 'Hv3M4LbtKk', 'QbgMXtoM7Z', 'OErMReRsvY'
Source: 0.2.Purchase Order.exe.6e80000.12.raw.unpack, N98lf8z4IoKp8QYGYE.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ueM9lq2ERr', 'Wnl9mFZwyT', 'Lqy9SiMUqR', 'TZ09MAwOjM', 'I4o9ut758p', 'F4V99DWYFC', 'CGv9U4rwfP'
Source: 0.2.Purchase Order.exe.6e80000.12.raw.unpack, w5I2yQcLxXelSwIFPi.cs	High entropy of concatenated method names: 'Dispose', 'gPxjxhEliC', 'Ft87eEtsyT', 'vM1OOMEmqN', 'D3hjhAK1OW', 'Umojz1CJPs', 'ProcessDialogKey', 'zpt7qprMtj', 'NjZ7jHvBy1', 'H1e774lvat'
Source: 0.2.Purchase Order.exe.6e80000.12.raw.unpack, IalQVsoXW2uguJbXwL.cs	High entropy of concatenated method names: 'UfoZNYu9T', 'LmYiIHLoh', 'EX9y4SqrO', 'xr1wfaOWF', 'BuTANytUO', 'Sx2EMARek', 'UevhZGJSnCMPgTlwcy', 'gwrG7uk1RM5IhjM7Mw', 'lkEuZPa5j', 'FG8Ullk38'
Source: 0.2.Purchase Order.exe.6e80000.12.raw.unpack, zm8M94O2ty4UIhePqx.cs	High entropy of concatenated method names: 'prKKbYLagH', 'fc7KsNvH8V', 'xRZKZLUm2t', 'nxOKiO2eEr', 'uH8KIjPl0P', 'FNJKyJt4Ea', 'NuPKwXXeH4', 'y1yK1xsKJp', 'SYEKASAAUn', 'TWcKE8kZGM'
Source: 0.2.Purchase Order.exe.6e80000.12.raw.unpack, itB6mEiuYAhrSJUq77.cs	High entropy of concatenated method names: 'WVYurkZDfk', 'kZEueuEPeT', 'iQ3utGpMgM', 'coHugOmDF2', 'ODPu4ZAJmf', 'HfeuJGgpE9', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Purchase Order.exe.6e80000.12.raw.unpack, cqZD1FH9amU9k1wEc9.cs	High entropy of concatenated method names: 'YyNc2Zm8PF', 'l2KcpOuMZE', 'UwOcDg7ZQV', 'HnycK4dOti', 'XUpcdfgAEa', 'A6eDGhDvtV', 'kNbDnFaP9F', 'dFWDVOvPEu', 'OrqDCPREJ8', 'RFkDx4nTVe'

Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Purchase Order.exe PID: 6368, type: MEMORYSTR

Source: C:\Users\user\Desktop\Purchase Order.exe	Memory allocated: E60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Memory allocated: 2A80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Memory allocated: 28A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Memory allocated: 7720000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Memory allocated: 6F20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Memory allocated: 8820000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Memory allocated: 9820000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Memory allocated: 1620000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Memory allocated: 2EF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Memory allocated: 2CF0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe TID: 3944

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Purchase Order.exe, 00000003.00000002.2205222662.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\Purchase Order.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Purchase Order.exe

Memory written: C:\Users\user\Desktop\Purchase Order.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe

Process created: C:\Users\user\Desktop\Purchase Order.exe "C:\Users\user\Desktop\Purchase Order.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe	Queries volume information: C:\Users\user\Desktop\Purchase Order.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Queries volume information: C:\Users\user\Desktop\Purchase Order.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.Purchase Order.exe.3d4c3b8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order.exe.3d2bb98.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order.exe.3d4c3b8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order.exe.3d2bb98.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2204842642.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2036940365.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2206030183.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Purchase Order.exe PID: 6368, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Purchase Order.exe PID: 5744, type: MEMORYSTR

Source: Yara match	File source: 0.2.Purchase Order.exe.3d4c3b8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order.exe.3d2bb98.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order.exe.3d4c3b8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order.exe.3d2bb98.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2204842642.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2036940365.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Purchase Order.exe PID: 6368, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Purchase Order.exe PID: 5744, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.Purchase Order.exe.3d4c3b8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order.exe.3d2bb98.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order.exe.3d4c3b8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order.exe.3d2bb98.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2204842642.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2036940365.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2206030183.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Purchase Order.exe PID: 6368, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Purchase Order.exe PID: 5744, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	OS Credential Dumping	21 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Purchase Order.exe	29%	ReversingLabs	Win32.Trojan.Generic
Purchase Order.exe	34%	Virustotal		Browse
Purchase Order.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
checkip.dyndns.com	0%	Virustotal		Browse
checkip.dyndns.org	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://checkip.dyndns.org	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://checkip.dyndns.com	0%	URL Reputation	safe
http://checkip.dyndns.com	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe
http://tempuri.org/DataSet1.xsdCEscolha	0%	Avira URL Cloud	safe
https://scratchdreams.tk	100%	Avira URL Cloud	malware
http://tempuri.org/DataSet1.xsdCEscolha	3%	Virustotal		Browse
https://scratchdreams.tk	15%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
checkip.dyndns.com	132.226.8.169	true	false	0%, Virustotal, Browse	unknown
checkip.dyndns.org	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.6.dr	false		high
http://checkip.dyndns.org	Purchase Order.exe, 00000003.00000002.2206030183.0000000002F9E000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.2206030183.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.com	Purchase Order.exe, 00000003.00000002.2206030183.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Purchase Order.exe, 00000003.00000002.2206030183.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/DataSet1.xsdCEscolha	Purchase Order.exe	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/q	Purchase Order.exe, 00000000.00000002.2036940365.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.2204842642.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://scratchdreams.tk	Purchase Order.exe, 00000000.00000002.2036940365.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.2206030183.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.2204842642.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	15%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://reallyfreegeoip.org/xml/	Purchase Order.exe, 00000000.00000002.2036940365.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000003.00000002.2204842642.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States		16989	UTMEMUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1420781
Start date and time:	2024-04-05 11:51:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Purchase Order.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/6@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 98% Number of executed functions: 44 Number of non-executed functions: 10
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.208.16.94
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
Execution Graph export aborted for target Purchase Order.exe, PID 5744 because it is empty
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:51:54	API Interceptor	1x Sleep call for process: Purchase Order.exe modified
11:52:17	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	FGT5000800000.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	checkip.dyndns.org/
	z52OURO08765.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	checkip.dyndns.org/
	23343100IM00270839_Dekont1.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Trojan.PackedNET.2725.1552.3502.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	vessel details.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	42bgGNhDFs.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	SD09870GH.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	checkip.dyndns.org/
	Ordine d'acquisto 9100033466 dal 14022024.iso.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	hesaphareketi-01.(170K).pdf.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	rZiraatBankasSwiftMesaj.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	Fuy2BDS9W2.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	132.226.247.73
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	lxdriver_setup.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	158.101.44.242
	iCareFone.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	193.122.130.0
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	109__Purchase_Order.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	1d4D5ndo0x.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	193.122.6.168
	FGT5000800000.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	132.226.8.169

