Edit tour

Windows Analysis Report
Purchase Order No.1364.exe

Overview

General Information

Sample name:	Purchase Order No.1364.exe
Analysis ID:	1638114
MD5:	590a49e6af7de46b3d72e7d322b7ec5d
SHA1:	02df153059b46739488d83b5bb165f748a140dce
SHA256:	d2de2cdacd6417cc261b2c1f95026b47e14af21e097efd1d4ab15a5fab6d72c4
Tags:	exeuser-lowmal3
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Snake Keylogger

.NET source code contains potential unpacker

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Sample uses string decryption to hide its real strings

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Purchase Order No.1364.exe (PID: 6352 cmdline: "C:\Users\user\Desktop\Purchase Order No.1364.exe" MD5: 590A49E6AF7DE46B3D72E7D322B7EC5D)

Purchase Order No.1364.exe (PID: 6516 cmdline: "C:\Users\user\Desktop\Purchase Order No.1364.exe" MD5: 590A49E6AF7DE46B3D72E7D322B7EC5D)

Purchase Order No.1364.exe (PID: 6456 cmdline: "C:\Users\user\Desktop\Purchase Order No.1364.exe" MD5: 590A49E6AF7DE46B3D72E7D322B7EC5D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7922655426:AAFVRqVw9pB4VZ3uipJRDfn5kD08nswJtAk/sendMessage?chat_id=7854955274", "Token": "7922655426:AAFVRqVw9pB4VZ3uipJRDfn5kD08nswJtAk", "Chat_id": "7854955274", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.3318503770.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3318503770.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.3318503770.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x148ce:$a1: get_encryptedPassword 0x14bba:$a2: get_encryptedUsername 0x146da:$a3: get_timePasswordChanged 0x147d5:$a4: get_passwordField 0x148e4:$a5: set_encryptedPassword 0x15f8b:$a7: get_logins 0x15eee:$a10: KeyLoggerEventArgs 0x15b59:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.3318503770.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x198a4:$x1: $%SMTPDV$ 0x18288:$x2: $#TheHashHere%& 0x1984c:$x3: %FTPDV$ 0x18228:$x4: $%TelegramDv$ 0x15b59:$x5: KeyLoggerEventArgs 0x15eee:$x5: KeyLoggerEventArgs 0x19870:$m2: Clipboard Logs ID 0x19aae:$m2: Screenshot Logs ID 0x19bbe:$m2: keystroke Logs ID 0x19e98:$m3: SnakePW 0x19a86:$m4: \SnakeKeylogger\
00000002.00000002.3320826906.0000000002D98000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.3320826906.0000000002C41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.856320142.0000000004699000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.856320142.0000000004699000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.856320142.0000000004699000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x283e0e:$a1: get_encryptedPassword 0x2a482e:$a1: get_encryptedPassword 0x2c504e:$a1: get_encryptedPassword 0x2840fa:$a2: get_encryptedUsername 0x2a4b1a:$a2: get_encryptedUsername 0x2c533a:$a2: get_encryptedUsername 0x283c1a:$a3: get_timePasswordChanged 0x2a463a:$a3: get_timePasswordChanged 0x2c4e5a:$a3: get_timePasswordChanged 0x283d15:$a4: get_passwordField 0x2a4735:$a4: get_passwordField 0x2c4f55:$a4: get_passwordField 0x283e24:$a5: set_encryptedPassword 0x2a4844:$a5: set_encryptedPassword 0x2c5064:$a5: set_encryptedPassword 0x2854cb:$a7: get_logins 0x2a5eeb:$a7: get_logins 0x2c670b:$a7: get_logins 0x28542e:$a10: KeyLoggerEventArgs 0x2a5e4e:$a10: KeyLoggerEventArgs 0x2c666e:$a10: KeyLoggerEventArgs
00000000.00000002.856320142.0000000004699000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x288de4:$x1: $%SMTPDV$ 0x2a9804:$x1: $%SMTPDV$ 0x2ca024:$x1: $%SMTPDV$ 0x2877c8:$x2: $#TheHashHere%& 0x2a81e8:$x2: $#TheHashHere%& 0x2c8a08:$x2: $#TheHashHere%& 0x288d8c:$x3: %FTPDV$ 0x2a97ac:$x3: %FTPDV$ 0x2c9fcc:$x3: %FTPDV$ 0x287768:$x4: $%TelegramDv$ 0x2a8188:$x4: $%TelegramDv$ 0x2c89a8:$x4: $%TelegramDv$ 0x285099:$x5: KeyLoggerEventArgs 0x28542e:$x5: KeyLoggerEventArgs 0x2a5ab9:$x5: KeyLoggerEventArgs 0x2a5e4e:$x5: KeyLoggerEventArgs 0x2c62d9:$x5: KeyLoggerEventArgs 0x2c666e:$x5: KeyLoggerEventArgs 0x288db0:$m2: Clipboard Logs ID 0x288fee:$m2: Screenshot Logs ID 0x2890fe:$m2: keystroke Logs ID
Process Memory Space: Purchase Order No.1364.exe PID: 6352	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Purchase Order No.1364.exe PID: 6352	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Purchase Order No.1364.exe PID: 6352	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Purchase Order No.1364.exe PID: 6352	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x7b570:$a1: get_encryptedPassword 0x7b765:$a2: get_encryptedUsername 0x7b399:$a3: get_timePasswordChanged 0x7b488:$a4: get_passwordField 0x7b586:$a5: set_encryptedPassword 0x7d4e4:$a7: get_logins 0x7d45c:$a10: KeyLoggerEventArgs 0x7d1e7:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Purchase Order No.1364.exe PID: 6352	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x7d1e7:$x5: KeyLoggerEventArgs 0x7d45c:$x5: KeyLoggerEventArgs 0x7dc81:$x5: KeyLoggerEventArgs 0x7dfe2:$x5: KeyLoggerEventArgs 0x7f556:$m2: Clipboard Logs ID 0x7f65c:$m2: Screenshot Logs ID 0x7f6b2:$m2: keystroke Logs ID 0x7f7e7:$m3: SnakePW 0x7f648:$m4: \SnakeKeylogger\
Process Memory Space: Purchase Order No.1364.exe PID: 6456	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Purchase Order No.1364.exe PID: 6456	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Purchase Order No.1364.exe PID: 6456	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2ee20:$a1: get_encryptedPassword 0x2f102:$a2: get_encryptedUsername 0x2ec36:$a3: get_timePasswordChanged 0x2ed31:$a4: get_passwordField 0x2ee36:$a5: set_encryptedPassword 0x31314:$a7: get_logins 0x31277:$a10: KeyLoggerEventArgs 0x30ee2:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Purchase Order No.1364.exe PID: 6456	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x30ee2:$x5: KeyLoggerEventArgs 0x31277:$x5: KeyLoggerEventArgs 0x31b7e:$x5: KeyLoggerEventArgs 0x31edf:$x5: KeyLoggerEventArgs 0x334a2:$m2: Clipboard Logs ID 0x335a8:$m2: Screenshot Logs ID 0x335fe:$m2: keystroke Logs ID 0x33733:$m3: SnakePW 0x33594:$m4: \SnakeKeylogger\
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Purchase Order No.1364.exe.4908340.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Purchase Order No.1364.exe.4908340.7.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Purchase Order No.1364.exe.4908340.7.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12cce:$a1: get_encryptedPassword 0x12fba:$a2: get_encryptedUsername 0x12ada:$a3: get_timePasswordChanged 0x12bd5:$a4: get_passwordField 0x12ce4:$a5: set_encryptedPassword 0x1438b:$a7: get_logins 0x142ee:$a10: KeyLoggerEventArgs 0x13f59:$a11: KeyLoggerEventArgsEventHandler
0.2.Purchase Order No.1364.exe.4908340.7.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a65a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1988c:$a3: \Google\Chrome\User Data\Default\Login Data 0x19cbf:$a4: \Orbitum\User Data\Default\Login Data 0x1acfe:$a5: \Kometa\User Data\Default\Login Data
0.2.Purchase Order No.1364.exe.4908340.7.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x138c7:$s1: UnHook 0x138ce:$s2: SetHook 0x138d6:$s3: CallNextHook 0x138e3:$s4: _hook
0.2.Purchase Order No.1364.exe.4908340.7.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17ca4:$x1: $%SMTPDV$ 0x16688:$x2: $#TheHashHere%& 0x17c4c:$x3: %FTPDV$ 0x16628:$x4: $%TelegramDv$ 0x13f59:$x5: KeyLoggerEventArgs 0x142ee:$x5: KeyLoggerEventArgs 0x17c70:$m2: Clipboard Logs ID 0x17eae:$m2: Screenshot Logs ID 0x17fbe:$m2: keystroke Logs ID 0x18298:$m3: SnakePW 0x17e86:$m4: \SnakeKeylogger\
2.2.Purchase Order No.1364.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.Purchase Order No.1364.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
2.2.Purchase Order No.1364.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14ace:$a1: get_encryptedPassword 0x14dba:$a2: get_encryptedUsername 0x148da:$a3: get_timePasswordChanged 0x149d5:$a4: get_passwordField 0x14ae4:$a5: set_encryptedPassword 0x1618b:$a7: get_logins 0x160ee:$a10: KeyLoggerEventArgs 0x15d59:$a11: KeyLoggerEventArgsEventHandler
2.2.Purchase Order No.1364.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c45a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b68c:$a3: \Google\Chrome\User Data\Default\Login Data 0x1babf:$a4: \Orbitum\User Data\Default\Login Data 0x1cafe:$a5: \Kometa\User Data\Default\Login Data
2.2.Purchase Order No.1364.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x156c7:$s1: UnHook 0x156ce:$s2: SetHook 0x156d6:$s3: CallNextHook 0x156e3:$s4: _hook
