Source: Yara match | File source: 00000003.00000002.589318346.0000000005310000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000002.580963895.0000000000402000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000002.583672189.0000000002A41000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000002.588220377.0000000003A89000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.231081613.0000000003929000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: Purchase Order #(PO-4147074).exe PID: 1536, type: MEMORY |
Source: Yara match | File source: Process Memory Space: Purchase Order #(PO-4147074).exe PID: 5284, type: MEMORY |
Source: Yara match | File source: 3.2.Purchase Order #(PO-4147074).exe.5310000.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.2.Purchase Order #(PO-4147074).exe.5310000.4.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.2.Purchase Order #(PO-4147074).exe.400000.0.unpack, type: UNPACKEDPE |
Source: unknown | TCP traffic detected without corresponding DNS query: 212.83.46.26 |
Source: unknown | TCP traffic detected without corresponding DNS query: 212.83.46.26 |
Source: unknown | TCP traffic detected without corresponding DNS query: 212.83.46.26 |
Source: unknown | TCP traffic detected without corresponding DNS query: 212.83.46.26 |
Source: unknown | TCP traffic detected without corresponding DNS query: 212.83.46.26 |
Source: unknown | TCP traffic detected without corresponding DNS query: 212.83.46.26 |
Source: unknown | TCP traffic detected without corresponding DNS query: 212.83.46.26 |
Source: unknown | TCP traffic detected without corresponding DNS query: 212.83.46.26 |
Source: unknown | TCP traffic detected without corresponding DNS query: 212.83.46.26 |
Source: unknown | TCP traffic detected without corresponding DNS query: 212.83.46.26 |
Source: unknown | TCP traffic detected without corresponding DNS query: 212.83.46.26 |
Source: unknown | TCP traffic detected without corresponding DNS query: 212.83.46.26 |
Source: unknown | TCP traffic detected without corresponding DNS query: 212.83.46.26 |
Source: unknown | TCP traffic detected without corresponding DNS query: 212.83.46.26 |
Source: unknown | TCP traffic detected without corresponding DNS query: 212.83.46.26 |
Source: unknown | TCP traffic detected without corresponding DNS query: 212.83.46.26 |
Source: unknown | TCP traffic detected without corresponding DNS query: 212.83.46.26 |
Source: unknown | TCP traffic detected without corresponding DNS query: 212.83.46.26 |
Source: unknown | TCP traffic detected without corresponding DNS query: 212.83.46.26 |
Source: unknown | TCP traffic detected without corresponding DNS query: 212.83.46.26 |
Source: unknown | TCP traffic detected without corresponding DNS query: 212.83.46.26 |
Source: unknown | TCP traffic detected without corresponding DNS query: 212.83.46.26 |
Source: unknown | TCP traffic detected without corresponding DNS query: 212.83.46.26 |
Source: unknown | TCP traffic detected without corresponding DNS query: 212.83.46.26 |
Source: unknown | TCP traffic detected without corresponding DNS query: 212.83.46.26 |
Source: unknown | TCP traffic detected without corresponding DNS query: 212.83.46.26 |
Source: unknown | TCP traffic detected without corresponding DNS query: 212.83.46.26 |
Source: unknown | TCP traffic detected without corresponding DNS query: 212.83.46.26 |
Source: unknown | TCP traffic detected without corresponding DNS query: 212.83.46.26 |
Source: unknown | TCP traffic detected without corresponding DNS query: 212.83.46.26 |
Source: unknown | TCP traffic detected without corresponding DNS query: 212.83.46.26 |
Source: unknown | TCP traffic detected without corresponding DNS query: 212.83.46.26 |
Source: unknown | TCP traffic detected without corresponding DNS query: 212.83.46.26 |
Source: unknown | TCP traffic detected without corresponding DNS query: 212.83.46.26 |
Source: unknown | TCP traffic detected without corresponding DNS query: 212.83.46.26 |
Source: unknown | TCP traffic detected without corresponding DNS query: 212.83.46.26 |
Source: unknown | TCP traffic detected without corresponding DNS query: 212.83.46.26 |
Source: unknown | TCP traffic detected without corresponding DNS query: 212.83.46.26 |
Source: unknown | TCP traffic detected without corresponding DNS query: 212.83.46.26 |
Source: unknown | TCP traffic detected without corresponding DNS query: 212.83.46.26 |
Source: unknown | TCP traffic detected without corresponding DNS query: 212.83.46.26 |
Source: unknown | TCP traffic detected without corresponding DNS query: 212.83.46.26 |
Source: unknown | TCP traffic detected without corresponding DNS query: 212.83.46.26 |
Source: unknown | TCP traffic detected without corresponding DNS query: 212.83.46.26 |
Source: unknown | TCP traffic detected without corresponding DNS query: 212.83.46.26 |
Source: unknown | TCP traffic detected without corresponding DNS query: 212.83.46.26 |
Source: unknown | TCP traffic detected without corresponding DNS query: 212.83.46.26 |
Source: unknown | TCP traffic detected without corresponding DNS query: 212.83.46.26 |
Source: unknown | TCP traffic detected without corresponding DNS query: 212.83.46.26 |
Source: unknown | TCP traffic detected without corresponding DNS query: 212.83.46.26 |
Source: Yara match | File source: 00000003.00000002.589318346.0000000005310000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000002.580963895.0000000000402000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000002.583672189.0000000002A41000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000002.588220377.0000000003A89000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.231081613.0000000003929000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: Purchase Order #(PO-4147074).exe PID: 1536, type: MEMORY |
Source: Yara match | File source: Process Memory Space: Purchase Order #(PO-4147074).exe PID: 5284, type: MEMORY |