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UTMEMUS	Fuy2BDS9W2.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	132.226.247.73
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Purchase Order.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	FGT5000800000.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	132.226.8.169
	z52OURO08765.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	132.226.8.169
	8wvP84hzFu.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	23343100IM00270839_Dekont1.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	9NdabeH642.elf	Get hash	malicious	Mirai, Moobot	Browse	132.240.147.214
	Payment_Draft_confirmation.xla.xlsx	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	xdd6BRIg0O.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	132.226.247.73

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Purchase Order.e_9c9d8a936f78fc7233192adcce1af5ce3649f62_cf8f988c_d81421a5-7655-44c6-931c-fe982a34b843\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0901823636519925
Encrypted:	false
SSDEEP:	192:3BniCkDpuT0BU/6a6ce36izuiFJZ24IO8x:3BiCkDpuABU/6arVizuiFJY4IO8x
MD5:	DF0B8D5817B1DC12F76686AE93FAFAC5
SHA1:	7565FDFBEAE44C953D873691F91D2D0168B01C55
SHA-256:	AF5B21C7FDBC110E760A261516836CADFE84BF5D5E892FF052639485EE220A7A
SHA-512:	AA61527C5E023AF05402E1745B4786E08A64B85F5F448FB03A827BBCA1620D1E6085840E9288489FAABE515FDED5D7437AAF18116F11F2FEF913DAB02B33245B
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.6.7.8.4.3.2.4.0.8.2.3.8.0.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.6.7.8.4.3.2.4.5.9.8.0.0.6.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.8.1.4.2.1.a.5.-.7.6.5.5.-.4.4.c.6.-.9.3.1.c.-.f.e.9.8.2.a.3.4.b.8.4.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.c.4.3.c.3.4.1.-.1.8.1.3.-.4.a.8.1.-.8.6.c.0.-.8.4.c.c.f.0.0.1.5.9.c.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.P.u.r.c.h.a.s.e. .O.r.d.e.r...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.y.d.w.x...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.7.0.-.0.0.0.1.-.0.0.1.4.-.7.e.8.a.-.7.6.e.7.3.e.8.7.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.5.0.f.2.8.7.2.4.1.9.1.e.c.4.a.1.3.3.c.a.a.9.b.b.a.4.f.1.2.3.8.0.0.0.0.0.0.0.0.!.0.0.0.0.8.3.7.2.1.9.c.c.6.3.4.a.5.8.c.b.7.c.1.0.b.e.9.a.5.d.6.7.5.9.5.6.2.e.b.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9980.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Fri Apr 5 09:52:04 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	268939
Entropy (8bit):	3.7363079556487633
Encrypted:	false
SSDEEP:	3072:ogwYQUA4uEq7yqLTgHlJjOCxChrFfllWF:obXUA4yyITgHlJjOHr
MD5:	06A26E2E0AE96FBA644B46D8A0AAA0A5
SHA1:	8220E19C43ADF9A24D5618B111CE04D3C3E00CF1
SHA-256:	AF95A82C7BDF097941546DC053CC95C283A14D72B8FD0DDC6F1982AF90D87202
SHA-512:	6F5A00A0D33A1F96348EA153635F0608F0A87E468F899BE37EB54E1209C23F7930ED4C939423DA0FC5D63A9D2558862217BADE37B16C3CB35AC08E0DCEC6216E
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ..........f............D...............X.......<....#......$%..6S..........`.......8...........T............;..............,$...........&..............................................................................eJ.......&......GenuineIntel............T.......p......f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9AA9.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6332
Entropy (8bit):	3.722838099930757
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbP+66JYA4xuQE/JpggaM4UO89bNbsfSXvIGm:R6l7wVeJP+66JYA40xprO89bNbsfIvPm
MD5:	DD282D72B36807006BBC309B75865366
SHA1:	ACAEA7DB5BE9854CE1961F9EEC54A1B1511BE55F
SHA-256:	7D1202D9ECCC727E40434F165E7A21F7951812156B39A9CE411BD3D91EEA66B4
SHA-512:	1FA3EE8E8744C297458146D52193B24C3E5DA6D5D0A3600C17FD4294DFE89D7D06D63D5612CAF802F123E68443AA8BA1B4A406A12E9235BE2806016C9B4B87A7
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.7.4.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9ACA.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4674
Entropy (8bit):	4.48108002064066
Encrypted:	false
SSDEEP:	48:cvIwWl8zsPtJg77aI9QiOWpW8VYeZYm8M4Jw+tjFwo+q8LaJXmXOhLo0d:uIjfPHI7zv7V1IJw+4oKy/hLo0d
MD5:	09FF61A0119CA4834417116263136B27
SHA1:	7E0206054B464785A87499C896B081C7D3B9DBF1
SHA-256:	DB0D8D4E3FF3A93CF07575CC902EBC9CB34CA4260A80B94ACD076D67441EEBF1
SHA-512:	F7695EA70448134F835526B7975345BFD06643A72294B70E823AF749750E17DCA16470A06653A862149EA05B889126BE91B50382DDD8A7C214F6D56CFA8396FA
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="266454" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase Order.exe.log