2.2.Purchase Order No.1364.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19aa4:$x1: $%SMTPDV$ 0x18488:$x2: $#TheHashHere%& 0x19a4c:$x3: %FTPDV$ 0x18428:$x4: $%TelegramDv$ 0x15d59:$x5: KeyLoggerEventArgs 0x160ee:$x5: KeyLoggerEventArgs 0x19a70:$m2: Clipboard Logs ID 0x19cae:$m2: Screenshot Logs ID 0x19dbe:$m2: keystroke Logs ID 0x1a098:$m3: SnakePW 0x19c86:$m4: \SnakeKeylogger\
0.2.Purchase Order No.1364.exe.4908340.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Purchase Order No.1364.exe.4908340.7.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Purchase Order No.1364.exe.4908340.7.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14ace:$a1: get_encryptedPassword 0x354ee:$a1: get_encryptedPassword 0x55d0e:$a1: get_encryptedPassword 0x14dba:$a2: get_encryptedUsername 0x357da:$a2: get_encryptedUsername 0x55ffa:$a2: get_encryptedUsername 0x148da:$a3: get_timePasswordChanged 0x352fa:$a3: get_timePasswordChanged 0x55b1a:$a3: get_timePasswordChanged 0x149d5:$a4: get_passwordField 0x353f5:$a4: get_passwordField 0x55c15:$a4: get_passwordField 0x14ae4:$a5: set_encryptedPassword 0x35504:$a5: set_encryptedPassword 0x55d24:$a5: set_encryptedPassword 0x1618b:$a7: get_logins 0x36bab:$a7: get_logins 0x573cb:$a7: get_logins 0x160ee:$a10: KeyLoggerEventArgs 0x36b0e:$a10: KeyLoggerEventArgs 0x5732e:$a10: KeyLoggerEventArgs
0.2.Purchase Order No.1364.exe.4908340.7.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c45a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ce7a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5d69a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b68c:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c0ac:$a3: \Google\Chrome\User Data\Default\Login Data 0x5c8cc:$a3: \Google\Chrome\User Data\Default\Login Data 0x1babf:$a4: \Orbitum\User Data\Default\Login Data 0x3c4df:$a4: \Orbitum\User Data\Default\Login Data 0x5ccff:$a4: \Orbitum\User Data\Default\Login Data 0x1cafe:$a5: \Kometa\User Data\Default\Login Data 0x3d51e:$a5: \Kometa\User Data\Default\Login Data 0x5dd3e:$a5: \Kometa\User Data\Default\Login Data
0.2.Purchase Order No.1364.exe.4908340.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x156c7:$s1: UnHook 0x360e7:$s1: UnHook 0x56907:$s1: UnHook 0x156ce:$s2: SetHook 0x360ee:$s2: SetHook 0x5690e:$s2: SetHook 0x156d6:$s3: CallNextHook 0x360f6:$s3: CallNextHook 0x56916:$s3: CallNextHook 0x156e3:$s4: _hook 0x36103:$s4: _hook 0x56923:$s4: _hook
0.2.Purchase Order No.1364.exe.4908340.7.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19aa4:$x1: $%SMTPDV$ 0x3a4c4:$x1: $%SMTPDV$ 0x5ace4:$x1: $%SMTPDV$ 0x18488:$x2: $#TheHashHere%& 0x38ea8:$x2: $#TheHashHere%& 0x596c8:$x2: $#TheHashHere%& 0x19a4c:$x3: %FTPDV$ 0x3a46c:$x3: %FTPDV$ 0x5ac8c:$x3: %FTPDV$ 0x18428:$x4: $%TelegramDv$ 0x38e48:$x4: $%TelegramDv$ 0x59668:$x4: $%TelegramDv$ 0x15d59:$x5: KeyLoggerEventArgs 0x160ee:$x5: KeyLoggerEventArgs 0x36779:$x5: KeyLoggerEventArgs 0x36b0e:$x5: KeyLoggerEventArgs 0x56f99:$x5: KeyLoggerEventArgs 0x5732e:$x5: KeyLoggerEventArgs 0x19a70:$m2: Clipboard Logs ID 0x19cae:$m2: Screenshot Logs ID 0x19dbe:$m2: keystroke Logs ID
0.2.Purchase Order No.1364.exe.48a3520.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Purchase Order No.1364.exe.48a3520.6.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Purchase Order No.1364.exe.48a3520.6.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x798ee:$a1: get_encryptedPassword 0x9a30e:$a1: get_encryptedPassword 0xbab2e:$a1: get_encryptedPassword 0x79bda:$a2: get_encryptedUsername 0x9a5fa:$a2: get_encryptedUsername 0xbae1a:$a2: get_encryptedUsername 0x796fa:$a3: get_timePasswordChanged 0x9a11a:$a3: get_timePasswordChanged 0xba93a:$a3: get_timePasswordChanged 0x797f5:$a4: get_passwordField 0x9a215:$a4: get_passwordField 0xbaa35:$a4: get_passwordField 0x79904:$a5: set_encryptedPassword 0x9a324:$a5: set_encryptedPassword 0xbab44:$a5: set_encryptedPassword 0x7afab:$a7: get_logins 0x9b9cb:$a7: get_logins 0xbc1eb:$a7: get_logins 0x7af0e:$a10: KeyLoggerEventArgs 0x9b92e:$a10: KeyLoggerEventArgs 0xbc14e:$a10: KeyLoggerEventArgs
0.2.Purchase Order No.1364.exe.48a3520.6.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x8127a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xa1c9a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xc24ba:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x804ac:$a3: \Google\Chrome\User Data\Default\Login Data 0xa0ecc:$a3: \Google\Chrome\User Data\Default\Login Data 0xc16ec:$a3: \Google\Chrome\User Data\Default\Login Data 0x808df:$a4: \Orbitum\User Data\Default\Login Data 0xa12ff:$a4: \Orbitum\User Data\Default\Login Data 0xc1b1f:$a4: \Orbitum\User Data\Default\Login Data 0x8191e:$a5: \Kometa\User Data\Default\Login Data 0xa233e:$a5: \Kometa\User Data\Default\Login Data 0xc2b5e:$a5: \Kometa\User Data\Default\Login Data
0.2.Purchase Order No.1364.exe.48a3520.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x7a4e7:$s1: UnHook 0x9af07:$s1: UnHook 0xbb727:$s1: UnHook 0x7a4ee:$s2: SetHook 0x9af0e:$s2: SetHook 0xbb72e:$s2: SetHook 0x7a4f6:$s3: CallNextHook 0x9af16:$s3: CallNextHook 0xbb736:$s3: CallNextHook 0x7a503:$s4: _hook 0x9af23:$s4: _hook 0xbb743:$s4: _hook
0.2.Purchase Order No.1364.exe.48a3520.6.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x7e8c4:$x1: $%SMTPDV$ 0x9f2e4:$x1: $%SMTPDV$ 0xbfb04:$x1: $%SMTPDV$ 0x7d2a8:$x2: $#TheHashHere%& 0x9dcc8:$x2: $#TheHashHere%& 0xbe4e8:$x2: $#TheHashHere%& 0x7e86c:$x3: %FTPDV$ 0x9f28c:$x3: %FTPDV$ 0xbfaac:$x3: %FTPDV$ 0x7d248:$x4: $%TelegramDv$ 0x9dc68:$x4: $%TelegramDv$ 0xbe488:$x4: $%TelegramDv$ 0x7ab79:$x5: KeyLoggerEventArgs 0x7af0e:$x5: KeyLoggerEventArgs 0x9b599:$x5: KeyLoggerEventArgs 0x9b92e:$x5: KeyLoggerEventArgs 0xbbdb9:$x5: KeyLoggerEventArgs 0xbc14e:$x5: KeyLoggerEventArgs 0x7e890:$m2: Clipboard Logs ID 0x7eace:$m2: Screenshot Logs ID 0x7ebde:$m2: keystroke Logs ID
0.2.Purchase Order No.1364.exe.483e700.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Purchase Order No.1364.exe.483e700.5.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Purchase Order No.1364.exe.483e700.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xde70e:$a1: get_encryptedPassword 0xff12e:$a1: get_encryptedPassword 0x11f94e:$a1: get_encryptedPassword 0xde9fa:$a2: get_encryptedUsername 0xff41a:$a2: get_encryptedUsername 0x11fc3a:$a2: get_encryptedUsername 0xde51a:$a3: get_timePasswordChanged 0xfef3a:$a3: get_timePasswordChanged 0x11f75a:$a3: get_timePasswordChanged 0xde615:$a4: get_passwordField 0xff035:$a4: get_passwordField 0x11f855:$a4: get_passwordField 0xde724:$a5: set_encryptedPassword 0xff144:$a5: set_encryptedPassword 0x11f964:$a5: set_encryptedPassword 0xdfdcb:$a7: get_logins 0x1007eb:$a7: get_logins 0x12100b:$a7: get_logins 0xdfd2e:$a10: KeyLoggerEventArgs 0x10074e:$a10: KeyLoggerEventArgs 0x120f6e:$a10: KeyLoggerEventArgs
0.2.Purchase Order No.1364.exe.483e700.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xdf307:$s1: UnHook 0xffd27:$s1: UnHook 0x120547:$s1: UnHook 0xdf30e:$s2: SetHook 0xffd2e:$s2: SetHook 0x12054e:$s2: SetHook 0xdf316:$s3: CallNextHook 0xffd36:$s3: CallNextHook 0x120556:$s3: CallNextHook 0xdf323:$s4: _hook 0xffd43:$s4: _hook 0x120563:$s4: _hook
0.2.Purchase Order No.1364.exe.483e700.5.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xe36e4:$x1: $%SMTPDV$ 0x104104:$x1: $%SMTPDV$ 0x124924:$x1: $%SMTPDV$ 0xe20c8:$x2: $#TheHashHere%& 0x102ae8:$x2: $#TheHashHere%& 0x123308:$x2: $#TheHashHere%& 0xe368c:$x3: %FTPDV$ 0x1040ac:$x3: %FTPDV$ 0x1248cc:$x3: %FTPDV$ 0xe2068:$x4: $%TelegramDv$ 0x102a88:$x4: $%TelegramDv$ 0x1232a8:$x4: $%TelegramDv$ 0xdf999:$x5: KeyLoggerEventArgs 0xdfd2e:$x5: KeyLoggerEventArgs 0x1003b9:$x5: KeyLoggerEventArgs 0x10074e:$x5: KeyLoggerEventArgs 0x120bd9:$x5: KeyLoggerEventArgs 0x120f6e:$x5: KeyLoggerEventArgs 0xe36b0:$m2: Clipboard Logs ID 0xe38ee:$m2: Screenshot Logs ID 0xe39fe:$m2: keystroke Logs ID
Click to see the 24 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-14T08:21:13.734002+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49681	158.101.44.242	80	TCP
2025-03-14T08:21:16.380137+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49681	158.101.44.242	80	TCP
2025-03-14T08:21:16.599032+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49681	158.101.44.242	80	TCP
2025-03-14T08:21:16.832939+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49681	158.101.44.242	80	TCP
2025-03-14T08:21:19.671493+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49690	158.101.44.242	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Purchase Order No.1364.exe