Source: Yara match | File source: 3.2.Purchase Order #(PO-4147074).exe.5310000.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.2.Purchase Order #(PO-4147074).exe.5310000.4.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.2.Purchase Order #(PO-4147074).exe.400000.0.unpack, type: UNPACKEDPE |
Source: 00000003.00000002.589318346.0000000005310000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 00000003.00000002.589286551.0000000005300000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 00000003.00000002.580963895.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 00000003.00000002.580963895.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 00000003.00000002.588220377.0000000003A89000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 00000000.00000002.231081613.0000000003929000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 00000000.00000002.231081613.0000000003929000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: Process Memory Space: Purchase Order #(PO-4147074).exe PID: 1536, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: Process Memory Space: Purchase Order #(PO-4147074).exe PID: 1536, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: Process Memory Space: Purchase Order #(PO-4147074).exe PID: 5284, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: Process Memory Space: Purchase Order #(PO-4147074).exe PID: 5284, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 3.2.Purchase Order #(PO-4147074).exe.5310000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 3.2.Purchase Order #(PO-4147074).exe.5300000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 3.2.Purchase Order #(PO-4147074).exe.5310000.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 3.2.Purchase Order #(PO-4147074).exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 3.2.Purchase Order #(PO-4147074).exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: Purchase Order #(PO-4147074).exe, 00000000.00000002.239810218.00000000064C0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs Purchase Order #(PO-4147074).exe |
Source: Purchase Order #(PO-4147074).exe, 00000000.00000002.239810218.00000000064C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Purchase Order #(PO-4147074).exe |
Source: Purchase Order #(PO-4147074).exe, 00000000.00000002.239553221.0000000005CA0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamePositiveSign.dll< vs Purchase Order #(PO-4147074).exe |
Source: Purchase Order #(PO-4147074).exe, 00000000.00000002.229892856.0000000000DCB000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Purchase Order #(PO-4147074).exe |
Source: Purchase Order #(PO-4147074).exe, 00000000.00000002.230037064.0000000002901000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSoapName.dll2 vs Purchase Order #(PO-4147074).exe |
Source: Purchase Order #(PO-4147074).exe, 00000000.00000002.229611492.0000000000678000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameEventProviderWriter.exeZ vs Purchase Order #(PO-4147074).exe |
Source: Purchase Order #(PO-4147074).exe, 00000000.00000002.239684106.00000000063C0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Purchase Order #(PO-4147074).exe |
Source: Purchase Order #(PO-4147074).exe, 00000003.00000002.591922712.00000000063B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Purchase Order #(PO-4147074).exe |
Source: Purchase Order #(PO-4147074).exe, 00000003.00000002.581627878.00000000006B8000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameEventProviderWriter.exeZ vs Purchase Order #(PO-4147074).exe |
Source: Purchase Order #(PO-4147074).exe, 00000003.00000002.583672189.0000000002A41000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Purchase Order #(PO-4147074).exe |
Source: Purchase Order #(PO-4147074).exe, 00000003.00000002.591844560.0000000005E80000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs Purchase Order #(PO-4147074).exe |
Source: Purchase Order #(PO-4147074).exe, 00000003.00000002.590522113.0000000005B50000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Purchase Order #(PO-4147074).exe |
Source: Purchase Order #(PO-4147074).exe, 00000003.00000002.588220377.0000000003A89000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Purchase Order #(PO-4147074).exe |
Source: Purchase Order #(PO-4147074).exe | Binary or memory string: OriginalFilenameEventProviderWriter.exeZ vs Purchase Order #(PO-4147074).exe |
Source: 00000003.00000002.589318346.0000000005310000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 00000003.00000002.589318346.0000000005310000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 00000003.00000002.589286551.0000000005300000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 00000003.00000002.589286551.0000000005300000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 00000003.00000002.580963895.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 00000003.00000002.580963895.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 00000003.00000002.588220377.0000000003A89000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 00000000.00000002.231081613.0000000003929000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 00000000.00000002.231081613.0000000003929000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: Process Memory Space: Purchase Order #(PO-4147074).exe PID: 1536, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: Process Memory Space: Purchase Order #(PO-4147074).exe PID: 1536, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: Process Memory Space: Purchase Order #(PO-4147074).exe PID: 5284, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: Process Memory Space: Purchase Order #(PO-4147074).exe PID: 5284, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 3.2.Purchase Order #(PO-4147074).exe.5310000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 3.2.Purchase Order #(PO-4147074).exe.5310000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 3.2.Purchase Order #(PO-4147074).exe.5300000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 3.2.Purchase Order #(PO-4147074).exe.5300000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 3.2.Purchase Order #(PO-4147074).exe.5310000.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 3.2.Purchase Order #(PO-4147074).exe.5310000.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 3.2.Purchase Order #(PO-4147074).exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 3.2.Purchase Order #(PO-4147074).exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 3.2.Purchase Order #(PO-4147074).exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 3.2.Purchase Order #(PO-4147074).exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs=' |