Download File

Process:	C:\Users\user\Desktop\Purchase Order.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.4218396381761815
Encrypted:	false
SSDEEP:	6144:9Svfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnNa0uhiTw3:kvloTMW+EZMM6DFyc03w3
MD5:	B3063836AFA14682145AC07C0B1B4F60
SHA1:	A79970DC1003E64F49EE55285F71D062C27CF2EF
SHA-256:	5BAA1551E009234AACB9DF488FFF85E86D21AA70642BEE9CAE6CC1D2F2798787
SHA-512:	B86239DC920518A6322FDE36BE02701CE187A663B077219A18ECAE56E737AE557E37FE0FAAB59F2A4E4FDA2ED7ABAD4628B3263F7CE3032192D46BF9FC48CF92
Malicious:	false
Reputation:	low
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm~...>...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.930875275193581
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Purchase Order.exe
File size:	536'576 bytes
MD5:	25a46527b42b425083fe4778768f2073
SHA1:	837219cc634a58cb7c10be9a5d6759562eb8d3f3
SHA256:	190504e991bb8bb608cf87db9ee7c7549999a17970251490ce85282f85cb49aa
SHA512:	afc0a18d8fc87168c144d274c7ffc39537a303d6fc02e6aa59d1ea3a116313a4fd6b4c32a91f33ceefcb33917447bd2c3eb2b962da67fffd339d7dee6bc67471
SSDEEP:	12288:JrLz6jG8UHRVVLHxjNFD04RUBFQG27TGS7oukJ0aSahC5ri78c5:0GTHhLB04uGTGOkGaHhCpi7R
TLSH:	C3B4120533A8DB27DCBC47F67016656403B2AABA39D2E1889DC2A0CB5F71F4096E5F47
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............0..&...........D... ...`....@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4844f2
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x660FA8AB [Fri Apr 5 07:30:51 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
xor al, 38h
xor eax, 38483446h
xor al, 47h
dec eax
xor eax, 00003447h
add byte ptr [edx], dh
inc ebx
inc edx
push ebx
aaa
dec eax
xor eax, 00003439h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8449f	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x86000	0x600	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x88000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x82240	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x82518	0x82600	8796a58a78fab8a8fe64e7035a63e67f	False	0.9418556747363375	data	7.939183932107505	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x86000	0x600	0x600	2e928705684918b55273aa480f3107d6	False	0.4381510416666667	data	4.210370842925874	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x88000	0xc	0x200	572f070a77c7de371edafcab2822a735	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x86090	0x370	data			0.425
RT_MANIFEST	0x86410	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 5, 2024 11:52:01.492651939 CEST	49709	80	192.168.2.5	132.226.8.169
Apr 5, 2024 11:52:01.777054071 CEST	80	49709	132.226.8.169	192.168.2.5
Apr 5, 2024 11:52:01.777498960 CEST	49709	80	192.168.2.5	132.226.8.169
Apr 5, 2024 11:52:01.777498960 CEST	49709	80	192.168.2.5	132.226.8.169
Apr 5, 2024 11:52:02.062019110 CEST	80	49709	132.226.8.169	192.168.2.5
Apr 5, 2024 11:52:04.634476900 CEST	80	49709	132.226.8.169	192.168.2.5
Apr 5, 2024 11:52:04.690285921 CEST	49709	80	192.168.2.5	132.226.8.169
Apr 5, 2024 11:52:18.478009939 CEST	49709	80	192.168.2.5	132.226.8.169

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 5, 2024 11:52:01.362235069 CEST	61221	53	192.168.2.5	1.1.1.1
Apr 5, 2024 11:52:01.486613035 CEST	53	61221	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 5, 2024 11:52:01.362235069 CEST	192.168.2.5	1.1.1.1	0xc226	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 5, 2024 11:52:01.486613035 CEST	1.1.1.1	192.168.2.5	0xc226	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 5, 2024 11:52:01.486613035 CEST	1.1.1.1	192.168.2.5	0xc226	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Apr 5, 2024 11:52:01.486613035 CEST	1.1.1.1	192.168.2.5	0xc226	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Apr 5, 2024 11:52:01.486613035 CEST	1.1.1.1	192.168.2.5	0xc226	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Apr 5, 2024 11:52:01.486613035 CEST	1.1.1.1	192.168.2.5	0xc226	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Apr 5, 2024 11:52:01.486613035 CEST	1.1.1.1	192.168.2.5	0xc226	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49709	132.226.8.169	80	5744	C:\Users\user\Desktop\Purchase Order.exe

Timestamp	Bytes transferred	Direction	Data
Apr 5, 2024 11:52:01.777498960 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 5, 2024 11:52:04.634476900 CEST	730	IN	HTTP/1.1 502 Bad Gateway Date: Fri, 05 Apr 2024 09:52:04 GMT Content-Type: text/html Content-Length: 547 Connection: keep-alive X-Request-ID: 50d5d71fdb7c682628bf696a9055bf20 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Target ID:	0
Start time:	11:51:54
Start date:	05/04/2024
Path:	C:\Users\user\Desktop\Purchase Order.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Purchase Order.exe"
Imagebase:	0x550000
File size:	536'576 bytes
MD5 hash:	25A46527B42B425083FE4778768F2073
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2036940365.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.2036940365.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2036940365.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.2036940365.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:52:00
Start date:	05/04/2024
Path:	C:\Users\user\Desktop\Purchase Order.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Purchase Order.exe"
Imagebase:	0xaa0000
File size:	536'576 bytes
MD5 hash:	25A46527B42B425083FE4778768F2073
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2204842642.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.2204842642.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.2204842642.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000003.00000002.2204842642.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.2206030183.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	11:52:03
Start date:	05/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5744 -s 1516
Imagebase:	0xb40000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	212
Total number of Limit Nodes:	13

Executed Functions

Function 06F10006 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2039225305.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83f20d5ada536bc318ba1d32121a6da5f9af663fa2a8956457946ab24816b6a2
Instruction ID: ef4d90d958edf58c945ce51d574a42a7bb28ba2bf6e9ff33822f0aa1e067f89d
Opcode Fuzzy Hash: 83f20d5ada536bc318ba1d32121a6da5f9af663fa2a8956457946ab24816b6a2
Instruction Fuzzy Hash: 66315071C053588FDB19CF66C8553EEBFF6AF89300F04C56AD449AA265DB78098ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 00EAD2F0 Relevance: 6.1, APIs: 4, Instructions: 135
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00EAD37E
GetCurrentThread.KERNEL32 ref: 00EAD3BB
GetCurrentProcess.KERNEL32 ref: 00EAD3F8
GetCurrentThreadId.KERNEL32 ref: 00EAD451

Memory Dump Source

Source File: 00000000.00000002.2036305698.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_Purchase Order.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: fcb0aab7bb4b9aec60513c986f544839507bb4e2f5f4946640387ecea4bba50f
Instruction ID: 13df30f918a6cee0183dece130a15942f90c1e97726b073ad36d10a03d659590
Opcode Fuzzy Hash: fcb0aab7bb4b9aec60513c986f544839507bb4e2f5f4946640387ecea4bba50f
Instruction Fuzzy Hash: C65187B0900349CFDB14CFAAC948B9EBBF1EF8D314F208459E419BB250DB74A845CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00EAD300 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00EAD37E
GetCurrentThread.KERNEL32 ref: 00EAD3BB
GetCurrentProcess.KERNEL32 ref: 00EAD3F8
GetCurrentThreadId.KERNEL32 ref: 00EAD451

Memory Dump Source

Source File: 00000000.00000002.2036305698.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_Purchase Order.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: fc782b5219197bddefa40bbe9a74cdc9032bcbeb95a009c7bcaf99b762bcb25c
Instruction ID: bdff271b7d93a67d95a5d6d95c3ffd9f9dd0b2dae9617d54613b96409d5b21d9
Opcode Fuzzy Hash: fc782b5219197bddefa40bbe9a74cdc9032bcbeb95a009c7bcaf99b762bcb25c
Instruction Fuzzy Hash: 895155B1900349CFDB14CFAAD948B9EBBF1EF8D314F208459E419BB250DB74A984CB65