Avira: detected

Found malware configuration

Source: 00000000.00000002.856320142.0000000004699000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7922655426:AAFVRqVw9pB4VZ3uipJRDfn5kD08nswJtAk/sendMessage?chat_id=7854955274", "Token": "7922655426:AAFVRqVw9pB4VZ3uipJRDfn5kD08nswJtAk", "Chat_id": "7854955274", "Version": "5.1"}

Multi AV Scanner detection for submitted file

Source: Purchase Order No.1364.exe	Virustotal: Detection: 49%			Perma Link
Source: Purchase Order No.1364.exe	ReversingLabs: Detection: 50%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 0.2.Purchase Order No.1364.exe.483e700.5.raw.unpack	String decryptor:
Source: 0.2.Purchase Order No.1364.exe.483e700.5.raw.unpack	String decryptor: 7922655426:AAFVRqVw9pB4VZ3uipJRDfn5kD08nswJtAk
Source: 0.2.Purchase Order No.1364.exe.483e700.5.raw.unpack	String decryptor: 7854955274
Source: 0.2.Purchase Order No.1364.exe.483e700.5.raw.unpack	String decryptor:
Source: 0.2.Purchase Order No.1364.exe.483e700.5.raw.unpack	String decryptor: 7922655426:AAFVRqVw9pB4VZ3uipJRDfn5kD08nswJtAk
Source: 0.2.Purchase Order No.1364.exe.483e700.5.raw.unpack	String decryptor: 7854955274
Source: 0.2.Purchase Order No.1364.exe.483e700.5.raw.unpack	String decryptor:
Source: 0.2.Purchase Order No.1364.exe.483e700.5.raw.unpack	String decryptor: 7922655426:AAFVRqVw9pB4VZ3uipJRDfn5kD08nswJtAk
Source: 0.2.Purchase Order No.1364.exe.483e700.5.raw.unpack	String decryptor: 7854955274

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Purchase Order No.1364.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Purchase Order No.1364.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 4x nop then jmp 012FFE21h	2_2_012FFB60
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 4x nop then jmp 012FF12Dh	2_2_012FEF42
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 4x nop then jmp 012FFAB7h	2_2_012FEF42
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_012FE460
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_012FEA93
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_012FEC73
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 4x nop then jmp 068084E5h	2_2_068081A8
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 4x nop then jmp 06806169h	2_2_06805EC0
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 4x nop then jmp 068058B9h	2_2_06805610
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	2_2_06802F48
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	2_2_06802F58
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 4x nop then jmp 06806A19h	2_2_06806770
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 4x nop then jmp 06800741h	2_2_06800498
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 4x nop then jmp 06807749h	2_2_068074A0
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 4x nop then jmp 06804FE1h	2_2_06804D38
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 4x nop then jmp 06807FF9h	2_2_06807D50
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 4x nop then jmp 06805D11h	2_2_06805A68
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	2_2_0680326E
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 4x nop then jmp 06806E9Ah	2_2_06806BF0
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 4x nop then jmp 068065C1h	2_2_06806318
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 4x nop then jmp 06800B99h	2_2_068008F0
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 4x nop then jmp 06807BA1h	2_2_068078F8
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 4x nop then jmp 068002E9h	2_2_06800040
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 4x nop then jmp 068072F1h	2_2_06807048
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 4x nop then jmp 06805461h	2_2_068051B8

Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49690 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49681 -> 158.101.44.242:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: Purchase Order No.1364.exe, 00000002.00000002.3320826906.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, Purchase Order No.1364.exe, 00000002.00000002.3320826906.0000000002D27000.00000004.00000800.00020000.00000000.sdmp, Purchase Order No.1364.exe, 00000002.00000002.3320826906.0000000002D98000.00000004.00000800.00020000.00000000.sdmp, Purchase Order No.1364.exe, 00000002.00000002.3320826906.0000000002D06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: Purchase Order No.1364.exe, 00000002.00000002.3320826906.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, Purchase Order No.1364.exe, 00000002.00000002.3320826906.0000000002D27000.00000004.00000800.00020000.00000000.sdmp, Purchase Order No.1364.exe, 00000002.00000002.3320826906.0000000002CF9000.00000004.00000800.00020000.00000000.sdmp, Purchase Order No.1364.exe, 00000002.00000002.3320826906.0000000002D98000.00000004.00000800.00020000.00000000.sdmp, Purchase Order No.1364.exe, 00000002.00000002.3320826906.0000000002D06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Purchase Order No.1364.exe, 00000002.00000002.3320826906.0000000002C41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Purchase Order No.1364.exe, 00000000.00000002.856320142.0000000004699000.00000004.00000800.00020000.00000000.sdmp, Purchase Order No.1364.exe, 00000002.00000002.3318503770.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: Purchase Order No.1364.exe, 00000002.00000002.3320826906.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, Purchase Order No.1364.exe, 00000002.00000002.3320826906.0000000002D27000.00000004.00000800.00020000.00000000.sdmp, Purchase Order No.1364.exe, 00000002.00000002.3320826906.0000000002D98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: Purchase Order No.1364.exe, 00000002.00000002.3320826906.0000000002C41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Purchase Order No.1364.exe, 00000002.00000002.3320826906.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, Purchase Order No.1364.exe, 00000002.00000002.3320826906.0000000002D27000.00000004.00000800.00020000.00000000.sdmp, Purchase Order No.1364.exe, 00000002.00000002.3320826906.0000000002D98000.00000004.00000800.00020000.00000000.sdmp, Purchase Order No.1364.exe, 00000002.00000002.3320826906.0000000002D06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Purchase Order No.1364.exe, 00000000.00000002.856320142.0000000004699000.00000004.00000800.00020000.00000000.sdmp, Purchase Order No.1364.exe, 00000002.00000002.3318503770.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Purchase Order No.1364.exe, 00000002.00000002.3320826906.0000000002D06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Purchase Order No.1364.exe, 00000002.00000002.3320826906.0000000002D06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: Purchase Order No.1364.exe, 00000002.00000002.3320826906.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, Purchase Order No.1364.exe, 00000002.00000002.3320826906.0000000002D27000.00000004.00000800.00020000.00000000.sdmp, Purchase Order No.1364.exe, 00000002.00000002.3320826906.0000000002D98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49688
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49684
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49682
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49684 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49688 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49682 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown	Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown	Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49689 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49687 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Purchase Order No.1364.exe.4908340.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Purchase Order No.1364.exe.4908340.7.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Purchase Order No.1364.exe.4908340.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Purchase Order No.1364.exe.4908340.7.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.Purchase Order No.1364.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.Purchase Order No.1364.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.Purchase Order No.1364.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.Purchase Order No.1364.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Purchase Order No.1364.exe.4908340.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Purchase Order No.1364.exe.4908340.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Purchase Order No.1364.exe.4908340.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Purchase Order No.1364.exe.4908340.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Purchase Order No.1364.exe.48a3520.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Purchase Order No.1364.exe.48a3520.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Purchase Order No.1364.exe.48a3520.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Purchase Order No.1364.exe.48a3520.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Purchase Order No.1364.exe.483e700.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Purchase Order No.1364.exe.483e700.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Purchase Order No.1364.exe.483e700.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000002.00000002.3318503770.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.3318503770.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.856320142.0000000004699000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.856320142.0000000004699000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Purchase Order No.1364.exe PID: 6352, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Purchase Order No.1364.exe PID: 6352, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Purchase Order No.1364.exe PID: 6456, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Purchase Order No.1364.exe PID: 6456, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Purchase Order No.1364.exe

Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 0_2_011026B0	0_2_011026B0
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 0_2_01100872	0_2_01100872
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 0_2_01101438	0_2_01101438
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 0_2_01101C99	0_2_01101C99
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 0_2_011020F9	0_2_011020F9
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 0_2_011013AB	0_2_011013AB
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 0_2_011052E8	0_2_011052E8
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 0_2_01103490	0_2_01103490
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 0_2_011056D8	0_2_011056D8
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 0_2_011056E8	0_2_011056E8
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 0_2_01105858	0_2_01105858
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 0_2_01105849	0_2_01105849
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 0_2_01105AB8	0_2_01105AB8
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 0_2_01105AA8	0_2_01105AA8
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 0_2_02E58714	0_2_02E58714
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 0_2_02E59BF1	0_2_02E59BF1
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 0_2_02E57C48	0_2_02E57C48
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 0_2_02E57C58	0_2_02E57C58
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 0_2_02E55D0C	0_2_02E55D0C
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 0_2_096E39B8	0_2_096E39B8
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 0_2_096E45A0	0_2_096E45A0
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 0_2_096E04C8	0_2_096E04C8
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_012F6108	2_2_012F6108
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_012FC006	2_2_012FC006
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_012FC2E0	2_2_012FC2E0
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_012FC5C0	2_2_012FC5C0
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_012F9858	2_2_012F9858
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_012FC8A0	2_2_012FC8A0
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_012F6880	2_2_012F6880
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_012FFB60	2_2_012FFB60
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_012FCB82	2_2_012FCB82
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_012FBA40	2_2_012FBA40
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_012F4AD9	2_2_012F4AD9
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_012FBD26	2_2_012FBD26
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_012FEF42	2_2_012FEF42
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_012F3572	2_2_012F3572
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_012FE460	2_2_012FE460
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_012FE451	2_2_012FE451
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_06809FA8	2_2_06809FA8
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_068087F1	2_2_068087F1
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_0680BF28	2_2_0680BF28
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_0680AC40	2_2_0680AC40
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_0680A5F8	2_2_0680A5F8
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_06800D48	2_2_06800D48
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_0680C578	2_2_0680C578
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_0680B288	2_2_0680B288
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_0680D210	2_2_0680D210
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_0680CBC8	2_2_0680CBC8
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_0680B8D8	2_2_0680B8D8
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_068081A8	2_2_068081A8
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_06805EB0	2_2_06805EB0
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_06805EC0	2_2_06805EC0
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_06805600	2_2_06805600
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_06805610	2_2_06805610
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_06809F98	2_2_06809F98
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_06803FD0	2_2_06803FD0
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_0680BF18	2_2_0680BF18
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_06802F48	2_2_06802F48
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_06802F58	2_2_06802F58
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_06806761	2_2_06806761
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_06806770	2_2_06806770
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_06800488	2_2_06800488
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_06807490	2_2_06807490
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_06800498	2_2_06800498
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_068074A0	2_2_068074A0
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_0680AC30	2_2_0680AC30
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_0680A5E8	2_2_0680A5E8
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_06804D2B	2_2_06804D2B
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_06804D38	2_2_06804D38
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_06807D40	2_2_06807D40
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_06807D50	2_2_06807D50
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_0680C568	2_2_0680C568
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_068032C0	2_2_068032C0
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_068032D0	2_2_068032D0
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_0680D200	2_2_0680D200
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_06805A58	2_2_06805A58
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_06805A68	2_2_06805A68
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_0680B277	2_2_0680B277
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_068023A7	2_2_068023A7
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_068023B8	2_2_068023B8
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_0680CBB8	2_2_0680CBB8
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_06806BEB	2_2_06806BEB
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_06806BF0	2_2_06806BF0
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_0680630B	2_2_0680630B
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_06806318	2_2_06806318
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_0680B8C9	2_2_0680B8C9
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_0680B8CF	2_2_0680B8CF
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_068008E1	2_2_068008E1
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_068078E8	2_2_068078E8
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_068008F0	2_2_068008F0
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_068078F8	2_2_068078F8
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_06800007	2_2_06800007
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_06807037	2_2_06807037
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_06800040	2_2_06800040
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_06807048	2_2_06807048
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_06808198	2_2_06808198
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_068051A9	2_2_068051A9
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 2_2_068051B8	2_2_068051B8

Source: Purchase Order No.1364.exe, 00000000.00000002.854150348.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs Purchase Order No.1364.exe
Source: Purchase Order No.1364.exe, 00000000.00000002.854150348.0000000003289000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs Purchase Order No.1364.exe
Source: Purchase Order No.1364.exe, 00000000.00000002.859055213.0000000009660000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Purchase Order No.1364.exe
Source: Purchase Order No.1364.exe, 00000000.00000002.859428539.000000000AB7C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamempclient.dllj% vs Purchase Order No.1364.exe
Source: Purchase Order No.1364.exe, 00000000.00000002.854150348.0000000002E91000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs Purchase Order No.1364.exe
Source: Purchase Order No.1364.exe, 00000000.00000002.854150348.00000000030BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs Purchase Order No.1364.exe
Source: Purchase Order No.1364.exe, 00000000.00000002.856320142.0000000004699000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Purchase Order No.1364.exe
Source: Purchase Order No.1364.exe, 00000000.00000002.856320142.0000000004699000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Purchase Order No.1364.exe
Source: Purchase Order No.1364.exe, 00000000.00000000.842578580.0000000000A5A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamekZdV.exe8 vs Purchase Order No.1364.exe
Source: Purchase Order No.1364.exe, 00000000.00000002.858764582.0000000007D30000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs Purchase Order No.1364.exe
Source: Purchase Order No.1364.exe, 00000000.00000002.854150348.00000000030AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Purchase Order No.1364.exe
Source: Purchase Order No.1364.exe, 00000000.00000002.853390137.000000000112E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Purchase Order No.1364.exe
Source: Purchase Order No.1364.exe, 00000002.00000002.3318503770.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Purchase Order No.1364.exe
Source: Purchase Order No.1364.exe, 00000002.00000002.3318759775.0000000000CF7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Purchase Order No.1364.exe
Source: Purchase Order No.1364.exe	Binary or memory string: OriginalFilenamekZdV.exe8 vs Purchase Order No.1364.exe

Source: Purchase Order No.1364.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.Purchase Order No.1364.exe.4908340.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Purchase Order No.1364.exe.4908340.7.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Purchase Order No.1364.exe.4908340.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Purchase Order No.1364.exe.4908340.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.Purchase Order No.1364.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.Purchase Order No.1364.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Purchase Order No.1364.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.Purchase Order No.1364.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Purchase Order No.1364.exe.4908340.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Purchase Order No.1364.exe.4908340.7.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Purchase Order No.1364.exe.4908340.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Purchase Order No.1364.exe.4908340.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Purchase Order No.1364.exe.48a3520.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Purchase Order No.1364.exe.48a3520.6.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Purchase Order No.1364.exe.48a3520.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Purchase Order No.1364.exe.48a3520.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Purchase Order No.1364.exe.483e700.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Purchase Order No.1364.exe.483e700.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Purchase Order No.1364.exe.483e700.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000002.00000002.3318503770.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.3318503770.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.856320142.0000000004699000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.856320142.0000000004699000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Purchase Order No.1364.exe PID: 6352, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Purchase Order No.1364.exe PID: 6352, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Purchase Order No.1364.exe PID: 6456, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Purchase Order No.1364.exe PID: 6456, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: Purchase Order No.1364.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Purchase Order No.1364.exe.4908340.7.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order No.1364.exe.4908340.7.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order No.1364.exe.4908340.7.raw.unpack, z2.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order No.1364.exe.4908340.7.raw.unpack, z2.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.Purchase Order No.1364.exe.4908340.7.raw.unpack, ---.cs

Base64 encoded string: 'JzeJw/b9xm+6S2XbSxm04VLxDXW0s8jprFo3QVj1S6zHgpFf8L4EKsa9LKLu5QP6'

Source: 0.2.Purchase Order No.1364.exe.483e700.5.raw.unpack, kSbR3MbnvLHU7pf16o.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Purchase Order No.1364.exe.483e700.5.raw.unpack, kSbR3MbnvLHU7pf16o.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Purchase Order No.1364.exe.483e700.5.raw.unpack, kSbR3MbnvLHU7pf16o.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.Purchase Order No.1364.exe.9660000.9.raw.unpack, kSbR3MbnvLHU7pf16o.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Purchase Order No.1364.exe.9660000.9.raw.unpack, kSbR3MbnvLHU7pf16o.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Purchase Order No.1364.exe.9660000.9.raw.unpack, kSbR3MbnvLHU7pf16o.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.Purchase Order No.1364.exe.48a3520.6.raw.unpack, Kyed7DoqqvNolcj07i.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Purchase Order No.1364.exe.48a3520.6.raw.unpack, Kyed7DoqqvNolcj07i.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Purchase Order No.1364.exe.483e700.5.raw.unpack, Kyed7DoqqvNolcj07i.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Purchase Order No.1364.exe.483e700.5.raw.unpack, Kyed7DoqqvNolcj07i.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Purchase Order No.1364.exe.9660000.9.raw.unpack, Kyed7DoqqvNolcj07i.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Purchase Order No.1364.exe.9660000.9.raw.unpack, Kyed7DoqqvNolcj07i.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Purchase Order No.1364.exe.48a3520.6.raw.unpack, kSbR3MbnvLHU7pf16o.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Purchase Order No.1364.exe.48a3520.6.raw.unpack, kSbR3MbnvLHU7pf16o.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Purchase Order No.1364.exe.48a3520.6.raw.unpack, kSbR3MbnvLHU7pf16o.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/1@2/2