Source: 3.2.Purchase Order #(PO-4147074).exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK' |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Process information set: NOOPENFILEERRORBOX |
Source: Purchase Order #(PO-4147074).exe, 00000000.00000002.230037064.0000000002901000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\ |
Source: Purchase Order #(PO-4147074).exe, 00000003.00000002.591922712.00000000063B0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed. |
Source: Purchase Order #(PO-4147074).exe, 00000000.00000002.230037064.0000000002901000.00000004.00000001.sdmp | Binary or memory string: vmware |
Source: Purchase Order #(PO-4147074).exe, 00000003.00000002.591922712.00000000063B0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service. |
Source: Purchase Order #(PO-4147074).exe, 00000003.00000002.591922712.00000000063B0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported. |
Source: Purchase Order #(PO-4147074).exe, 00000000.00000002.230037064.0000000002901000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II |
Source: Purchase Order #(PO-4147074).exe, 00000000.00000002.229916054.0000000000DFF000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: Purchase Order #(PO-4147074).exe, 00000000.00000002.230037064.0000000002901000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools |
Source: Purchase Order #(PO-4147074).exe, 00000003.00000002.591922712.00000000063B0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service. |
Source: Purchase Order #(PO-4147074).exe, 00000003.00000002.586825345.0000000002DD3000.00000004.00000001.sdmp | Binary or memory string: Program Manager |
Source: Purchase Order #(PO-4147074).exe, 00000003.00000002.583454477.0000000001530000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd |
Source: Purchase Order #(PO-4147074).exe, 00000003.00000002.583454477.0000000001530000.00000002.00000001.sdmp | Binary or memory string: Progman |
Source: Purchase Order #(PO-4147074).exe, 00000003.00000002.591089615.0000000005CFF000.00000004.00000001.sdmp | Binary or memory string: Program Managerp |
Source: Purchase Order #(PO-4147074).exe, 00000003.00000002.586825345.0000000002DD3000.00000004.00000001.sdmp | Binary or memory string: Program Manager|$ |
Source: Purchase Order #(PO-4147074).exe, 00000003.00000002.590465959.0000000005B4B000.00000004.00000001.sdmp | Binary or memory string: Program Managerp8 |
Source: Purchase Order #(PO-4147074).exe, 00000003.00000002.591915457.00000000063AE000.00000004.00000001.sdmp | Binary or memory string: Program ManagerpX |
Source: Purchase Order #(PO-4147074).exe, 00000003.00000002.583454477.0000000001530000.00000002.00000001.sdmp | Binary or memory string: Progmanlock |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Queries volume information: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe VolumeInformation |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Queries volume information: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe VolumeInformation |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation |
Source: C:\Users\user\Desktop\Purchase Order #(PO-4147074).exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation |
Source: Yara match | File source: 00000003.00000002.589318346.0000000005310000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000002.580963895.0000000000402000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000002.583672189.0000000002A41000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000002.588220377.0000000003A89000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.231081613.0000000003929000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: Purchase Order #(PO-4147074).exe PID: 1536, type: MEMORY |
Source: Yara match | File source: Process Memory Space: Purchase Order #(PO-4147074).exe PID: 5284, type: MEMORY |
Source: Yara match | File source: 3.2.Purchase Order #(PO-4147074).exe.5310000.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.2.Purchase Order #(PO-4147074).exe.5310000.4.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.2.Purchase Order #(PO-4147074).exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000003.00000002.589318346.0000000005310000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000002.580963895.0000000000402000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000002.583672189.0000000002A41000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000002.588220377.0000000003A89000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.231081613.0000000003929000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: Purchase Order #(PO-4147074).exe PID: 1536, type: MEMORY |
Source: Yara match | File source: Process Memory Space: Purchase Order #(PO-4147074).exe PID: 5284, type: MEMORY |
Source: Yara match | File source: 3.2.Purchase Order #(PO-4147074).exe.5310000.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.2.Purchase Order #(PO-4147074).exe.5310000.4.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.2.Purchase Order #(PO-4147074).exe.400000.0.unpack, type: UNPACKEDPE |