Uniqueness

Uniqueness Score: -1.00%

Function 06F15D4C Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06F15F8E

Memory Dump Source

Source File: 00000000.00000002.2039225305.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_Purchase Order.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: fe0f3dc6f635f0c3071bc1764ea986b3d6bb537cfaff87554e0dcbd2bb7fb6a7
Instruction ID: f00913495a059c276e7726088b381e7155152f79ed421d931e4ecd2040e1fde5
Opcode Fuzzy Hash: fe0f3dc6f635f0c3071bc1764ea986b3d6bb537cfaff87554e0dcbd2bb7fb6a7
Instruction Fuzzy Hash: 8CA16DB1D00619CFDB54CF68C881BEDBBB2FF48310F148569E819AB240DB759A85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06F15D58 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06F15F8E

Memory Dump Source

Source File: 00000000.00000002.2039225305.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_Purchase Order.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 5fa5ea464dd35bbbf8b978f74c26775ae6988ab6444abc7a732b67ff2564f5ea
Instruction ID: 7711fdca960b3ac7970592cb5d92b215c2403112ec89dcf6ffa5d6576f524296
Opcode Fuzzy Hash: 5fa5ea464dd35bbbf8b978f74c26775ae6988ab6444abc7a732b67ff2564f5ea
Instruction Fuzzy Hash: B4917CB1D00619CFDB54CF68C881BEDBBB2FF48310F148569E819AB240DB759A85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00EAB068 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00EAB2BE

Memory Dump Source

Source File: 00000000.00000002.2036305698.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_Purchase Order.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 564cf418ef316844a00a1fa3274937e33f9f5274b121eae0c92e0a5394ae0f42
Instruction ID: 793a8b353c232ba3500a895e6ac15b6b73b6f783a627d794cc7c125394f37959
Opcode Fuzzy Hash: 564cf418ef316844a00a1fa3274937e33f9f5274b121eae0c92e0a5394ae0f42
Instruction Fuzzy Hash: 967123B0A00B058FD724DF2AD45575ABBF1FF89304F008A2AE48AABA51D775F945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00EA590D Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00EA59C9

Memory Dump Source

Source File: 00000000.00000002.2036305698.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_Purchase Order.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 09bb402a881d480281f7077c6e650c0aab2637a91d42d653319987795f44c86e
Instruction ID: e6f4c335d6111883a9b652573738e7695dc524a8c22c55660971f28aebae8d52
Opcode Fuzzy Hash: 09bb402a881d480281f7077c6e650c0aab2637a91d42d653319987795f44c86e
Instruction Fuzzy Hash: 4141EFB1C00719CEDB24CFA9C885ADEBBF5BF49304F20815AD809AB251DB71694ACF50

Uniqueness

Uniqueness Score: -1.00%

Function 00EA44E4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00EA59C9

Memory Dump Source

Source File: 00000000.00000002.2036305698.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_Purchase Order.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 39e8194b52712802c277f4ca1665132659b453497a906346815b820149a9997e
Instruction ID: bacd465bebbed9402158b2f071bf16d9ab99e24e51cf601154d50abf9e27a94d
Opcode Fuzzy Hash: 39e8194b52712802c277f4ca1665132659b453497a906346815b820149a9997e
Instruction Fuzzy Hash: AF41DFB1D00719CBDB24CFA9C884BDEBBF5BF89304F20816AD409AB251DB756949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06F15AC8 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06F15B60

Memory Dump Source

Source File: 00000000.00000002.2039225305.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_Purchase Order.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: c50b13252bd7944302893ce7ce1ab55a605429aa0504d470547830ec58f42b5f
Instruction ID: 37b5ce6c11f9f16ee718b52bc6f6991bb45565afde9170e7d512faa09c289420
Opcode Fuzzy Hash: c50b13252bd7944302893ce7ce1ab55a605429aa0504d470547830ec58f42b5f
Instruction Fuzzy Hash: A12137B5D003199FCB10CFAAC885BEEBBF5FF88310F108429E918A7240D7789940CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 06F15AD0 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06F15B60

Memory Dump Source

Source File: 00000000.00000002.2039225305.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_Purchase Order.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 944f59dbf91d03a03a0145aedbc42b9a1a69dd4143d2ed8772f4702c7e5f4302
Instruction ID: 90cbed8ffda133e0b48a4fe97fe32e27be3088a353757e4823802db53e7ee46b
Opcode Fuzzy Hash: 944f59dbf91d03a03a0145aedbc42b9a1a69dd4143d2ed8772f4702c7e5f4302
Instruction Fuzzy Hash: 7B2127B5D003499FDB10CFA9C885BEEBBF5FF88310F14842AE919A7240C7789944DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00EAD540 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00EAD5CF

Memory Dump Source

Source File: 00000000.00000002.2036305698.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_Purchase Order.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c8dcd8bdeca997f9e1d8e2251f61841df6260008909b5dee689da1d715b047d7
Instruction ID: 033191e0538fd0ac2a81db7b8420245b2eb9bb75878cd45a6533a90afc6515d2
Opcode Fuzzy Hash: c8dcd8bdeca997f9e1d8e2251f61841df6260008909b5dee689da1d715b047d7
Instruction Fuzzy Hash: DF21F2B5C00208DFDB10CFAAD984AEEBFF8EB48314F14841AE919A7210C374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06F15930 Relevance: 1.6, APIs: 1, Instructions: 67threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06F159B6

Memory Dump Source

Source File: 00000000.00000002.2039225305.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_Purchase Order.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 754aaf48d23af22ee7450b28c528546f1cc4aca280308e767781273eccc7471f
Instruction ID: b644fbadbd321f583e49174ab7547affa832f965a7aecc29fdae77eefcc30cf5
Opcode Fuzzy Hash: 754aaf48d23af22ee7450b28c528546f1cc4aca280308e767781273eccc7471f
Instruction Fuzzy Hash: 882157B1D003098FDB10DFAAC8857EEBFF5EF88324F54842AD459A7241DB789945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06F15BB9 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06F15C40

Memory Dump Source

Source File: 00000000.00000002.2039225305.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_Purchase Order.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 2ed8a06d59c90b7a0539feca27d82f7c077fd939ed1e243c5ae7645fc98d4ab4
Instruction ID: 4c5ce0685ae9b30596417f1fefc6b90d5e196e25c5daf961b5f4960788ac960c
Opcode Fuzzy Hash: 2ed8a06d59c90b7a0539feca27d82f7c077fd939ed1e243c5ae7645fc98d4ab4
Instruction Fuzzy Hash: 7D212AB1D003499FDB10CFA9C885AEEFBF5FF88320F548829E959A7250DB349541DB64