Source: C:\Users\user\Desktop\Purchase Order No.1364.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase Order No.1364.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order No.1364.exe

Mutant created: NULL

Source: Purchase Order No.1364.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Purchase Order No.1364.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Purchase Order No.1364.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Purchase Order No.1364.exe, 00000002.00000002.3321982479.0000000003CCD000.00000004.00000800.00020000.00000000.sdmp, Purchase Order No.1364.exe, 00000002.00000002.3320826906.0000000002E63000.00000004.00000800.00020000.00000000.sdmp, Purchase Order No.1364.exe, 00000002.00000002.3320826906.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, Purchase Order No.1364.exe, 00000002.00000002.3320826906.0000000002E20000.00000004.00000800.00020000.00000000.sdmp, Purchase Order No.1364.exe, 00000002.00000002.3320826906.0000000002E10000.00000004.00000800.00020000.00000000.sdmp, Purchase Order No.1364.exe, 00000002.00000002.3320826906.0000000002E2F000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Purchase Order No.1364.exe	Virustotal: Detection: 49%
Source: Purchase Order No.1364.exe	ReversingLabs: Detection: 50%

Source: unknown	Process created: C:\Users\user\Desktop\Purchase Order No.1364.exe "C:\Users\user\Desktop\Purchase Order No.1364.exe"
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process created: C:\Users\user\Desktop\Purchase Order No.1364.exe "C:\Users\user\Desktop\Purchase Order No.1364.exe"
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process created: C:\Users\user\Desktop\Purchase Order No.1364.exe "C:\Users\user\Desktop\Purchase Order No.1364.exe"
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process created: C:\Users\user\Desktop\Purchase Order No.1364.exe "C:\Users\user\Desktop\Purchase Order No.1364.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process created: C:\Users\user\Desktop\Purchase Order No.1364.exe "C:\Users\user\Desktop\Purchase Order No.1364.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order No.1364.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order No.1364.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order No.1364.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Purchase Order No.1364.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Purchase Order No.1364.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.Purchase Order No.1364.exe.483e700.5.raw.unpack, kSbR3MbnvLHU7pf16o.cs	.Net Code: asx9Y78YfE System.Reflection.Assembly.Load(byte[])
Source: 0.2.Purchase Order No.1364.exe.9660000.9.raw.unpack, kSbR3MbnvLHU7pf16o.cs	.Net Code: asx9Y78YfE System.Reflection.Assembly.Load(byte[])
Source: 0.2.Purchase Order No.1364.exe.48a3520.6.raw.unpack, kSbR3MbnvLHU7pf16o.cs	.Net Code: asx9Y78YfE System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 0_2_02E5E812 push dword ptr [ebx]; retn 4589h		0_2_02E5E823
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Code function: 0_2_02E50B98 pushad ; iretd		0_2_02E50B99