Uniqueness

Uniqueness Score: -1.00%

Function 06F15BC0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06F15C40

Memory Dump Source

Source File: 00000000.00000002.2039225305.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_Purchase Order.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: d358c553138849dda4040326c728617deda128f864723363cf7cdc3876aa2d5c
Instruction ID: f3f42f55b4279ccfe8fc8d268ae6eaf8cee5572d301f0dfd547de773787cd3b7
Opcode Fuzzy Hash: d358c553138849dda4040326c728617deda128f864723363cf7cdc3876aa2d5c
Instruction Fuzzy Hash: FF2139B1D003499FCB10CFAAC885AEEFBF5FF88320F10842AE519A7240C7349940DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 06F15938 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06F159B6

Memory Dump Source

Source File: 00000000.00000002.2039225305.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_Purchase Order.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 8cf167f8f51db96a5982b1df0fcb229665ae35f1bf0fcf7a0ab22f7f32064f16
Instruction ID: 904f1330716b8a1cc314476ef4bde741959eabb9093c309fb7b929e82dd64f28
Opcode Fuzzy Hash: 8cf167f8f51db96a5982b1df0fcb229665ae35f1bf0fcf7a0ab22f7f32064f16
Instruction Fuzzy Hash: C92149B1D003098FDB10DFAAC8857EEBBF4EF88320F54842AD459A7241CB789944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00EAD548 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00EAD5CF

Memory Dump Source

Source File: 00000000.00000002.2036305698.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_Purchase Order.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 77969b39b94471abd9e2f91c7bd40922a3513eae4c4d609e23d48f7e1f264455
Instruction ID: ece337ce8967c46be43bbc87a92f6627119d8b632c0dde3ca7bf72bb48642bd9
Opcode Fuzzy Hash: 77969b39b94471abd9e2f91c7bd40922a3513eae4c4d609e23d48f7e1f264455
Instruction Fuzzy Hash: 5F21E2B5D00248DFDB10CFAAD984ADEBBF8EB48320F14841AE918A7310D374A940CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 06F15A08 Relevance: 1.6, APIs: 1, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06F15A7E

Memory Dump Source

Source File: 00000000.00000002.2039225305.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_Purchase Order.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f390b95a0a2b38943b7493346b3d33ac571f33a1dd3e83e0a77934678c16e191
Instruction ID: 22bbc66f286db8946256c1017cc10253620f7ba8d31f9d8b357493b1214ee4c5
Opcode Fuzzy Hash: f390b95a0a2b38943b7493346b3d33ac571f33a1dd3e83e0a77934678c16e191
Instruction Fuzzy Hash: 071159729002499FCB10CFAAC885ADEBFF5EF88324F148819E519A7250CB359541CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00EAAD1C Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00EAB339,00000800,00000000,00000000), ref: 00EAB54A

Memory Dump Source

Source File: 00000000.00000002.2036305698.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_Purchase Order.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b65fab716b85da5bb36a252a918326df14f1ed9cd51b25d89050d1b7b07fe270
Instruction ID: 44635e0605baee562d66bd7ed628b90f1fdb1e62e0290faa05f5b8cc894fcb7f
Opcode Fuzzy Hash: b65fab716b85da5bb36a252a918326df14f1ed9cd51b25d89050d1b7b07fe270
Instruction Fuzzy Hash: A31114B6D003098FCB10CF9AD484ADEFBF5EB89310F14842AE919BB201C375A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00EAB4D9 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00EAB339,00000800,00000000,00000000), ref: 00EAB54A

Memory Dump Source

Source File: 00000000.00000002.2036305698.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_Purchase Order.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 26045bee28ff5d2001746726a8ad1b17e85a809dd1a88587bdb3935c550fde96
Instruction ID: 07587478fb43e2ab898c4253cb0261d59b1e9210ce8fe3a0b36f8aa00140679c
Opcode Fuzzy Hash: 26045bee28ff5d2001746726a8ad1b17e85a809dd1a88587bdb3935c550fde96
Instruction Fuzzy Hash: A61114B6D002098FCB20CF9AC484ADEFBF9EB89314F14841AE519BB201C375A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 06F15A10 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06F15A7E

Memory Dump Source

Source File: 00000000.00000002.2039225305.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_Purchase Order.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a00d70684224f1bd1a09f5b7004d0e14d322e7f69f1a54fd31e2a0d10d12dec5
Instruction ID: 9b3bd9758966ca400492f9ee195f3513c58574c79b3a6ec82cdad7b83a0fd82e
Opcode Fuzzy Hash: a00d70684224f1bd1a09f5b7004d0e14d322e7f69f1a54fd31e2a0d10d12dec5
Instruction Fuzzy Hash: 62113A719002499FCB10DFAAC885ADEBFF5EF88320F148419E519A7250CB759540DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 06F19570 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 06F195D0

Memory Dump Source

Source File: 00000000.00000002.2039225305.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_Purchase Order.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: dd53f6bf90fe82a4af2f16a4fc8ba2d1b8bc547556fdc05115a9d4b8beeb1d83
Instruction ID: ca4b05a62db41c28a96ce3072745c79a51788cafdd40ec05c6fe27fc6e0c1553
Opcode Fuzzy Hash: dd53f6bf90fe82a4af2f16a4fc8ba2d1b8bc547556fdc05115a9d4b8beeb1d83
Instruction Fuzzy Hash: 931128B6C002498FCB20CF9AC985BDEBBF4EB48360F14841AD958A7240D778A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06F15881 Relevance: 1.6, APIs: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06F158EA

Memory Dump Source

Source File: 00000000.00000002.2039225305.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_Purchase Order.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 1d0a966424920794db89a001a5adce927cef6b6525dd80a181940bb479113189
Instruction ID: b1aebbff610e1f75f0c8b99536b821efae38756c5893f7f6295e2de8ab9307d3
Opcode Fuzzy Hash: 1d0a966424920794db89a001a5adce927cef6b6525dd80a181940bb479113189
Instruction Fuzzy Hash: 30115BB1D002498FDB24DFA9C8857EEBBF4EF88324F148819D419A7240CB355544CB94

Uniqueness

Uniqueness Score: -1.00%

Function 06F15888 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06F158EA

Memory Dump Source

Source File: 00000000.00000002.2039225305.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_Purchase Order.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 33c14f6be0eae11941a5d0f23918cd6fc949a9b4baa275804d506536be445c3f
Instruction ID: 406f02d8e2603d6602f8dda5faa8635025a684aa89874c08be5e2eced83f448f
Opcode Fuzzy Hash: 33c14f6be0eae11941a5d0f23918cd6fc949a9b4baa275804d506536be445c3f
Instruction Fuzzy Hash: 12110DB1D003498FDB14DFAAC88579EFBF9EF88324F148419D519A7240CB756544CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00EAB258 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00EAB2BE