Source: Purchase Order No.1364.exe

Static PE information: section name: .text entropy: 7.748402459366208

Source: 0.2.Purchase Order No.1364.exe.483e700.5.raw.unpack, kSbR3MbnvLHU7pf16o.cs	High entropy of concatenated method names: 'YIc1EItqGg', 'MAo1FayDW9', 'EUR1iPi2Wy', 'g491VGAQkL', 'cFi1TGJJql', 'b9R1A2vqw7', 'v1R1Rlvc4J', 'TUK1bxYu1D', 'W561HGCCv2', 'KZN1xXjD9t'
Source: 0.2.Purchase Order No.1364.exe.483e700.5.raw.unpack, IhUEsmuNkAFV6vR6VR.cs	High entropy of concatenated method names: 'qixro8hNjA', 'Iprr5P6Wm8', 'rDRrWkEBZh', 'orFr2Tyyu0', 'dqprBLwcr2', 'Bg6r0H9xyg', 'kopr6QkTyJ', 'sFRrINXLqJ', 'ParrnUR0wU', 'PHUrQgZjfS'
Source: 0.2.Purchase Order No.1364.exe.483e700.5.raw.unpack, NInpWRfg5M8vTsUypBC.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bGy4QQ0IvT', 'Qef4pLbW6b', 'MTk4ujRy5E', 'S554trNJFb', 'fTY4UrOZv1', 'TxD4LPYaqX', 'gsC43f49uG'
Source: 0.2.Purchase Order No.1364.exe.483e700.5.raw.unpack, xCbD6bygqhgNo5k5xR.cs	High entropy of concatenated method names: 'b5aYiIjfh', 'pH3Zkx1ak', 'K1nv53rEo', 'cUdsYVWVl', 'qpU5JRdvC', 'Gj175mj8P', 'XR2BHcuGlRZQjHWX89', 'yAxyLyNCgZ9sVSF1mP', 'GMygtB37m1bqX52G1m', 'Nr7DHABfc'
Source: 0.2.Purchase Order No.1364.exe.483e700.5.raw.unpack, hPWrTo3ULRNFvf9MFt.cs	High entropy of concatenated method names: 'vfNmxOvEFP', 'hQYmdJuicb', 'ToString', 'mOumFIr0Co', 'CgwmiJdkta', 'FY5mVfP8if', 'DIGmTKOiLq', 'HynmAr4ZHq', 'Ev9mR0n6LS', 'aIhmbTb1XN'
Source: 0.2.Purchase Order No.1364.exe.483e700.5.raw.unpack, k3vSlof98ZLU2JNif8h.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'C4ZSK1joGe', 'm3sS4KHZNn', 'BZKScoOAXS', 'X5PSSh3GiT', 'GpUS8F9E2O', 'rI0SeMFcZb', 'kOrSlaWqXs'
Source: 0.2.Purchase Order No.1364.exe.483e700.5.raw.unpack, TkKxTK6AQwDkwwAmTY.cs	High entropy of concatenated method names: 'yC3RFEoG98', 'XwiRVCmo9r', 'JuyRAiXCCE', 'xCZAOrRbl2', 'Oq3AzcuYQX', 'ooTRg8nEg7', 'X1TRf9FlME', 'rv0Ry8SYNc', 'vbwR1uhgQA', 'AnKR9neLGT'
Source: 0.2.Purchase Order No.1364.exe.483e700.5.raw.unpack, HMFUYfOrH1G83SjoRN.cs	High entropy of concatenated method names: 'TcM4VECtDC', 'RHh4Tlk6P2', 'wgw4Ao5j30', 'hPf4Rvosrx', 'e2d4KNYyZv', 'WVF4b9FJ5m', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Purchase Order No.1364.exe.483e700.5.raw.unpack, Kyed7DoqqvNolcj07i.cs	High entropy of concatenated method names: 'CUxit8rpgi', 'huNiUqAeSL', 'asBiLtiyGd', 'vcGi35QFSS', 'nJxiJ27OiJ', 'HfJiGTwMie', 'yuUihnhtM5', 'AKSiaoV6IV', 'NyyiPJFhsk', 'nh2iORbcQZ'
Source: 0.2.Purchase Order No.1364.exe.483e700.5.raw.unpack, jEjEDHttksL23FmDP3.cs	High entropy of concatenated method names: 'EaEqnrJn6j', 'BrVqp1g5Od', 'aa4qtbVybo', 'wThqU3L0KH', 'RV4q2YEYT1', 'XQuqMDgU0D', 'UCFqBhQbxU', 'VWqq0sBsMe', 'vAyqXDPtNr', 'GUyq68kaCw'
Source: 0.2.Purchase Order No.1364.exe.483e700.5.raw.unpack, xSmolt9AJ1W0N2Cn75.cs	High entropy of concatenated method names: 'q16fRyed7D', 'oqvfbNolcj', 'NX2fxPSI0g', 'yMFfdkLKG5', 'IAlfqRwDep', 'TX8fkT01v2', 'JqKSVwJOFxAWqHnYTe', 'ESMeqj7gdLW3ZaU0fm', 'iYuffDPNXM', 'hj7f1IgvFv'
Source: 0.2.Purchase Order No.1364.exe.483e700.5.raw.unpack, E3fkXdffvN1acllX84W.cs	High entropy of concatenated method names: 'TPO4OYUkRa', 'OsM4zErasL', 'Hy3cg3wyRl', 'Retcfa1ZRF', 'qsFcyhltJY', 'D4ic1FEDGq', 'J6Pc94qwGH', 'EaYcEQLspU', 'lqFcFYDGjS', 'EWMci14r1V'
Source: 0.2.Purchase Order No.1364.exe.483e700.5.raw.unpack, rpmcEwCxWbVX4JIWiX.cs	High entropy of concatenated method names: 'cwRRNHy7hJ', 'o0iRjvIYER', 'uCZRYW0CuT', 'pH2RZcwI9p', 'mDIRwP6mD8', 'TjjRviDWj9', 'LlZRsnGG6e', 'Q2MRoJARvX', 'RjRR5Om8Pp', 'R8uR71YxYe'
Source: 0.2.Purchase Order No.1364.exe.483e700.5.raw.unpack, W4tI5Tz0HXTMYRA1Q9.cs	High entropy of concatenated method names: 'Qvy4vYgA9G', 'CxA4oyNRVQ', 'D0l45vkGtk', 'ubm4Wklqqq', 'FB942Xdb2O', 'rZU4B5QGo5', 'V0U40oVDYw', 'jth4lRntkc', 'raP4Na5Pgx', 'Jvw4jRyhVO'
Source: 0.2.Purchase Order No.1364.exe.483e700.5.raw.unpack, repLX8WT01v2xdtGLH.cs	High entropy of concatenated method names: 'UeGAEcOvZ1', 'iUSAiyVFLO', 'Mg6ATEjl6d', 'm1IARkYI4b', 'K9nAb5Zvr7', 'KQKTJ3lUm2', 'GY5TG9eYUU', 'wNKThWjI7o', 'xxXTacB0wQ', 'v3rTPHVUUQ'
Source: 0.2.Purchase Order No.1364.exe.483e700.5.raw.unpack, bvZV2YPEGgRO425Eqc.cs	High entropy of concatenated method names: 'fM2KWo95OD', 'VvmK2JwdpP', 'KlDKM4iIb6', 'PgLKBwbPqJ', 'sUjK0I5Evr', 'yUHKXLGZwN', 'ar3K67mNOU', 'lmbKI5jY5O', 'Et8KCbYEx6', 'DVoKnaGaEk'
Source: 0.2.Purchase Order No.1364.exe.483e700.5.raw.unpack, YsCc9n5X2PSI0gjMFk.cs	High entropy of concatenated method names: 'xtaVZ4wIso', 'A9xVvSuSVw', 'uXUVoYJ6gT', 'zN3V52solO', 'pVTVqW6Ugk', 'TkAVkBqi1E', 'owgVm87LL7', 'bJlVDu8ej0', 'z1XVKw5dkX', 'AUSV4fHjl4'
Source: 0.2.Purchase Order No.1364.exe.483e700.5.raw.unpack, O14kL9G5MC2SIaUteQ.cs	High entropy of concatenated method names: 'BmymaMkvpx', 'qvVmOoU9Q4', 'IEMDguSFnK', 'HL7DfbkeDq', 'ScKmQWuCq1', 'mXHmpb2o1I', 'u1WmuZXOq1', 'hYemtj6vTb', 'aZumUGuSRK', 'f1jmLdbioS'
Source: 0.2.Purchase Order No.1364.exe.483e700.5.raw.unpack, TKG54h7NedSSJBAlRw.cs	High entropy of concatenated method names: 'sttTwr3ZTu', 'ObgTsoLkia', 'wakVMWUo60', 'dqHVB7rx3l', 'eoKV0ZLMUM', 'I6qVXCHaRH', 'HvZV6ZwQ4h', 'IcLVInSwDn', 'mMTVCtmoM5', 'pfCVnNAVAC'
Source: 0.2.Purchase Order No.1364.exe.483e700.5.raw.unpack, DuqytXibbovTAlIZCY.cs	High entropy of concatenated method names: 'Dispose', 'k7tfPQug5T', 'HBky2ZJJiC', 'qFMxCWBeQH', 'N66fOQmeT1', 'uDHfz8Ero8', 'ProcessDialogKey', 'uIfygvZV2Y', 'eGgyfRO425', 'eqcyy2MFUY'
Source: 0.2.Purchase Order No.1364.exe.483e700.5.raw.unpack, YaLiMlhCkb7tQug5TC.cs	High entropy of concatenated method names: 'NpXKqslXoC', 'rNhKmtTtg7', 'uqUKKRg6hH', 'FxIKcT0FVU', 'IH7K8WVRRe', 'gZIKlDwTwW', 'Dispose', 'SJjDFF3AhI', 'hdcDiw7Vr4', 'iFiDVGeJ2W'
Source: 0.2.Purchase Order No.1364.exe.9660000.9.raw.unpack, kSbR3MbnvLHU7pf16o.cs	High entropy of concatenated method names: 'YIc1EItqGg', 'MAo1FayDW9', 'EUR1iPi2Wy', 'g491VGAQkL', 'cFi1TGJJql', 'b9R1A2vqw7', 'v1R1Rlvc4J', 'TUK1bxYu1D', 'W561HGCCv2', 'KZN1xXjD9t'
Source: 0.2.Purchase Order No.1364.exe.9660000.9.raw.unpack, IhUEsmuNkAFV6vR6VR.cs	High entropy of concatenated method names: 'qixro8hNjA', 'Iprr5P6Wm8', 'rDRrWkEBZh', 'orFr2Tyyu0', 'dqprBLwcr2', 'Bg6r0H9xyg', 'kopr6QkTyJ', 'sFRrINXLqJ', 'ParrnUR0wU', 'PHUrQgZjfS'
Source: 0.2.Purchase Order No.1364.exe.9660000.9.raw.unpack, NInpWRfg5M8vTsUypBC.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bGy4QQ0IvT', 'Qef4pLbW6b', 'MTk4ujRy5E', 'S554trNJFb', 'fTY4UrOZv1', 'TxD4LPYaqX', 'gsC43f49uG'
Source: 0.2.Purchase Order No.1364.exe.9660000.9.raw.unpack, xCbD6bygqhgNo5k5xR.cs	High entropy of concatenated method names: 'b5aYiIjfh', 'pH3Zkx1ak', 'K1nv53rEo', 'cUdsYVWVl', 'qpU5JRdvC', 'Gj175mj8P', 'XR2BHcuGlRZQjHWX89', 'yAxyLyNCgZ9sVSF1mP', 'GMygtB37m1bqX52G1m', 'Nr7DHABfc'
Source: 0.2.Purchase Order No.1364.exe.9660000.9.raw.unpack, hPWrTo3ULRNFvf9MFt.cs	High entropy of concatenated method names: 'vfNmxOvEFP', 'hQYmdJuicb', 'ToString', 'mOumFIr0Co', 'CgwmiJdkta', 'FY5mVfP8if', 'DIGmTKOiLq', 'HynmAr4ZHq', 'Ev9mR0n6LS', 'aIhmbTb1XN'
Source: 0.2.Purchase Order No.1364.exe.9660000.9.raw.unpack, k3vSlof98ZLU2JNif8h.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'C4ZSK1joGe', 'm3sS4KHZNn', 'BZKScoOAXS', 'X5PSSh3GiT', 'GpUS8F9E2O', 'rI0SeMFcZb', 'kOrSlaWqXs'
Source: 0.2.Purchase Order No.1364.exe.9660000.9.raw.unpack, TkKxTK6AQwDkwwAmTY.cs	High entropy of concatenated method names: 'yC3RFEoG98', 'XwiRVCmo9r', 'JuyRAiXCCE', 'xCZAOrRbl2', 'Oq3AzcuYQX', 'ooTRg8nEg7', 'X1TRf9FlME', 'rv0Ry8SYNc', 'vbwR1uhgQA', 'AnKR9neLGT'
Source: 0.2.Purchase Order No.1364.exe.9660000.9.raw.unpack, HMFUYfOrH1G83SjoRN.cs	High entropy of concatenated method names: 'TcM4VECtDC', 'RHh4Tlk6P2', 'wgw4Ao5j30', 'hPf4Rvosrx', 'e2d4KNYyZv', 'WVF4b9FJ5m', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Purchase Order No.1364.exe.9660000.9.raw.unpack, Kyed7DoqqvNolcj07i.cs	High entropy of concatenated method names: 'CUxit8rpgi', 'huNiUqAeSL', 'asBiLtiyGd', 'vcGi35QFSS', 'nJxiJ27OiJ', 'HfJiGTwMie', 'yuUihnhtM5', 'AKSiaoV6IV', 'NyyiPJFhsk', 'nh2iORbcQZ'
Source: 0.2.Purchase Order No.1364.exe.9660000.9.raw.unpack, jEjEDHttksL23FmDP3.cs	High entropy of concatenated method names: 'EaEqnrJn6j', 'BrVqp1g5Od', 'aa4qtbVybo', 'wThqU3L0KH', 'RV4q2YEYT1', 'XQuqMDgU0D', 'UCFqBhQbxU', 'VWqq0sBsMe', 'vAyqXDPtNr', 'GUyq68kaCw'