Memory Dump Source

Source File: 00000000.00000002.2036305698.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_Purchase Order.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a861bc74e35c8dacb651d1582816ba5f52518890882ce2e29b69176596619444
Instruction ID: 34712164eb53fd9581dacc3a038b6500a5a7ed75bb306783b86e1e77dc017e6c
Opcode Fuzzy Hash: a861bc74e35c8dacb651d1582816ba5f52518890882ce2e29b69176596619444
Instruction Fuzzy Hash: 0D11CDB68006498FCB10CF9AC884ADEFBF4EB89324F14841AD429A7611C379A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06F19578 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 06F195D0

Memory Dump Source

Source File: 00000000.00000002.2039225305.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_Purchase Order.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 9ad3a268d3eb4c93a740220643857f5952425bd5cf720992012a79422be12a18
Instruction ID: 0f19692573d246bfc8b11d84f94b4534a20374aec8bd153cf12f13df6ec15ff8
Opcode Fuzzy Hash: 9ad3a268d3eb4c93a740220643857f5952425bd5cf720992012a79422be12a18
Instruction Fuzzy Hash: 141103B6800349CFCB20DF9AC589BDEBBF4EB48360F14841AD959A7240D779A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06F13A50 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06F180FD

Memory Dump Source

Source File: 00000000.00000002.2039225305.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_Purchase Order.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 431954e7d2fd85663c762d5316005662205999fdf5c7bc42df492f082a59cc6c
Instruction ID: 94f4d5d350a9ce8c17578be7d5671fa38580a3ec0fc5dd39d5f7e024386aedae
Opcode Fuzzy Hash: 431954e7d2fd85663c762d5316005662205999fdf5c7bc42df492f082a59cc6c
Instruction Fuzzy Hash: FB1106B6804349DFDB60DF99C989BDEBBF8EB48350F108419E514A7201C375A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06F18098 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06F180FD

Memory Dump Source

Source File: 00000000.00000002.2039225305.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_Purchase Order.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: f18e5fccf7229749571739544830d092abf9037e9aa8426837d37258e973efb1
Instruction ID: 94d2d0dcc34aec51bf3067c885c67db93df09e8be86429f4b8ba51a6c2c4e69e
Opcode Fuzzy Hash: f18e5fccf7229749571739544830d092abf9037e9aa8426837d37258e973efb1
Instruction Fuzzy Hash: 5511F5B58003499FDB20CF9AC989BDEBFF8EB48320F108459E555A7241C375A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00AED4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2034600490.0000000000AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aed000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c03deaa43afcc2a2bdfa14ad412710a7d500db9346e03f3d392fd85fcc3e08b
Instruction ID: 489fa43a260a9320370bada8fa41eacd6f251a26f5e2d78d8788531e8706ffd9
Opcode Fuzzy Hash: 6c03deaa43afcc2a2bdfa14ad412710a7d500db9346e03f3d392fd85fcc3e08b
Instruction Fuzzy Hash: 8621F2B2504280EFDB15DF15D9C0B26BF65FB98328F24C96DE9090B256C336D856CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 00AED3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2034600490.0000000000AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aed000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b059a9ecaafb1fc32a5495f0f60675aed48878b54d1d6dcb73a6acb9ea69a84
Instruction ID: a23b78a75fd54d3d2b0a4a5051358a75e99ea884ea408e0b956106b645ce11b9
Opcode Fuzzy Hash: 7b059a9ecaafb1fc32a5495f0f60675aed48878b54d1d6dcb73a6acb9ea69a84
Instruction Fuzzy Hash: 12212875504284DFDB05DF14D9C0B16BF65FBA8324F24C569E9090F296C336E856C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 00AFD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2034738211.0000000000AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_afd000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df2f0e5f1916b82eb5c94305637b4c66edd63e983a44b3b8dea4f205654aaaae
Instruction ID: 93a245a27cb3007670f1262dbb2d5eabdf8f23259c32213fdcd772681f8ac5b3
Opcode Fuzzy Hash: df2f0e5f1916b82eb5c94305637b4c66edd63e983a44b3b8dea4f205654aaaae
Instruction Fuzzy Hash: 5121F575504208DFDB16DF54D984B26BB66FB84314F24C96DEA0A4B246CB3AD807CA61

Uniqueness

Uniqueness Score: -1.00%

Function 00AFD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2034738211.0000000000AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_afd000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b26119cbf436db2eee893455970b89d52145ff431572ea79851b4ec64676d429
Instruction ID: a1872ceaf5157ee0f9b9fda80eaf4bb42629d717401fd85991346ecaea1095a0
Opcode Fuzzy Hash: b26119cbf436db2eee893455970b89d52145ff431572ea79851b4ec64676d429
Instruction Fuzzy Hash: 66212971504208EFDB06DF94D9C0B36BB76FB84314F24C96DFA094B256C336D806CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 00AFD006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2034738211.0000000000AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_afd000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9462182a731bee1676ba432cce8e88ffe8fb0a7c41b78674f1944e4528e702b6
Instruction ID: 4d1b1ffa55f5597acb749da24d12d2f3b7eade77fb142a003326727a87e61298
Opcode Fuzzy Hash: 9462182a731bee1676ba432cce8e88ffe8fb0a7c41b78674f1944e4528e702b6
Instruction Fuzzy Hash: 1D218E755093848FCB03CF24D994715BF72EB46314F28C5EAD9498B6A7C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00AED4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2034600490.0000000000AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aed000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction ID: 5b870389b974ce7f1879f03ac12a1021125e03544a019024d4b3800b8eb61895
Opcode Fuzzy Hash: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction Fuzzy Hash: 0D11E676504280CFCB16CF14D9C4B16BF71FB94324F24C6ADD8490B656C33AD85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00AED3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2034600490.0000000000AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aed000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction ID: d2f4127275b4dc0befa31433aa2a52c7e80d469e0dbc576c83abd30446f29b84
Opcode Fuzzy Hash: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction Fuzzy Hash: F911E676504280DFDB16CF14D5C4B16BF71FBA4324F24C6A9D9090B656C33AE85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00AFD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2034738211.0000000000AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_afd000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction ID: 3b15e81e426faa6f0cdf68c5af83cdf9f001478042413541de6d9aa278c42f74
Opcode Fuzzy Hash: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction Fuzzy Hash: 6911DD76504284DFCB02CF50C5C4B25FBB2FB84314F24C6AEE9494B296C33AD80ACBA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 06F19D6C Relevance: .5, Instructions: 468COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2039225305.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49fbe711b0aa8a9f7eedbc75d02ebf931873d127286ec28389d620df6bd2be8e
Instruction ID: b23e3ffc567d5ccc1c6b00168f9d73fe384b2fcb407f497518a47b33b821dddf
Opcode Fuzzy Hash: 49fbe711b0aa8a9f7eedbc75d02ebf931873d127286ec28389d620df6bd2be8e
Instruction Fuzzy Hash: 7AD1BE70B017008FDBA9DB75C860BAE77E6AF8A740F1484ADE156DF2A1CB35E901CB51