Source: 0.2.Purchase Order No.1364.exe.9660000.9.raw.unpack, xSmolt9AJ1W0N2Cn75.cs	High entropy of concatenated method names: 'q16fRyed7D', 'oqvfbNolcj', 'NX2fxPSI0g', 'yMFfdkLKG5', 'IAlfqRwDep', 'TX8fkT01v2', 'JqKSVwJOFxAWqHnYTe', 'ESMeqj7gdLW3ZaU0fm', 'iYuffDPNXM', 'hj7f1IgvFv'
Source: 0.2.Purchase Order No.1364.exe.9660000.9.raw.unpack, E3fkXdffvN1acllX84W.cs	High entropy of concatenated method names: 'TPO4OYUkRa', 'OsM4zErasL', 'Hy3cg3wyRl', 'Retcfa1ZRF', 'qsFcyhltJY', 'D4ic1FEDGq', 'J6Pc94qwGH', 'EaYcEQLspU', 'lqFcFYDGjS', 'EWMci14r1V'
Source: 0.2.Purchase Order No.1364.exe.9660000.9.raw.unpack, rpmcEwCxWbVX4JIWiX.cs	High entropy of concatenated method names: 'cwRRNHy7hJ', 'o0iRjvIYER', 'uCZRYW0CuT', 'pH2RZcwI9p', 'mDIRwP6mD8', 'TjjRviDWj9', 'LlZRsnGG6e', 'Q2MRoJARvX', 'RjRR5Om8Pp', 'R8uR71YxYe'
Source: 0.2.Purchase Order No.1364.exe.9660000.9.raw.unpack, W4tI5Tz0HXTMYRA1Q9.cs	High entropy of concatenated method names: 'Qvy4vYgA9G', 'CxA4oyNRVQ', 'D0l45vkGtk', 'ubm4Wklqqq', 'FB942Xdb2O', 'rZU4B5QGo5', 'V0U40oVDYw', 'jth4lRntkc', 'raP4Na5Pgx', 'Jvw4jRyhVO'
Source: 0.2.Purchase Order No.1364.exe.9660000.9.raw.unpack, repLX8WT01v2xdtGLH.cs	High entropy of concatenated method names: 'UeGAEcOvZ1', 'iUSAiyVFLO', 'Mg6ATEjl6d', 'm1IARkYI4b', 'K9nAb5Zvr7', 'KQKTJ3lUm2', 'GY5TG9eYUU', 'wNKThWjI7o', 'xxXTacB0wQ', 'v3rTPHVUUQ'
Source: 0.2.Purchase Order No.1364.exe.9660000.9.raw.unpack, bvZV2YPEGgRO425Eqc.cs	High entropy of concatenated method names: 'fM2KWo95OD', 'VvmK2JwdpP', 'KlDKM4iIb6', 'PgLKBwbPqJ', 'sUjK0I5Evr', 'yUHKXLGZwN', 'ar3K67mNOU', 'lmbKI5jY5O', 'Et8KCbYEx6', 'DVoKnaGaEk'
Source: 0.2.Purchase Order No.1364.exe.9660000.9.raw.unpack, YsCc9n5X2PSI0gjMFk.cs	High entropy of concatenated method names: 'xtaVZ4wIso', 'A9xVvSuSVw', 'uXUVoYJ6gT', 'zN3V52solO', 'pVTVqW6Ugk', 'TkAVkBqi1E', 'owgVm87LL7', 'bJlVDu8ej0', 'z1XVKw5dkX', 'AUSV4fHjl4'
Source: 0.2.Purchase Order No.1364.exe.9660000.9.raw.unpack, O14kL9G5MC2SIaUteQ.cs	High entropy of concatenated method names: 'BmymaMkvpx', 'qvVmOoU9Q4', 'IEMDguSFnK', 'HL7DfbkeDq', 'ScKmQWuCq1', 'mXHmpb2o1I', 'u1WmuZXOq1', 'hYemtj6vTb', 'aZumUGuSRK', 'f1jmLdbioS'
Source: 0.2.Purchase Order No.1364.exe.9660000.9.raw.unpack, TKG54h7NedSSJBAlRw.cs	High entropy of concatenated method names: 'sttTwr3ZTu', 'ObgTsoLkia', 'wakVMWUo60', 'dqHVB7rx3l', 'eoKV0ZLMUM', 'I6qVXCHaRH', 'HvZV6ZwQ4h', 'IcLVInSwDn', 'mMTVCtmoM5', 'pfCVnNAVAC'
Source: 0.2.Purchase Order No.1364.exe.9660000.9.raw.unpack, DuqytXibbovTAlIZCY.cs	High entropy of concatenated method names: 'Dispose', 'k7tfPQug5T', 'HBky2ZJJiC', 'qFMxCWBeQH', 'N66fOQmeT1', 'uDHfz8Ero8', 'ProcessDialogKey', 'uIfygvZV2Y', 'eGgyfRO425', 'eqcyy2MFUY'
Source: 0.2.Purchase Order No.1364.exe.9660000.9.raw.unpack, YaLiMlhCkb7tQug5TC.cs	High entropy of concatenated method names: 'NpXKqslXoC', 'rNhKmtTtg7', 'uqUKKRg6hH', 'FxIKcT0FVU', 'IH7K8WVRRe', 'gZIKlDwTwW', 'Dispose', 'SJjDFF3AhI', 'hdcDiw7Vr4', 'iFiDVGeJ2W'
Source: 0.2.Purchase Order No.1364.exe.48a3520.6.raw.unpack, kSbR3MbnvLHU7pf16o.cs	High entropy of concatenated method names: 'YIc1EItqGg', 'MAo1FayDW9', 'EUR1iPi2Wy', 'g491VGAQkL', 'cFi1TGJJql', 'b9R1A2vqw7', 'v1R1Rlvc4J', 'TUK1bxYu1D', 'W561HGCCv2', 'KZN1xXjD9t'
Source: 0.2.Purchase Order No.1364.exe.48a3520.6.raw.unpack, IhUEsmuNkAFV6vR6VR.cs	High entropy of concatenated method names: 'qixro8hNjA', 'Iprr5P6Wm8', 'rDRrWkEBZh', 'orFr2Tyyu0', 'dqprBLwcr2', 'Bg6r0H9xyg', 'kopr6QkTyJ', 'sFRrINXLqJ', 'ParrnUR0wU', 'PHUrQgZjfS'
Source: 0.2.Purchase Order No.1364.exe.48a3520.6.raw.unpack, NInpWRfg5M8vTsUypBC.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bGy4QQ0IvT', 'Qef4pLbW6b', 'MTk4ujRy5E', 'S554trNJFb', 'fTY4UrOZv1', 'TxD4LPYaqX', 'gsC43f49uG'
Source: 0.2.Purchase Order No.1364.exe.48a3520.6.raw.unpack, xCbD6bygqhgNo5k5xR.cs	High entropy of concatenated method names: 'b5aYiIjfh', 'pH3Zkx1ak', 'K1nv53rEo', 'cUdsYVWVl', 'qpU5JRdvC', 'Gj175mj8P', 'XR2BHcuGlRZQjHWX89', 'yAxyLyNCgZ9sVSF1mP', 'GMygtB37m1bqX52G1m', 'Nr7DHABfc'
Source: 0.2.Purchase Order No.1364.exe.48a3520.6.raw.unpack, hPWrTo3ULRNFvf9MFt.cs	High entropy of concatenated method names: 'vfNmxOvEFP', 'hQYmdJuicb', 'ToString', 'mOumFIr0Co', 'CgwmiJdkta', 'FY5mVfP8if', 'DIGmTKOiLq', 'HynmAr4ZHq', 'Ev9mR0n6LS', 'aIhmbTb1XN'
Source: 0.2.Purchase Order No.1364.exe.48a3520.6.raw.unpack, k3vSlof98ZLU2JNif8h.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'C4ZSK1joGe', 'm3sS4KHZNn', 'BZKScoOAXS', 'X5PSSh3GiT', 'GpUS8F9E2O', 'rI0SeMFcZb', 'kOrSlaWqXs'
Source: 0.2.Purchase Order No.1364.exe.48a3520.6.raw.unpack, TkKxTK6AQwDkwwAmTY.cs	High entropy of concatenated method names: 'yC3RFEoG98', 'XwiRVCmo9r', 'JuyRAiXCCE', 'xCZAOrRbl2', 'Oq3AzcuYQX', 'ooTRg8nEg7', 'X1TRf9FlME', 'rv0Ry8SYNc', 'vbwR1uhgQA', 'AnKR9neLGT'
Source: 0.2.Purchase Order No.1364.exe.48a3520.6.raw.unpack, HMFUYfOrH1G83SjoRN.cs	High entropy of concatenated method names: 'TcM4VECtDC', 'RHh4Tlk6P2', 'wgw4Ao5j30', 'hPf4Rvosrx', 'e2d4KNYyZv', 'WVF4b9FJ5m', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Purchase Order No.1364.exe.48a3520.6.raw.unpack, Kyed7DoqqvNolcj07i.cs	High entropy of concatenated method names: 'CUxit8rpgi', 'huNiUqAeSL', 'asBiLtiyGd', 'vcGi35QFSS', 'nJxiJ27OiJ', 'HfJiGTwMie', 'yuUihnhtM5', 'AKSiaoV6IV', 'NyyiPJFhsk', 'nh2iORbcQZ'
Source: 0.2.Purchase Order No.1364.exe.48a3520.6.raw.unpack, jEjEDHttksL23FmDP3.cs	High entropy of concatenated method names: 'EaEqnrJn6j', 'BrVqp1g5Od', 'aa4qtbVybo', 'wThqU3L0KH', 'RV4q2YEYT1', 'XQuqMDgU0D', 'UCFqBhQbxU', 'VWqq0sBsMe', 'vAyqXDPtNr', 'GUyq68kaCw'
Source: 0.2.Purchase Order No.1364.exe.48a3520.6.raw.unpack, xSmolt9AJ1W0N2Cn75.cs	High entropy of concatenated method names: 'q16fRyed7D', 'oqvfbNolcj', 'NX2fxPSI0g', 'yMFfdkLKG5', 'IAlfqRwDep', 'TX8fkT01v2', 'JqKSVwJOFxAWqHnYTe', 'ESMeqj7gdLW3ZaU0fm', 'iYuffDPNXM', 'hj7f1IgvFv'
Source: 0.2.Purchase Order No.1364.exe.48a3520.6.raw.unpack, E3fkXdffvN1acllX84W.cs	High entropy of concatenated method names: 'TPO4OYUkRa', 'OsM4zErasL', 'Hy3cg3wyRl', 'Retcfa1ZRF', 'qsFcyhltJY', 'D4ic1FEDGq', 'J6Pc94qwGH', 'EaYcEQLspU', 'lqFcFYDGjS', 'EWMci14r1V'
Source: 0.2.Purchase Order No.1364.exe.48a3520.6.raw.unpack, rpmcEwCxWbVX4JIWiX.cs	High entropy of concatenated method names: 'cwRRNHy7hJ', 'o0iRjvIYER', 'uCZRYW0CuT', 'pH2RZcwI9p', 'mDIRwP6mD8', 'TjjRviDWj9', 'LlZRsnGG6e', 'Q2MRoJARvX', 'RjRR5Om8Pp', 'R8uR71YxYe'
Source: 0.2.Purchase Order No.1364.exe.48a3520.6.raw.unpack, W4tI5Tz0HXTMYRA1Q9.cs	High entropy of concatenated method names: 'Qvy4vYgA9G', 'CxA4oyNRVQ', 'D0l45vkGtk', 'ubm4Wklqqq', 'FB942Xdb2O', 'rZU4B5QGo5', 'V0U40oVDYw', 'jth4lRntkc', 'raP4Na5Pgx', 'Jvw4jRyhVO'
Source: 0.2.Purchase Order No.1364.exe.48a3520.6.raw.unpack, repLX8WT01v2xdtGLH.cs	High entropy of concatenated method names: 'UeGAEcOvZ1', 'iUSAiyVFLO', 'Mg6ATEjl6d', 'm1IARkYI4b', 'K9nAb5Zvr7', 'KQKTJ3lUm2', 'GY5TG9eYUU', 'wNKThWjI7o', 'xxXTacB0wQ', 'v3rTPHVUUQ'
Source: 0.2.Purchase Order No.1364.exe.48a3520.6.raw.unpack, bvZV2YPEGgRO425Eqc.cs	High entropy of concatenated method names: 'fM2KWo95OD', 'VvmK2JwdpP', 'KlDKM4iIb6', 'PgLKBwbPqJ', 'sUjK0I5Evr', 'yUHKXLGZwN', 'ar3K67mNOU', 'lmbKI5jY5O', 'Et8KCbYEx6', 'DVoKnaGaEk'
Source: 0.2.Purchase Order No.1364.exe.48a3520.6.raw.unpack, YsCc9n5X2PSI0gjMFk.cs	High entropy of concatenated method names: 'xtaVZ4wIso', 'A9xVvSuSVw', 'uXUVoYJ6gT', 'zN3V52solO', 'pVTVqW6Ugk', 'TkAVkBqi1E', 'owgVm87LL7', 'bJlVDu8ej0', 'z1XVKw5dkX', 'AUSV4fHjl4'
Source: 0.2.Purchase Order No.1364.exe.48a3520.6.raw.unpack, O14kL9G5MC2SIaUteQ.cs	High entropy of concatenated method names: 'BmymaMkvpx', 'qvVmOoU9Q4', 'IEMDguSFnK', 'HL7DfbkeDq', 'ScKmQWuCq1', 'mXHmpb2o1I', 'u1WmuZXOq1', 'hYemtj6vTb', 'aZumUGuSRK', 'f1jmLdbioS'
Source: 0.2.Purchase Order No.1364.exe.48a3520.6.raw.unpack, TKG54h7NedSSJBAlRw.cs	High entropy of concatenated method names: 'sttTwr3ZTu', 'ObgTsoLkia', 'wakVMWUo60', 'dqHVB7rx3l', 'eoKV0ZLMUM', 'I6qVXCHaRH', 'HvZV6ZwQ4h', 'IcLVInSwDn', 'mMTVCtmoM5', 'pfCVnNAVAC'
Source: 0.2.Purchase Order No.1364.exe.48a3520.6.raw.unpack, DuqytXibbovTAlIZCY.cs	High entropy of concatenated method names: 'Dispose', 'k7tfPQug5T', 'HBky2ZJJiC', 'qFMxCWBeQH', 'N66fOQmeT1', 'uDHfz8Ero8', 'ProcessDialogKey', 'uIfygvZV2Y', 'eGgyfRO425', 'eqcyy2MFUY'
Source: 0.2.Purchase Order No.1364.exe.48a3520.6.raw.unpack, YaLiMlhCkb7tQug5TC.cs	High entropy of concatenated method names: 'NpXKqslXoC', 'rNhKmtTtg7', 'uqUKKRg6hH', 'FxIKcT0FVU', 'IH7K8WVRRe', 'gZIKlDwTwW', 'Dispose', 'SJjDFF3AhI', 'hdcDiw7Vr4', 'iFiDVGeJ2W'

Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Purchase Order No.1364.exe PID: 6352, type: MEMORYSTR

Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Memory allocated: 10C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Memory allocated: 2E90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Memory allocated: 2BC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Memory allocated: 5410000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Memory allocated: 6410000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Memory allocated: 6540000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Memory allocated: 7540000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Memory allocated: AF00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Memory allocated: BF00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Memory allocated: C390000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Memory allocated: D390000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Memory allocated: 12B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Memory allocated: 2C40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Memory allocated: 4C40000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 598073	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 597959	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 597798	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 597649	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 597515	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 597297	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 597177	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 596688	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 596563	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 596438	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 595487	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 594738	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 593860	Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Window / User API: threadDelayed 1519			Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Window / User API: threadDelayed 8297			Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 6368	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 6428	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5156	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5156	Thread sleep time: -29514790517935264s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5156	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5200	Thread sleep count: 1519 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5156	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5200	Thread sleep count: 8297 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5156	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5156	Thread sleep time: -599641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5156	Thread sleep time: -599531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5156	Thread sleep time: -599422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5156	Thread sleep time: -599313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5156	Thread sleep time: -599188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5156	Thread sleep time: -599063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5156	Thread sleep time: -598953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5156	Thread sleep time: -598844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5156	Thread sleep time: -598719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5156	Thread sleep time: -598610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5156	Thread sleep time: -598485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5156	Thread sleep time: -598360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5156	Thread sleep time: -598219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5156	Thread sleep time: -598073s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5156	Thread sleep time: -597959s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5156	Thread sleep time: -597798s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5156	Thread sleep time: -597649s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5156	Thread sleep time: -597515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5156	Thread sleep time: -597406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5156	Thread sleep time: -597297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5156	Thread sleep time: -597177s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5156	Thread sleep time: -597047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5156	Thread sleep time: -596938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5156	Thread sleep time: -596813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5156	Thread sleep time: -596688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5156	Thread sleep time: -596563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5156	Thread sleep time: -596438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5156	Thread sleep time: -596328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5156	Thread sleep time: -596219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5156	Thread sleep time: -596094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5156	Thread sleep time: -595985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5156	Thread sleep time: -595860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5156	Thread sleep time: -595735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5156	Thread sleep time: -595610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5156	Thread sleep time: -595487s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5156	Thread sleep time: -595360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5156	Thread sleep time: -595235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5156	Thread sleep time: -595110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5156	Thread sleep time: -594985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5156	Thread sleep time: -594860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5156	Thread sleep time: -594738s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5156	Thread sleep time: -594610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5156	Thread sleep time: -594485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5156	Thread sleep time: -594360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5156	Thread sleep time: -594235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5156	Thread sleep time: -594110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5156	Thread sleep time: -593985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe TID: 5156	Thread sleep time: -593860s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 598073	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 597959	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 597798	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 597649	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 597515	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 597297	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 597177	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 596688	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 596563	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 596438	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 595487	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 594738	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Thread delayed: delay time: 593860	Jump to behavior

Source: Purchase Order No.1364.exe, 00000002.00000002.3319723719.0000000000F96000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Purchase Order No.1364.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order No.1364.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Purchase Order No.1364.exe

Memory written: C:\Users\user\Desktop\Purchase Order No.1364.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process created: C:\Users\user\Desktop\Purchase Order No.1364.exe "C:\Users\user\Desktop\Purchase Order No.1364.exe"			Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Process created: C:\Users\user\Desktop\Purchase Order No.1364.exe "C:\Users\user\Desktop\Purchase Order No.1364.exe"			Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Queries volume information: C:\Users\user\Desktop\Purchase Order No.1364.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Queries volume information: C:\Users\user\Desktop\Purchase Order No.1364.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order No.1364.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.Purchase Order No.1364.exe.4908340.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Purchase Order No.1364.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order No.1364.exe.4908340.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order No.1364.exe.48a3520.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order No.1364.exe.483e700.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3318503770.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3320826906.0000000002D98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3320826906.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.856320142.0000000004699000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Purchase Order No.1364.exe PID: 6352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Purchase Order No.1364.exe PID: 6456, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order No.1364.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 0.2.Purchase Order No.1364.exe.4908340.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Purchase Order No.1364.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order No.1364.exe.4908340.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order No.1364.exe.48a3520.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order No.1364.exe.483e700.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3318503770.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.856320142.0000000004699000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Purchase Order No.1364.exe PID: 6352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Purchase Order No.1364.exe PID: 6456, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.Purchase Order No.1364.exe.4908340.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Purchase Order No.1364.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order No.1364.exe.4908340.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order No.1364.exe.48a3520.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order No.1364.exe.483e700.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3318503770.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3320826906.0000000002D98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3320826906.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.856320142.0000000004699000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Purchase Order No.1364.exe PID: 6352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Purchase Order No.1364.exe PID: 6456, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	1 OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Email Collection	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	31 Obfuscated Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Purchase Order No.1364.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Purchase Order No.1364.exe