Uniqueness

Uniqueness Score: -1.00%

Function 06F147F0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2039225305.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 064e7af59bbf4f40493d8a087585bd4c66dc291d265cdf187d06c12ca7a637ca
Instruction ID: 28a751b3b1b22f7b3478e6764610105181b9e8dd9b657cdcce968ee44ec4d84f
Opcode Fuzzy Hash: 064e7af59bbf4f40493d8a087585bd4c66dc291d265cdf187d06c12ca7a637ca
Instruction Fuzzy Hash: 5EE11974E042598FCB14DFA9C5909AEFBF2FF89304F248169E415AB359D731A942CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 06F12CB0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2039225305.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d41de12aab179dff60279137554c514a2fce027ac6f9853cca0e717598ff85e
Instruction ID: 0f42138ef1ae8eef0a37f4123b733ddba7bc22d1b5bcad6e584edd173e6ee1b0
Opcode Fuzzy Hash: 9d41de12aab179dff60279137554c514a2fce027ac6f9853cca0e717598ff85e
Instruction Fuzzy Hash: 27E11774E001598FCB54DFA9C5809AEFBF2FF89304F248169E415AB355D731AA82CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06F14C28 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2039225305.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ee7faadb36e3313f484b7e4ca1230a000a6c90d58666b89c00299c45b0d0b6c
Instruction ID: c659d231f8741462564c9cae6f84e0a7fcb0a8f529cb5d2f8d3d124779e7bf80
Opcode Fuzzy Hash: 1ee7faadb36e3313f484b7e4ca1230a000a6c90d58666b89c00299c45b0d0b6c
Instruction Fuzzy Hash: 05E116B4E001598FCB54DFA9C5909AEFBF2FF89304F248169E415AB356D731A942CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 06F130E8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2039225305.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07af7869c0b0b806feec33798ca44c72429460091c46dcdb1721ebe886721150
Instruction ID: ddb6c340d73ff969db2c89dc8eba974b3faedbf94ca26f443c9f3030e92ff9b3
Opcode Fuzzy Hash: 07af7869c0b0b806feec33798ca44c72429460091c46dcdb1721ebe886721150
Instruction Fuzzy Hash: 68E11975E041598FCB14DFA9C5809AEFBB2FF89300F248169E415AB356DB31A942CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 06F15060 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2039225305.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65150218e18bef344b503ea1ddbbb66a8e0bba13a49f6c8ba53ac4d1fddb1c6a
Instruction ID: 59ea43278915824558692654361e50170c94fec79a2f693dba3a7a4835e35a61
Opcode Fuzzy Hash: 65150218e18bef344b503ea1ddbbb66a8e0bba13a49f6c8ba53ac4d1fddb1c6a
Instruction Fuzzy Hash: 84E117B4E002598FCB54DFA9C5909AEFBF2FF89304F248169E415AB359D731A942CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00EADE0C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036305698.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ea0000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd362aa82584715b832e36d64385dfcf3ebb53f660d41657cb103c21e69ace4d
Instruction ID: 65c3fa0de5f6e6a0f830c79b518145d8171a193c038c7ea622db1b22c39c3440
Opcode Fuzzy Hash: cd362aa82584715b832e36d64385dfcf3ebb53f660d41657cb103c21e69ace4d
Instruction Fuzzy Hash: 3EA13932E002058FCF05DFA5C88459EB7B2BF8A304B15956AE806BF265DB71ED56CB80

Uniqueness

Uniqueness Score: -1.00%

Function 06F130D9 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2039225305.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4555cdd2ac1acd75951e093b381f2cd520c618a5629fac1f0424cc05d0ee751c
Instruction ID: 763f40b80f172deb395a8f1ee21fc8d804cb2628890035a3810061c4bcf34962
Opcode Fuzzy Hash: 4555cdd2ac1acd75951e093b381f2cd520c618a5629fac1f0424cc05d0ee751c
Instruction Fuzzy Hash: 79511871E042598FDB54DFA9C5805AEFBF2FF89300F248169D418AB356DB31A942CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06F14C1A Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2039225305.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17e8601cbd8faf835b134ec7088ca17fb8c2bbbd19b1740e5645f260713de61a
Instruction ID: 019dedbe3603bf81d151e2c691b6ac8ad895811defb7f734a02cc7a246a430c2
Opcode Fuzzy Hash: 17e8601cbd8faf835b134ec7088ca17fb8c2bbbd19b1740e5645f260713de61a
Instruction Fuzzy Hash: 0D5128B4E042198FCB14DFA9C9809AEFBF2FF89304F248169D418AB355D7359942CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06F147E2 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2039225305.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2838578adaa413882fc24743fc31330d10fb8e1a534c1fae1e07b6d7106ddc17
Instruction ID: a114c731e44d9eb054d7fb6611606c28eabee44e6cf1f83d6447de81e10b63d5
Opcode Fuzzy Hash: 2838578adaa413882fc24743fc31330d10fb8e1a534c1fae1e07b6d7106ddc17
Instruction Fuzzy Hash: CB511974E042598FCB54CFA9C5909AEFBF2FF89304F248169D418AB355D7319942CFA0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Purchase Order.exePID: 5744, Parent PID: 6368COMMON

Executed Functions

Function 016221B4 Relevance: 5.5, Strings: 4, Instructions: 512COMMON

Download Yara Rule

Strings

Xiq, xrefs: 01622266
Xiq, xrefs: 0162236C
Xiq, xrefs: 016222A0
Xiq, xrefs: 0162231F

Memory Dump Source

Source File: 00000003.00000002.2205728285.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1620000_Purchase Order.jbxd

Similarity

API ID:
String ID: Xiq$Xiq$Xiq$Xiq
API String ID: 0-4026295062
Opcode ID: f5064a9c8586cb56f5d6915800edad8b1347f9d8c9925fc446b60c537d1e2503
Instruction ID: 7eb442f4037a2a1d362659dfd1d70f36ba7645111ac319c026b73730882e7798
Opcode Fuzzy Hash: f5064a9c8586cb56f5d6915800edad8b1347f9d8c9925fc446b60c537d1e2503
Instruction Fuzzy Hash: 9E127F3B448685AFC711CFB8D8D679577B4FF2B304B289ADDD0608B121DB3AA441CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 016235CA Relevance: 2.8, Strings: 2, Instructions: 268COMMON

Download Yara Rule

Strings

Xiq, xrefs: 01623607
$eq, xrefs: 016235EE

Memory Dump Source

Source File: 00000003.00000002.2205728285.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1620000_Purchase Order.jbxd

Similarity

API ID:
String ID: Xiq$$eq
API String ID: 0-3760103188
Opcode ID: e54371b6ceed9a099557b4a0fc9a568a846e8a77bb22c325124d49fa5b3fbc87
Instruction ID: a86b77ac28ae15d155d9ed7a2661ae031a077594a2265b6d9efe22cc375a8a25
Opcode Fuzzy Hash: e54371b6ceed9a099557b4a0fc9a568a846e8a77bb22c325124d49fa5b3fbc87
Instruction Fuzzy Hash: 45919574F002289BDB18DB75995467EBBB3BFC8740B15856DE406EB388DF39D8028B91

Uniqueness

Uniqueness Score: -1.00%

Function 01623470 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

Xiq, xrefs: 0162348D
Xiq, xrefs: 016234B6

Memory Dump Source

Source File: 00000003.00000002.2205728285.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1620000_Purchase Order.jbxd

Similarity

API ID:
String ID: Xiq$Xiq
API String ID: 0-733771754
Opcode ID: b7a74d1e90ecc3487abfecdd547e7122b9f967ab3719c7e5c1d12ef2214cea25
Instruction ID: af22f198712755f3782a53a25dab53c00b5d4690f4a82866029b52558f375329
Opcode Fuzzy Hash: b7a74d1e90ecc3487abfecdd547e7122b9f967ab3719c7e5c1d12ef2214cea25
Instruction Fuzzy Hash: 3B312679B00A348BDB1A09698D9437F66A6FBC8310F14413DD90AD7384DB7CC8468BA1

Uniqueness

Uniqueness Score: -1.00%

Function 01620C8F Relevance: 1.7, Strings: 1, Instructions: 420COMMON

Download Yara Rule

Strings

LReq, xrefs: 01620E80

Memory Dump Source

Source File: 00000003.00000002.2205728285.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1620000_Purchase Order.jbxd

Similarity

API ID:
String ID: LReq
API String ID: 0-2687900687
Opcode ID: 779c9106a9314db6e86b12172e943129497783e16406c0901ac4297a1cb08dc6
Instruction ID: 4b52f115312577bf691cc74e21eacd5d579ba435b9f226afc327efd83a501fed
Opcode Fuzzy Hash: 779c9106a9314db6e86b12172e943129497783e16406c0901ac4297a1cb08dc6
Instruction Fuzzy Hash: 9C22117890122ACFCB55EF65E894A9DBBB1FF88300F108BA9D509A7359DB706D85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 01620CA0 Relevance: 1.7, Strings: 1, Instructions: 410COMMON

Download Yara Rule

Strings

LReq, xrefs: 01620E80

Memory Dump Source

Source File: 00000003.00000002.2205728285.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1620000_Purchase Order.jbxd

Similarity

API ID:
String ID: LReq
API String ID: 0-2687900687
Opcode ID: c125b791d81f11051325dd1f481c8d8615c646af88c1c1fc4d57a3c16b17730d
Instruction ID: 3040671bbf166bd3e45cfe122c92adce179495e2022ec91edfc85d590eaf7b25
Opcode Fuzzy Hash: c125b791d81f11051325dd1f481c8d8615c646af88c1c1fc4d57a3c16b17730d
Instruction Fuzzy Hash: 8922F17890122ACFCB55EF65E894A9DBBB1FF88300F108BA9D509A7359DB706D85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 016220B8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2205728285.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1620000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb9f543900ae8d174c6af793eac8c1f7305d20103439de1eff763c1615ce3296
Instruction ID: 608806e9df6fcdeffd64857c43cc59e11b99922fb56e867ababbffe09f8b9fa8
Opcode Fuzzy Hash: cb9f543900ae8d174c6af793eac8c1f7305d20103439de1eff763c1615ce3296
Instruction Fuzzy Hash: 4C21C439A006269FCB15DF24C850DAE77A5EFC9351B60C51DEA099B354DB30EA46CF80

Uniqueness

Uniqueness Score: -1.00%

Function 01621FB8 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2205728285.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1620000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 576a304a397dc4ad580b7ecece4d209c34c366f74c59d90b54c3cf15bce70bc0
Instruction ID: 9ec9e40543c2fe7e15bbb05c5498d8c39df1b46b703e57227171a774a7501828
Opcode Fuzzy Hash: 576a304a397dc4ad580b7ecece4d209c34c366f74c59d90b54c3cf15bce70bc0
Instruction Fuzzy Hash: A521E0B4C0560A8FCB41EFA8D9555EEBFF0FF59300F20466AD905B2210EB301A85CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01622068 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2205728285.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1620000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a296b8b3e0fe4f59219dae0ebc4a33892427831acea19f919e81d93ea22aa1d
Instruction ID: 7f8099d75be82c69e6415216b6c78fae649dda2584aaffd2b0fefb8b71deacb6
Opcode Fuzzy Hash: 0a296b8b3e0fe4f59219dae0ebc4a33892427831acea19f919e81d93ea22aa1d
Instruction Fuzzy Hash: 2BE0D876D2036A4BCB129BB498525FDBF34ADD2120B5A4663D050B7052E730164FC771

Uniqueness

Uniqueness Score: -1.00%

Function 01622078 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2205728285.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1620000_Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a03f3fa756d98859a89643e90076f62774f114eba71877c6d1589a719d0d730f
Instruction ID: 029bc0a622d6c8ecf8e7d7f29d452ea5785f4d4c389dded27e885aa293771617
Opcode Fuzzy Hash: a03f3fa756d98859a89643e90076f62774f114eba71877c6d1589a719d0d730f
Instruction Fuzzy Hash: AFD05E32D2032B97CB00EBA5EC048EFFB38EED6261B958626D52437154FB702659C6E1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Purchase Order.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Purchase Order.e_9c9d8a936f78fc7233192adcce1af5ce3649f62_cf8f988c_d81421a5-7655-44c6-931c-fe982a34b843\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9980.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9AA9.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9ACA.tmp.xml

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase Order.exe.log

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Windows Analysis Report
Purchase Order.exe

Function 00EAD2F0 Relevance: 6.1, APIs: 4, Instructions: 135
threadCOMMON

Function 00EAD300 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 06F15D4C Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Function 06F15D58 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 00EAB068 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Function 00EA590D Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Function 00EA44E4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 06F15AC8 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Function 06F15AD0 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 00EAD540 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON