Windows Analysis Report Purchase Order.exe

Overview

General Information

Sample Name: Purchase Order.exe
Analysis ID: 526911
MD5: 3f4e18fa2e1404e2c8f7f7e58c0dae4e
SHA1: 435587d7a9213b7f42086d2b39d06c90e6d8391a
SHA256: 5a608e9daf5aca1ccf0e6ef4cdbc826a02ba11037626787d6a35d2ff08cdb08a
Tags: exe, nanocore
Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicius Add Task From User AppData Temp
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains very large strings
Machine Learning detection for dropped file
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • Purchase Order.exe (PID: 4948 cmdline: "C:\Users\user\Desktop\Purchase Order.exe" MD5: 3F4E18FA2E1404E2C8F7F7E58C0DAE4E)
    • schtasks.exe (PID: 2940 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sWTAwlQUDpm" /XML "C:\Users\user\AppData\Local\Temp\tmpFF67.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 3848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Purchase Order.exe (PID: 2840 cmdline: {path} MD5: 3F4E18FA2E1404E2C8F7F7E58C0DAE4E)
      • schtasks.exe (PID: 4664 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp5DEB.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • Purchase Order.exe (PID: 4576 cmdline: "C:\Users\user\Desktop\Purchase Order.exe" 0 MD5: 3F4E18FA2E1404E2C8F7F7E58C0DAE4E)
    • schtasks.exe (PID: 2960 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sWTAwlQUDpm" /XML "C:\Users\user\AppData\Local\Temp\tmp2DF9.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "97f187e8-a15c-4801-9810-760fe379", "Group": "Bllie", "Domain1": "billie4.ddns.net", "Domain2": "", "Port": 6272, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.514093712.0000000004451000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000000E.00000000.290105146.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000000.290105146.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000000E.00000000.290105146.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
00000003.00000002.510612941.0000000001400000.00000004.00020000.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x8ba5:$x1: NanoCore.ClientPluginHost
  • 0x8bd2:$x2: IClientNetworkHost
(71 entries in total; only the first are listed here)

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.Purchase Order.exe.5c30000.26.raw.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
3.2.Purchase Order.exe.5c30000.26.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
3.2.Purchase Order.exe.3495c98.12.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x6da5:$x1: NanoCore.ClientPluginHost
  • 0x6dd2:$x2: IClientNetworkHost
3.2.Purchase Order.exe.3495c98.12.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x6da5:$x2: NanoCore.ClientPluginHost
  • 0x7d74:$s2: FileCommand
  • 0xc776:$s4: PipeCreated
  • 0x6dbf:$s5: IClientLoggingHost
14.0.Purchase Order.exe.400000.4.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
(185 entries in total; only the first are listed here)

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\Purchase Order.exe, ProcessId: 2840, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\Purchase Order.exe, ProcessId: 2840, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

System Summary:

Sigma detected: Suspicius Add Task From User AppData Temp
Source: Process started; Author: frack113; Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sWTAwlQUDpm" /XML "C:\Users\user\AppData\Local\Temp\tmpFF67.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sWTAwlQUDpm" /XML "C:\Users\user\AppData\Local\Temp\tmpFF67.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Purchase Order.exe" , ParentImage: C:\Users\user\Desktop\Purchase Order.exe, ParentProcessId: 4948, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sWTAwlQUDpm" /XML "C:\Users\user\AppData\Local\Temp\tmpFF67.tmp, ProcessId: 2940

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\Purchase Order.exe, ProcessId: 2840, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\Purchase Order.exe, ProcessId: 2840, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 00000003.00000002.514093712.0000000004451000.00000004.00000001.sdmp; Malware Configuration Extractor: NanoCore (the extracted configuration is the one listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: Purchase Order.exe; ReversingLabs: Detection: 11%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\sWTAwlQUDpm.exe; ReversingLabs: Detection: 24%
Yara detected Nanocore RAT
Machine Learning detection for sample
Source: Purchase Order.exe; Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\sWTAwlQUDpm.exe; Joe Sandbox ML: detected
Source: 14.0.Purchase Order.exe.400000.10.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.0.Purchase Order.exe.400000.12.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.0.Purchase Order.exe.400000.4.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.2.Purchase Order.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.Purchase Order.exe.400000.6.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.Purchase Order.exe.400000.10.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.2.Purchase Order.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.Purchase Order.exe.400000.4.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.Purchase Order.exe.400000.12.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.2.Purchase Order.exe.5ff0000.29.unpack; Avira: Label: TR/NanoCore.fadte
Source: 3.0.Purchase Order.exe.400000.8.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.0.Purchase Order.exe.400000.8.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.0.Purchase Order.exe.400000.6.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: Purchase Order.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\Purchase Order.exe; File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Purchase Order.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\user\Desktop\eQAUd3.pdb; source: Purchase Order.exe, 00000003.00000002.513330278.0000000003095000.00000004.00000040.sdmp
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\xOYxxJizaL\src\obj\Debug\eQAUd3.pdb; source: Purchase Order.exe
Source: Binary string: C:\Windows\symbols\exe\eQAUd3.pdb; source: Purchase Order.exe, 00000003.00000002.513330278.0000000003095000.00000004.00000040.sdmp
Source: Binary string: indows\eQAUd3.pdbpdbUd3.pdbUs; source: Purchase Order.exe, 00000003.00000002.513330278.0000000003095000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\eQAUd3.pdbf; source: Purchase Order.exe, 00000003.00000002.513330278.0000000003095000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\exe\eQAUd3.pdb; source: Purchase Order.exe, 00000003.00000002.513330278.0000000003095000.00000004.00000040.sdmp
Source: C:\Users\user\Desktop\Purchase Order.exe; Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49717 -> 194.5.97.210:6272
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: billie4.ddns.net
Uses dynamic DNS services
Source: unknown; DNS query: name: billie4.ddns.net
Source: Joe Sandbox View; ASN Name: DANILENKODE DANILENKODE
Source: global traffic; TCP traffic: 192.168.2.5:49689 -> 194.5.97.210:6272
      Source: Purchase Order.exe, 00000000.00000003.241100382.0000000005669000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com3p
      Source: Purchase Order.exe, 00000000.00000003.241100382.0000000005669000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comfr-cNqQ
      Source: Purchase Order.exe, 00000000.00000002.262436735.0000000006902000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
      Source: Purchase Order.exe, 00000000.00000002.262436735.0000000006902000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
      Source: Purchase Order.exe, 00000000.00000002.262436735.0000000006902000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
      Source: Purchase Order.exeString found in binary or memory: https://forums.rpgmakerweb.com/index.php?threads/retro.135715
      Source: Purchase Order.exeString found in binary or memory: https://ocram-codes.net
      Source: unknownDNS traffic detected: queries for: billie4.ddns.net
      Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 3_2_05762DE6 WSARecv,
      Source: Purchase Order.exe, 00000003.00000002.514093712.0000000004451000.00000004.00000001.sdmpBinary or memory string: RegisterRawInputDevices

      E-Banking Fraud:

      Yara detected Nanocore RAT
      Source: Yara match | File source: 14.0.Purchase Order.exe.400000.4.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 14.0.Purchase Order.exe.400000.12.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 14.0.Purchase Order.exe.400000.10.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 7.2.Purchase Order.exe.3c2c7c0.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 14.2.Purchase Order.exe.4659c7e.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 3.2.Purchase Order.exe.44530dd.16.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 3.0.Purchase Order.exe.400000.6.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 3.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 3.0.Purchase Order.exe.400000.10.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 3.2.Purchase Order.exe.4467a90.15.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.Purchase Order.exe.41dc7c0.2.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 14.2.Purchase Order.exe.46630dd.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 7.2.Purchase Order.exe.3c2c7c0.2.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 3.2.Purchase Order.exe.485a831.25.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 3.2.Purchase Order.exe.4467a90.15.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 3.0.Purchase Order.exe.400000.4.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 3.2.Purchase Order.exe.4856208.24.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 14.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 3.2.Purchase Order.exe.446c0b9.14.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 14.2.Purchase Order.exe.465eab4.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 14.2.Purchase Order.exe.465eab4.5.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 3.2.Purchase Order.exe.5ff0000.29.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.Purchase Order.exe.4235b58.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.Purchase Order.exe.42b7f68.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 3.2.Purchase Order.exe.48513d2.23.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 3.2.Purchase Order.exe.5ff4629.28.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 14.0.Purchase Order.exe.400000.8.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 3.0.Purchase Order.exe.400000.8.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 14.0.Purchase Order.exe.400000.6.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 3.0.Purchase Order.exe.400000.12.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 3.2.Purchase Order.exe.4856208.24.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 3.2.Purchase Order.exe.5ff0000.29.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 3.2.Purchase Order.exe.4676f19.19.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.Purchase Order.exe.41dc7c0.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 3.2.Purchase Order.exe.469777e.17.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 3.2.Purchase Order.exe.468314d.18.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 00000003.00000002.514093712.0000000004451000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000E.00000000.290105146.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000E.00000002.304942297.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000003.00000002.509365335.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000E.00000000.288438984.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000E.00000000.288897596.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000003.00000002.514370660.0000000004632000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000E.00000002.305808689.0000000004611000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000003.00000000.256909060.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000003.00000000.258283803.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000E.00000002.305776301.0000000003611000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.261218037.00000000040E1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000003.00000000.257814909.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000003.00000002.517345477.0000000005FF0000.00000004.00020000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000E.00000000.289395103.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000003.00000002.514554854.0000000004851000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000003.00000000.257324506.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000007.00000002.293600942.0000000003B31000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: Purchase Order.exe PID: 4948, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: Purchase Order.exe PID: 2840, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: Purchase Order.exe PID: 4576, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: Purchase Order.exe PID: 5872, type: MEMORYSTR

      System Summary:

      Malicious sample detected (through community Yara rule)
      Source: 3.2.Purchase Order.exe.5c30000.26.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 3.2.Purchase Order.exe.3495c98.12.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 14.0.Purchase Order.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 14.0.Purchase Order.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 14.0.Purchase Order.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 14.0.Purchase Order.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 3.2.Purchase Order.exe.47c0338.21.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 3.2.Purchase Order.exe.47e3cc6.22.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 14.0.Purchase Order.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 14.0.Purchase Order.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 3.2.Purchase Order.exe.173e8a4.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 3.2.Purchase Order.exe.1730000.7.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 3.3.Purchase Order.exe.487ac66.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 14.2.Purchase Order.exe.3633964.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 3.2.Purchase Order.exe.3411660.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 7.2.Purchase Order.exe.3c2c7c0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 7.2.Purchase Order.exe.3c2c7c0.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 3.2.Purchase Order.exe.34aa308.13.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 14.2.Purchase Order.exe.4659c7e.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 14.2.Purchase Order.exe.4659c7e.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 3.2.Purchase Order.exe.3489a24.11.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 3.2.Purchase Order.exe.1770000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 3.2.Purchase Order.exe.44530dd.16.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 3.0.Purchase Order.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 3.0.Purchase Order.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 3.2.Purchase Order.exe.1720000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 3.2.Purchase Order.exe.469777e.17.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 3.2.Purchase Order.exe.468314d.18.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 3.2.Purchase Order.exe.47e3cc6.22.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 3.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 3.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 3.2.Purchase Order.exe.1770000.9.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 3.0.Purchase Order.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 3.0.Purchase Order.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 3.2.Purchase Order.exe.4467a90.15.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 3.2.Purchase Order.exe.16f0000.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 3.2.Purchase Order.exe.47c9f3d.20.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 0.2.Purchase Order.exe.41dc7c0.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 0.2.Purchase Order.exe.41dc7c0.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 14.2.Purchase Order.exe.46630dd.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 7.2.Purchase Order.exe.3c2c7c0.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 7.2.Purchase Order.exe.3c2c7c0.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 3.2.Purchase Order.exe.485a831.25.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 3.2.Purchase Order.exe.4467a90.15.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 3.2.Purchase Order.exe.4676f19.19.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 3.0.Purchase Order.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 3.0.Purchase Order.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 3.2.Purchase Order.exe.4856208.24.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 3.2.Purchase Order.exe.1400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 14.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 14.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 3.2.Purchase Order.exe.13e0000.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 3.3.Purchase Order.exe.488f295.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 3.2.Purchase Order.exe.1730000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 3.2.Purchase Order.exe.446c0b9.14.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 14.2.Purchase Order.exe.465eab4.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 3.2.Purchase Order.exe.1720000.5.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 3.2.Purchase Order.exe.16f0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 14.2.Purchase Order.exe.465eab4.5.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 3.2.Purchase Order.exe.5ff0000.29.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 0.2.Purchase Order.exe.4235b58.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 0.2.Purchase Order.exe.4235b58.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0.2.Purchase Order.exe.42b7f68.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 0.2.Purchase Order.exe.42b7f68.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 3.2.Purchase Order.exe.1734c9f.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 3.2.Purchase Order.exe.48513d2.23.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 3.2.Purchase Order.exe.48513d2.23.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 3.2.Purchase Order.exe.3495c98.12.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 3.2.Purchase Order.exe.5ff4629.28.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 14.0.Purchase Order.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 14.0.Purchase Order.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 3.0.Purchase Order.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 3.0.Purchase Order.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 14.0.Purchase Order.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 14.0.Purchase Order.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 3.0.Purchase Order.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 3.0.Purchase Order.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 3.2.Purchase Order.exe.4856208.24.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 3.2.Purchase Order.exe.1400000.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 3.2.Purchase Order.exe.5ff0000.29.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 3.2.Purchase Order.exe.34aa308.13.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 3.2.Purchase Order.exe.13e0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 3.3.Purchase Order.exe.489d6c5.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 3.2.Purchase Order.exe.4676f19.19.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 3.2.Purchase Order.exe.4676f19.19.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0.2.Purchase Order.exe.41dc7c0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 0.2.Purchase Order.exe.41dc7c0.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 3.2.Purchase Order.exe.3489a24.11.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 3.2.Purchase Order.exe.469777e.17.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 3.2.Purchase Order.exe.469777e.17.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 3.2.Purchase Order.exe.468314d.18.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 3.2.Purchase Order.exe.468314d.18.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000E.00000000.290105146.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 0000000E.00000000.290105146.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000003.00000002.510612941.0000000001400000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 00000003.00000002.516783135.0000000005C30000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 0000000E.00000002.304942297.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 0000000E.00000002.304942297.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000003.00000002.513024868.0000000001730000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 00000003.00000002.509365335.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 00000003.00000002.509365335.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000E.00000000.288438984.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 0000000E.00000000.288438984.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000E.00000000.288897596.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 0000000E.00000000.288897596.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000003.00000002.514370660.0000000004632000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000E.00000002.305808689.0000000004611000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000003.00000000.256909060.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 00000003.00000000.256909060.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000003.00000000.258283803.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 00000003.00000000.258283803.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000E.00000002.305776301.0000000003611000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000000.00000002.261218037.00000000040E1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 00000000.00000002.261218037.00000000040E1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000003.00000000.257814909.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 00000003.00000000.257814909.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000003.00000002.512869646.00000000016F0000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 00000003.00000002.512970824.0000000001720000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 00000003.00000002.517345477.0000000005FF0000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 0000000E.00000000.289395103.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 0000000E.00000000.289395103.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000003.00000002.513074700.0000000001770000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 00000003.00000002.510571872.00000000013E0000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 00000003.00000002.514554854.0000000004851000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000003.00000000.257324506.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 00000003.00000000.257324506.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000007.00000002.293600942.0000000003B31000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 00000007.00000002.293600942.0000000003B31000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: Purchase Order.exe PID: 4948, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: Process Memory Space: Purchase Order.exe PID: 4948, type: MEMORYSTR | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: Purchase Order.exe PID: 2840, type: MEMORYSTR | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: Purchase Order.exe PID: 4576, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: Process Memory Space: Purchase Order.exe PID: 4576, type: MEMORYSTR | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: Purchase Order.exe PID: 5872, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: Process Memory Space: Purchase Order.exe PID: 5872, type: MEMORYSTR | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Initial sample is a PE file and has a suspicious name
      Source: initial sample | Static PE information: Filename: Purchase Order.exe
      .NET source code contains very large strings
      Source: Purchase Order.exe, frmMain.cs | Long String: Length: 22528
      Source: sWTAwlQUDpm.exe.0.dr, frmMain.cs | Long String: Length: 22528
      Source: 0.2.Purchase Order.exe.a70000.0.unpack, frmMain.cs | Long String: Length: 22528
      Source: 0.0.Purchase Order.exe.a70000.0.unpack, frmMain.cs | Long String: Length: 22528
      Source: 3.0.Purchase Order.exe.cb0000.3.unpack, frmMain.cs | Long String: Length: 22528
      Source: 3.0.Purchase Order.exe.cb0000.9.unpack, frmMain.cs | Long String: Length: 22528
      Source: 3.0.Purchase Order.exe.cb0000.11.unpack, frmMain.cs | Long String: Length: 22528
      Source: 3.0.Purchase Order.exe.cb0000.2.unpack, frmMain.cs | Long String: Length: 22528
      Source: 3.0.Purchase Order.exe.cb0000.5.unpack, frmMain.cs | Long String: Length: 22528
      Source: 3.0.Purchase Order.exe.cb0000.0.unpack, frmMain.cs | Long String: Length: 22528
      Executable has a suspicious name (potential lure to open the executable)
      Source: Purchase Order.exe | Static file information: Suspicious name
      Source: Purchase Order.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
      Source: 3.2.Purchase Order.exe.5c30000.26.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Purchase Order.exe.5c30000.26.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1, date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.Purchase Order.exe.3495c98.12.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Purchase Order.exe.3495c98.12.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1, date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 14.0.Purchase Order.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 14.0.Purchase Order.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1, date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 14.0.Purchase Order.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: NanoCore, date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 14.0.Purchase Order.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 14.0.Purchase Order.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1, date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 14.0.Purchase Order.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: NanoCore, date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 3.2.Purchase Order.exe.47c0338.21.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Purchase Order.exe.47c0338.21.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.Purchase Order.exe.47e3cc6.22.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Purchase Order.exe.47e3cc6.22.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 14.0.Purchase Order.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 14.0.Purchase Order.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 14.0.Purchase Order.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 3.2.Purchase Order.exe.173e8a4.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Purchase Order.exe.173e8a4.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.Purchase Order.exe.1730000.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Purchase Order.exe.1730000.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.3.Purchase Order.exe.487ac66.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.3.Purchase Order.exe.487ac66.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 14.2.Purchase Order.exe.3633964.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 14.2.Purchase Order.exe.3633964.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.Purchase Order.exe.3411660.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Purchase Order.exe.3411660.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 7.2.Purchase Order.exe.3c2c7c0.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 7.2.Purchase Order.exe.3c2c7c0.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 3.2.Purchase Order.exe.34aa308.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Purchase Order.exe.34aa308.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 14.2.Purchase Order.exe.4659c7e.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 14.2.Purchase Order.exe.4659c7e.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 14.2.Purchase Order.exe.4659c7e.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 3.2.Purchase Order.exe.3489a24.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Purchase Order.exe.3489a24.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.Purchase Order.exe.1770000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Purchase Order.exe.1770000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.Purchase Order.exe.44530dd.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Purchase Order.exe.44530dd.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.0.Purchase Order.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.0.Purchase Order.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.0.Purchase Order.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 3.2.Purchase Order.exe.1720000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Purchase Order.exe.1720000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.Purchase Order.exe.469777e.17.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Purchase Order.exe.469777e.17.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.Purchase Order.exe.468314d.18.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Purchase Order.exe.468314d.18.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.Purchase Order.exe.47e3cc6.22.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Purchase Order.exe.47e3cc6.22.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 3.2.Purchase Order.exe.1770000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Purchase Order.exe.1770000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.0.Purchase Order.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.0.Purchase Order.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.0.Purchase Order.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 3.2.Purchase Order.exe.4467a90.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Purchase Order.exe.4467a90.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.Purchase Order.exe.16f0000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Purchase Order.exe.16f0000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.Purchase Order.exe.47c9f3d.20.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Purchase Order.exe.47c9f3d.20.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0.2.Purchase Order.exe.41dc7c0.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.Purchase Order.exe.41dc7c0.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0.2.Purchase Order.exe.41dc7c0.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 14.2.Purchase Order.exe.46630dd.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 14.2.Purchase Order.exe.46630dd.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 7.2.Purchase Order.exe.3c2c7c0.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 7.2.Purchase Order.exe.3c2c7c0.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 7.2.Purchase Order.exe.3c2c7c0.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 3.2.Purchase Order.exe.485a831.25.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Purchase Order.exe.485a831.25.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.Purchase Order.exe.4467a90.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Purchase Order.exe.4467a90.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.Purchase Order.exe.4676f19.19.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Purchase Order.exe.4676f19.19.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.0.Purchase Order.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.0.Purchase Order.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.0.Purchase Order.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 3.2.Purchase Order.exe.4856208.24.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Purchase Order.exe.4856208.24.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.Purchase Order.exe.1400000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Purchase Order.exe.1400000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 14.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 14.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 14.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 3.2.Purchase Order.exe.13e0000.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Purchase Order.exe.13e0000.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.3.Purchase Order.exe.488f295.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.3.Purchase Order.exe.488f295.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.Purchase Order.exe.1730000.7.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Purchase Order.exe.1730000.7.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.Purchase Order.exe.446c0b9.14.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Purchase Order.exe.446c0b9.14.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 14.2.Purchase Order.exe.465eab4.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 14.2.Purchase Order.exe.465eab4.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.Purchase Order.exe.1720000.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Purchase Order.exe.1720000.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.Purchase Order.exe.16f0000.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Purchase Order.exe.16f0000.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 14.2.Purchase Order.exe.465eab4.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 14.2.Purchase Order.exe.465eab4.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.Purchase Order.exe.5ff0000.29.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Purchase Order.exe.5ff0000.29.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0.2.Purchase Order.exe.4235b58.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.Purchase Order.exe.4235b58.4.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0.2.Purchase Order.exe.42b7f68.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.Purchase Order.exe.42b7f68.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 3.2.Purchase Order.exe.1734c9f.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Purchase Order.exe.1734c9f.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.Purchase Order.exe.48513d2.23.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Purchase Order.exe.48513d2.23.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.Purchase Order.exe.48513d2.23.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 3.2.Purchase Order.exe.3495c98.12.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Purchase Order.exe.3495c98.12.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.Purchase Order.exe.5ff4629.28.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Purchase Order.exe.5ff4629.28.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 14.0.Purchase Order.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 14.0.Purchase Order.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 14.0.Purchase Order.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 3.0.Purchase Order.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.0.Purchase Order.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.0.Purchase Order.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 14.0.Purchase Order.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 14.0.Purchase Order.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 14.0.Purchase Order.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 3.0.Purchase Order.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.0.Purchase Order.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.0.Purchase Order.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 3.2.Purchase Order.exe.4856208.24.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Purchase Order.exe.4856208.24.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.Purchase Order.exe.1400000.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Purchase Order.exe.1400000.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.Purchase Order.exe.5ff0000.29.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Purchase Order.exe.5ff0000.29.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.Purchase Order.exe.34aa308.13.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Purchase Order.exe.34aa308.13.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.Purchase Order.exe.13e0000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Purchase Order.exe.13e0000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.3.Purchase Order.exe.489d6c5.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.3.Purchase Order.exe.489d6c5.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.Purchase Order.exe.4676f19.19.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Purchase Order.exe.4676f19.19.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0.2.Purchase Order.exe.41dc7c0.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.Purchase Order.exe.41dc7c0.2.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 3.2.Purchase Order.exe.3489a24.11.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Purchase Order.exe.3489a24.11.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.Purchase Order.exe.469777e.17.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Purchase Order.exe.469777e.17.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 3.2.Purchase Order.exe.468314d.18.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Purchase Order.exe.468314d.18.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000E.00000000.290105146.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000E.00000000.290105146.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000003.00000002.510612941.0000000001400000.00000004.00020000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000003.00000002.510612941.0000000001400000.00000004.00020000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000003.00000002.516783135.0000000005C30000.00000004.00020000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000003.00000002.516783135.0000000005C30000.00000004.00020000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0000000E.00000002.304942297.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000E.00000002.304942297.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000003.00000002.513024868.0000000001730000.00000004.00020000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000003.00000002.513024868.0000000001730000.00000004.00020000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000003.00000002.509365335.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000003.00000002.509365335.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000E.00000000.288438984.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000E.00000000.288438984.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000E.00000000.288897596.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000E.00000000.288897596.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000003.00000002.514370660.0000000004632000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000E.00000002.305808689.0000000004611000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000003.00000000.256909060.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000003.00000000.256909060.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000003.00000000.258283803.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000003.00000000.258283803.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000E.00000002.305776301.0000000003611000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000000.00000002.261218037.00000000040E1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000002.261218037.00000000040E1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000003.00000000.257814909.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000003.00000000.257814909.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000003.00000002.512869646.00000000016F0000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000003.00000002.512869646.00000000016F0000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000003.00000002.512970824.0000000001720000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000003.00000002.512970824.0000000001720000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000003.00000002.517345477.0000000005FF0000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000003.00000002.517345477.0000000005FF0000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0000000E.00000000.289395103.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000E.00000000.289395103.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000003.00000002.513074700.0000000001770000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000003.00000002.513074700.0000000001770000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000003.00000002.510571872.00000000013E0000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000003.00000002.510571872.00000000013E0000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000003.00000002.514554854.0000000004851000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000003.00000000.257324506.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000003.00000000.257324506.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000007.00000002.293600942.0000000003B31000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000007.00000002.293600942.0000000003B31000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: Purchase Order.exe PID: 4948, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: Purchase Order.exe PID: 4948, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: Purchase Order.exe PID: 2840, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: Purchase Order.exe PID: 4576, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: Purchase Order.exe PID: 4576, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: Purchase Order.exe PID: 5872, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: Purchase Order.exe PID: 5872, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 3_2_057615AA NtQuerySystemInformation,
      Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 3_2_0576156F NtQuerySystemInformation,
      Source: Purchase Order.exeBinary or memory string: OriginalFilename vs Purchase Order.exe
      Source: Purchase Order.exe, 00000000.00000002.264098145.00000000087F0000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs Purchase Order.exe
      Source: Purchase Order.exe, 00000000.00000000.237116475.0000000000A72000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameeQAUd3.exe: vs Purchase Order.exe
      Source: Purchase Order.exe, 00000000.00000002.260279599.00000000030E1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameBunifu.UI.dll4 vs Purchase Order.exe
      Source: Purchase Order.exeBinary or memory string: OriginalFilename vs Purchase Order.exe
      Source: Purchase Order.exe, 00000003.00000002.517262865.0000000005FE0000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs Purchase Order.exe
      Source: Purchase Order.exe, 00000003.00000002.514093712.0000000004451000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Purchase Order.exe
      Source: Purchase Order.exe, 00000003.00000002.510612941.0000000001400000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs Purchase Order.exe
      Source: Purchase Order.exe, 00000003.00000000.255969459.0000000000CB2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameeQAUd3.exe: vs Purchase Order.exe
      Source: Purchase Order.exe, 00000003.00000002.516783135.0000000005C30000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs Purchase Order.exe
      Source: Purchase Order.exe, 00000003.00000002.514499338.0000000004766000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs Purchase Order.exe
      Source: Purchase Order.exe, 00000003.00000002.514499338.0000000004766000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNAudio.dll4 vs Purchase Order.exe
      Source: Purchase Order.exe, 00000003.00000002.514499338.0000000004766000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs Purchase Order.exe
      Source: Purchase Order.exe, 00000003.00000002.514499338.0000000004766000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs Purchase Order.exe
      Source: Purchase Order.exe, 00000003.00000002.514370660.0000000004632000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs Purchase Order.exe
      Source: Purchase Order.exe, 00000003.00000002.514370660.0000000004632000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs Purchase Order.exe
      Source: Purchase Order.exe, 00000003.00000002.514370660.0000000004632000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs Purchase Order.exe
      Source: Purchase Order.exe, 00000003.00000002.511631747.00000000014BA000.00000004.00000020.sdmpBinary or memory string: OriginalFilenamemscorwks.dllT vs Purchase Order.exe
      Source: Purchase Order.exeBinary or memory string: OriginalFilename vs Purchase Order.exe
      Source: Purchase Order.exe, 00000007.00000002.291669910.0000000002B31000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameBunifu.UI.dll4 vs Purchase Order.exe
      Source: Purchase Order.exe, 00000007.00000002.290658300.00000000003C2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameeQAUd3.exe: vs Purchase Order.exe
      Source: Purchase Order.exe, 00000007.00000002.294839498.0000000007FF0000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs Purchase Order.exe
      Source: Purchase Order.exe, 00000007.00000002.291224499.0000000000A9A000.00000004.00000020.sdmpBinary or memory string: OriginalFilenamemscorwks.dllT vs Purchase Order.exe
      Source: Purchase Order.exeBinary or memory string: OriginalFilename vs Purchase Order.exe
      Source: Purchase Order.exe, 0000000E.00000000.288924003.0000000000E52000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameeQAUd3.exe: vs Purchase Order.exe
      Source: Purchase Order.exe, 0000000E.00000002.305808689.0000000004611000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs Purchase Order.exe
      Source: Purchase Order.exe, 0000000E.00000002.305808689.0000000004611000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs Purchase Order.exe
      Source: Purchase Order.exe, 0000000E.00000002.305808689.0000000004611000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Purchase Order.exe
      Source: Purchase Order.exe, 0000000E.00000002.305464722.000000000162A000.00000004.00000020.sdmpBinary or memory string: OriginalFilenamemscorwks.dllT vs Purchase Order.exe
      Source: Purchase Order.exeBinary or memory string: OriginalFilenameeQAUd3.exe: vs Purchase Order.exe
      Source: Purchase Order.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: sWTAwlQUDpm.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: Purchase Order.exeReversingLabs: Detection: 11%
      Source: C:\Users\user\Desktop\Purchase Order.exeFile read: C:\Users\user\Desktop\Purchase Order.exeJump to behavior
      Source: Purchase Order.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\Purchase Order.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: unknownProcess created: C:\Users\user\Desktop\Purchase Order.exe "C:\Users\user\Desktop\Purchase Order.exe"
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sWTAwlQUDpm" /XML "C:\Users\user\AppData\Local\Temp\tmpFF67.tmp
      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess created: C:\Users\user\Desktop\Purchase Order.exe {path}
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp5DEB.tmp
      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Users\user\Desktop\Purchase Order.exe "C:\Users\user\Desktop\Purchase Order.exe" 0
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sWTAwlQUDpm" /XML "C:\Users\user\AppData\Local\Temp\tmp2DF9.tmp
      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess created: C:\Users\user\Desktop\Purchase Order.exe {path}
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sWTAwlQUDpm" /XML "C:\Users\user\AppData\Local\Temp\tmpFF67.tmp
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess created: C:\Users\user\Desktop\Purchase Order.exe {path}
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp5DEB.tmp
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sWTAwlQUDpm" /XML "C:\Users\user\AppData\Local\Temp\tmp2DF9.tmp
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess created: C:\Users\user\Desktop\Purchase Order.exe {path}
      Source: C:\Users\user\Desktop\Purchase Order.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
      Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 3_2_0576136A AdjustTokenPrivileges,
      Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 3_2_05761333 AdjustTokenPrivileges,
      Source: C:\Users\user\Desktop\Purchase Order.exeFile created: C:\Users\user\AppData\Roaming\sWTAwlQUDpm.exeJump to behavior
      Source: C:\Users\user\Desktop\Purchase Order.exeFile created: C:\Users\user\AppData\Local\Temp\tmpFF67.tmpJump to behavior
      Source: classification engine	Classification label: mal100.troj.evad.winEXE@15/10@20/2
      Source: C:\Users\user\Desktop\Purchase Order.exe	File read: C:\Users\user\Desktop\desktop.ini
      Source: 3.0.Purchase Order.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 3.0.Purchase Order.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 3.0.Purchase Order.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 3.0.Purchase Order.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 3.0.Purchase Order.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 3.0.Purchase Order.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 3.0.Purchase Order.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 3.0.Purchase Order.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 3.2.Purchase Order.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 3.2.Purchase Order.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 3.0.Purchase Order.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 3.0.Purchase Order.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
      Source: C:\Users\user\Desktop\Purchase Order.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
      Source: C:\Users\user\Desktop\Purchase Order.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
      Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4908:120:WilError_01
      Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5148:120:WilError_01
      Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3848:120:WilError_01
      Source: C:\Users\user\Desktop\Purchase Order.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{97f187e8-a15c-4801-9810-760fe379ba40}
      Source: 3.2.Purchase Order.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 3.2.Purchase Order.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
      Source: 3.2.Purchase Order.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
      Source: 3.0.Purchase Order.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 3.0.Purchase Order.exe.400000.6.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
      Source: 3.0.Purchase Order.exe.400000.6.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
      Source: 3.0.Purchase Order.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 3.0.Purchase Order.exe.400000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
      Source: 3.0.Purchase Order.exe.400000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
      Source: C:\Users\user\Desktop\Purchase Order.exe	File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
      Source: C:\Users\user\Desktop\Purchase Order.exe	File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
      Source: Purchase Order.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: Purchase Order.exe	Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: Purchase Order.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: Binary string: C:\Users\user\Desktop\eQAUd3.pdb source: Purchase Order.exe, 00000003.00000002.513330278.0000000003095000.00000004.00000040.sdmp
      Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\xOYxxJizaL\src\obj\Debug\eQAUd3.pdb source: Purchase Order.exe
      Source: Binary string: C:\Windows\symbols\exe\eQAUd3.pdb source: Purchase Order.exe, 00000003.00000002.513330278.0000000003095000.00000004.00000040.sdmp
      Source: Binary string: indows\eQAUd3.pdbpdbUd3.pdbUs source: Purchase Order.exe, 00000003.00000002.513330278.0000000003095000.00000004.00000040.sdmp
      Source: Binary string: C:\Windows\eQAUd3.pdbf source: Purchase Order.exe, 00000003.00000002.513330278.0000000003095000.00000004.00000040.sdmp
      Source: Binary string: C:\Windows\exe\eQAUd3.pdb source: Purchase Order.exe, 00000003.00000002.513330278.0000000003095000.00000004.00000040.sdmp

      Data Obfuscation:

      .NET source code contains potential unpacker
      Source: Purchase Order.exe, frmMain.cs	.Net Code: Q_I3 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
      Source: sWTAwlQUDpm.exe.0.dr, frmMain.cs	.Net Code: Q_I3 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
      Source: 0.2.Purchase Order.exe.a70000.0.unpack, frmMain.cs	.Net Code: Q_I3 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
      Source: 0.0.Purchase Order.exe.a70000.0.unpack, frmMain.cs	.Net Code: Q_I3 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
      Source: 3.0.Purchase Order.exe.cb0000.3.unpack, frmMain.cs	.Net Code: Q_I3 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
      Source: 3.0.Purchase Order.exe.cb0000.9.unpack, frmMain.cs	.Net Code: Q_I3 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
      Source: 3.2.Purchase Order.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 3.2.Purchase Order.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 3.0.Purchase Order.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 3.0.Purchase Order.exe.400000.6.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 3.0.Purchase Order.exe.400000.10.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 3.0.Purchase Order.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 3.0.Purchase Order.exe.cb0000.11.unpack, frmMain.cs	.Net Code: Q_I3 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
      Source: 3.0.Purchase Order.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 3.0.Purchase Order.exe.400000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 3.0.Purchase Order.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 3.0.Purchase Order.exe.400000.12.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 3.0.Purchase Order.exe.cb0000.2.unpack, frmMain.cs	.Net Code: Q_I3 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
      Source: 3.0.Purchase Order.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 3.0.Purchase Order.exe.400000.8.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 3.0.Purchase Order.exe.cb0000.5.unpack, frmMain.cs	.Net Code: Q_I3 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
      Source: 3.0.Purchase Order.exe.cb0000.0.unpack, frmMain.cs	.Net Code: Q_I3 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
      Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 0_2_00A7B921 push ss; ret
      Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 0_2_00A7B273 push ss; ret
      Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 0_2_013D31FD push es; ret
      Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 0_2_013D247A push esi; ret
      Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 0_2_013D2530 push esi; ret
      Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 0_2_02D7F22A push B83592E8h; iretd
      Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 0_2_02D7D477 push 9EFFFFFEh; ret
      Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 0_2_050F116A push CC45699Fh; ret
      Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 0_2_00A762C5 push es; retn 0000h
      Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_00CBB273 push ss; ret
      Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_00CBB921 push ss; ret
      Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_01442BEC push cs; ret
      Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_01442BBD push cs; ret
      Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_0145B0B4 push 057FCF74h; iretd
      Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_014574AC push ecx; ret
      Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_014574B8 push ebp; ret
      Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_01457FA7 push eax; retf
      Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 3_2_00CB62C5 push es; retn 0000h
      Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 7_2_003CB921 push ss; ret
      Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 7_2_003CB273 push ss; ret
      Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 7_2_00E3D477 push 9EFFFFFEh; ret
      Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 7_2_00E34E60 push ebx; ret
      Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 7_2_0272116A push CC45699Fh; ret
      Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 7_2_003C62C5 push es; retn 0000h
      Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 14_2_00E5B273 push ss; ret
      Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 14_2_00E5B921 push ss; ret
      Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 14_2_01492BEC push cs; ret
      Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 14_2_01492BBD push cs; ret
      Source: C:\Users\user\Desktop\Purchase Order.exe	Code function: 14_2_00E562C5 push es; retn 0000h
      Source: Purchase Order.exe	Static PE information: 0x8E9F697A [Sat Oct 28 13:58:18 2045 UTC]
      Source: initial sample	Static PE information: section name: .text entropy: 7.69202666714
      Source: 3.2.Purchase Order.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 3.2.Purchase Order.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: C:\Users\user\Desktop\Purchase Order.exe	File created: C:\Users\user\AppData\Roaming\sWTAwlQUDpm.exe

      Boot Survival:

      Uses schtasks.exe or at.exe to add and modify task schedules
      Source: C:\Users\user\Desktop\Purchase Order.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sWTAwlQUDpm" /XML "C:\Users\user\AppData\Local\Temp\tmpFF67.tmp
      Source: C:\Users\user\Desktop\Purchase Order.exe	Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Yara detected AntiVM3
      Source: Yara match | File source: 00000000.00000002.260337804.000000000312F000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: Purchase Order.exe PID: 4948, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: Purchase Order.exe PID: 4576, type: MEMORYSTR
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: Purchase Order.exe, 00000000.00000002.260337804.000000000312F000.00000004.00000001.sdmp, Purchase Order.exe, 00000007.00000002.291735399.0000000002B7F000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
      Source: Purchase Order.exe, 00000000.00000002.260337804.000000000312F000.00000004.00000001.sdmp, Purchase Order.exe, 00000007.00000002.291735399.0000000002B7F000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
      Source: C:\Users\user\Desktop\Purchase Order.exe TID: 5164 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\Desktop\Purchase Order.exe TID: 2376 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\Desktop\Purchase Order.exe TID: 4600 | Thread sleep time: -1844674407370954s >= -30000s
      Source: C:\Users\user\Desktop\Purchase Order.exe TID: 4600 | Thread sleep count: 420 > 30
      Source: C:\Users\user\Desktop\Purchase Order.exe TID: 4600 | Thread sleep count: 1287 > 30
      Source: C:\Users\user\Desktop\Purchase Order.exe TID: 4616 | Thread sleep count: 279 > 30
      Source: C:\Users\user\Desktop\Purchase Order.exe TID: 4600 | Thread sleep count: 85 > 30
      Source: C:\Users\user\Desktop\Purchase Order.exe TID: 4604 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\Desktop\Purchase Order.exe TID: 4548 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\Desktop\Purchase Order.exe TID: 6100 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: C:\Users\user\Desktop\Purchase Order.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\Purchase Order.exe | Window / User API: threadDelayed 420
      Source: C:\Users\user\Desktop\Purchase Order.exe | Window / User API: threadDelayed 1287
      Source: C:\Users\user\Desktop\Purchase Order.exe | Window / User API: foregroundWindowGot 711
      Source: C:\Users\user\Desktop\Purchase Order.exe | Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 3_2_057625FE GetSystemInfo,
      Source: Purchase Order.exe, 00000007.00000002.291735399.0000000002B7F000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
      Source: Purchase Order.exe, 00000007.00000002.291735399.0000000002B7F000.00000004.00000001.sdmp | Binary or memory string: vmware
      Source: Purchase Order.exe, 00000007.00000002.291735399.0000000002B7F000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: Purchase Order.exe, 00000007.00000002.291735399.0000000002B7F000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
      Source: Purchase Order.exe, 00000003.00000002.512105320.000000000152C000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllSh;u
      Source: Purchase Order.exe, 00000007.00000002.291224499.0000000000A9A000.00000004.00000020.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}i
      Source: Purchase Order.exe, 00000007.00000002.291735399.0000000002B7F000.00000004.00000001.sdmp | Binary or memory string: VMWARE
      Source: Purchase Order.exe, 00000007.00000002.291735399.0000000002B7F000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: Purchase Order.exe, 00000007.00000002.291735399.0000000002B7F000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
      Source: Purchase Order.exe, 00000007.00000002.291735399.0000000002B7F000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
      Source: Purchase Order.exe, 00000007.00000002.291735399.0000000002B7F000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
      Source: Purchase Order.exe, 00000007.00000002.291224499.0000000000A9A000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllFF
      Source: C:\Users\user\Desktop\Purchase Order.exe | Process token adjusted: Debug
      Source: C:\Users\user\Desktop\Purchase Order.exe | Memory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion:

      Injects a PE file into a foreign processes
      Source: C:\Users\user\Desktop\Purchase Order.exe | Memory written: C:\Users\user\Desktop\Purchase Order.exe base: 400000 value starts with: 4D5A
      Source: C:\Users\user\Desktop\Purchase Order.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sWTAwlQUDpm" /XML "C:\Users\user\AppData\Local\Temp\tmpFF67.tmp
      Source: C:\Users\user\Desktop\Purchase Order.exe | Process created: C:\Users\user\Desktop\Purchase Order.exe {path}
      Source: C:\Users\user\Desktop\Purchase Order.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp5DEB.tmp
      Source: C:\Users\user\Desktop\Purchase Order.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sWTAwlQUDpm" /XML "C:\Users\user\AppData\Local\Temp\tmp2DF9.tmp
      Source: Purchase Order.exe, 00000003.00000002.513812190.00000000035A7000.00000004.00000001.sdmp | Binary or memory string: Program Manager
      Source: Purchase Order.exe, 00000003.00000002.513192982.0000000001B40000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
      Source: Purchase Order.exe, 00000003.00000002.513192982.0000000001B40000.00000002.00020000.sdmp | Binary or memory string: Progman
      Source: Purchase Order.exe, 00000003.00000002.513192982.0000000001B40000.00000002.00020000.sdmp | Binary or memory string: SProgram Managerl
      Source: Purchase Order.exe, 00000003.00000002.513192982.0000000001B40000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd,
      Source: Purchase Order.exe, 00000003.00000002.513192982.0000000001B40000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
      Source: Purchase Order.exe, 00000003.00000002.512105320.000000000152C000.00000004.00000020.sdmp | Binary or memory string: rProgram Manager
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Purchase Order.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
      Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 3_2_057630AE GetSystemTimes,
      Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 3_2_0144AF9A GetUserNameW,

      Stealing of Sensitive Information:

      Yara detected Nanocore RAT
      Source: Yara match | File source: 14.0.Purchase Order.exe.400000.4.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 14.0.Purchase Order.exe.400000.12.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 14.0.Purchase Order.exe.400000.10.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 7.2.Purchase Order.exe.3c2c7c0.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 14.2.Purchase Order.exe.4659c7e.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 3.2.Purchase Order.exe.44530dd.16.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 3.0.Purchase Order.exe.400000.6.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 3.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 3.0.Purchase Order.exe.400000.10.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 3.2.Purchase Order.exe.4467a90.15.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.Purchase Order.exe.41dc7c0.2.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 14.2.Purchase Order.exe.46630dd.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 7.2.Purchase Order.exe.3c2c7c0.2.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 3.2.Purchase Order.exe.485a831.25.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 3.2.Purchase Order.exe.4467a90.15.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 3.0.Purchase Order.exe.400000.4.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 3.2.Purchase Order.exe.4856208.24.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 14.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 3.2.Purchase Order.exe.446c0b9.14.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 14.2.Purchase Order.exe.465eab4.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 14.2.Purchase Order.exe.465eab4.5.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 3.2.Purchase Order.exe.5ff0000.29.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.Purchase Order.exe.4235b58.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.Purchase Order.exe.42b7f68.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 3.2.Purchase Order.exe.48513d2.23.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 3.2.Purchase Order.exe.5ff4629.28.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 14.0.Purchase Order.exe.400000.8.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 3.0.Purchase Order.exe.400000.8.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 14.0.Purchase Order.exe.400000.6.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 3.0.Purchase Order.exe.400000.12.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 3.2.Purchase Order.exe.4856208.24.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 3.2.Purchase Order.exe.5ff0000.29.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 3.2.Purchase Order.exe.4676f19.19.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.Purchase Order.exe.41dc7c0.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 3.2.Purchase Order.exe.469777e.17.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 3.2.Purchase Order.exe.468314d.18.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 00000003.00000002.514093712.0000000004451000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000E.00000000.290105146.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000E.00000002.304942297.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000003.00000002.509365335.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000E.00000000.288438984.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000E.00000000.288897596.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000003.00000002.514370660.0000000004632000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000E.00000002.305808689.0000000004611000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000003.00000000.256909060.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000003.00000000.258283803.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000E.00000002.305776301.0000000003611000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.261218037.00000000040E1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000003.00000000.257814909.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000003.00000002.517345477.0000000005FF0000.00000004.00020000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000E.00000000.289395103.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000003.00000002.514554854.0000000004851000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000003.00000000.257324506.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000007.00000002.293600942.0000000003B31000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: Purchase Order.exe PID: 4948, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: Purchase Order.exe PID: 2840, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: Purchase Order.exe PID: 4576, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: Purchase Order.exe PID: 5872, type: MEMORYSTR
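The Yara matches above fire on unpacked PE images and raw memory dumps rather than on the packed file on disk, and the "Remote Access Functionality" findings in this report show what such a rule keys on: the .NET type and interface names of the NanoCore ClientPlugin assembly (NanoCore.ClientPluginHost, IClientNetworkHost, IClientLoggingHost, ClientPlugin.dll and so on) left in process memory. The following is an added example, not code from the report or from Joe Sandbox, showing the same string-based triage over dump files in plain Python: it searches each buffer for those identifiers in both ASCII (as the .NET #Strings metadata heap stores them) and UTF-16LE (as .NET user strings are stored), records the offsets, and flags a buffer only when several distinct markers are present. The marker list, the threshold of three and the two sample buffers are assumptions chosen for illustration.

```python
"""String-based triage for NanoCore ClientPlugin markers in memory dumps.

Added example (not from the sandbox report or the NanoCore code base).
Searches raw dumps / unpacked images for the .NET type names the report
lists under "Remote Access Functionality", in ASCII and UTF-16LE, and
flags a buffer when enough distinct markers occur.
"""
from __future__ import annotations

from pathlib import Path
from typing import Iterable

# Type / interface names taken from the ClientPlugin metadata string the
# report shows. "NanoCore.ClientPlugin" is deliberately left out because it
# is a substring of "NanoCore.ClientPluginHost" and would double-count.
NANOCORE_MARKERS = (
    b"NanoCore.ClientPluginHost",
    b"IClientDataHost",
    b"IClientNetworkHost",
    b"IClientUIHost",
    b"IClientLoggingHost",
    b"IClientAppHost",
    b"ClientPlugin.dll",
)

# Require several distinct markers so one stray identifier (e.g. in an AV
# signature database mapped into memory) does not fire. Assumed threshold.
MIN_DISTINCT_MARKERS = 3


def _encodings(marker: bytes) -> tuple[bytes, bytes]:
    """ASCII and UTF-16LE byte forms of a marker (covers #Strings and #US)."""
    return marker, marker.decode("ascii").encode("utf-16-le")


def find_markers(data: bytes) -> dict[str, list[int]]:
    """Map each marker present in `data` to the sorted offsets where it occurs.

    Offsets for both encodings are merged so an analyst can jump straight to
    them in a hex editor or debugger.
    """
    hits: dict[str, list[int]] = {}
    for marker in NANOCORE_MARKERS:
        offsets: list[int] = []
        for needle in _encodings(marker):
            start = 0
            while (pos := data.find(needle, start)) != -1:
                offsets.append(pos)
                start = pos + 1
        if offsets:
            hits[marker.decode("ascii")] = sorted(offsets)
    return hits


def is_nanocore_like(data: bytes, threshold: int = MIN_DISTINCT_MARKERS) -> bool:
    """True when at least `threshold` distinct markers are found in `data`."""
    return len(find_markers(data)) >= threshold


def scan_paths(paths: Iterable[Path]) -> dict[str, dict[str, list[int]]]:
    """Scan dump files on disk (e.g. exported *.sdmp or *.unpack files) and
    return {path: hits} for every file that meets the threshold."""
    flagged: dict[str, dict[str, list[int]]] = {}
    for p in paths:
        hits = find_markers(Path(p).read_bytes())
        if len(hits) >= MIN_DISTINCT_MARKERS:
            flagged[str(p)] = hits
    return flagged


# Constructed sample buffers (not real dumps): one modelled on the metadata
# string fragment the report shows, padded with filler and with the DLL name
# stored as UTF-16LE; one benign buffer that mentions a single identifier.
SAMPLE_MALICIOUS = (
    b"\x00" * 64
    + b"IClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHost"
    + b"NanoCore.ClientPluginHost"
    + b"\x00" * 32
    + "ClientPlugin.dll".encode("utf-16-le")
)
SAMPLE_BENIGN = b"hello world " + "NanoCore.ClientPluginHost".encode("utf-16-le")

if __name__ == "__main__":
    for name, buf in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        hits = find_markers(buf)
        print(f"{name}: {len(hits)} distinct markers, flagged={is_nanocore_like(buf)}")
        for marker, offsets in hits.items():
            print(f"  {marker} @ {offsets}")
```

Run it as a script to see the per-marker offsets for the two constructed buffers, or call `scan_paths()` on a directory of exported dumps. The threshold is what keeps this from being a plain grep: a single identifier in memory can come from a security product or a string table, whereas several of the plugin-host interface names together are characteristic of the loaded ClientPlugin assembly that the report's own Yara matches and string findings point at.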

      Remote Access Functionality:

      Detected Nanocore Rat
      Source: Purchase Order.exe, 00000000.00000002.261218037.00000000040E1000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: Purchase Order.exe | String found in binary or memory: NanoCore.ClientPluginHost
      Source: Purchase Order.exe, 00000003.00000002.516783135.0000000005C30000.00000004.00020000.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: Purchase Order.exe, 00000007.00000002.293600942.0000000003B31000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: Purchase Order.exe, 0000000E.00000000.290105146.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: Purchase Order.exe, 0000000E.00000002.305808689.0000000004611000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSys
tem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Yara detected Nanocore RAT
Source: Yara match | File source: 14.0.Purchase Order.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.Purchase Order.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.Purchase Order.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.Purchase Order.exe.3c2c7c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.Purchase Order.exe.4659c7e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Purchase Order.exe.44530dd.16.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.Purchase Order.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.Purchase Order.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Purchase Order.exe.4467a90.15.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Purchase Order.exe.41dc7c0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.Purchase Order.exe.46630dd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.Purchase Order.exe.3c2c7c0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Purchase Order.exe.485a831.25.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Purchase Order.exe.4467a90.15.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.Purchase Order.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Purchase Order.exe.4856208.24.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Purchase Order.exe.446c0b9.14.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.Purchase Order.exe.465eab4.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.Purchase Order.exe.465eab4.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Purchase Order.exe.5ff0000.29.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Purchase Order.exe.4235b58.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Purchase Order.exe.42b7f68.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Purchase Order.exe.48513d2.23.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Purchase Order.exe.5ff4629.28.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.Purchase Order.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.Purchase Order.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.Purchase Order.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.Purchase Order.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Purchase Order.exe.4856208.24.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Purchase Order.exe.5ff0000.29.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Purchase Order.exe.4676f19.19.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Purchase Order.exe.41dc7c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Purchase Order.exe.469777e.17.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Purchase Order.exe.468314d.18.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.514093712.0000000004451000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.290105146.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.304942297.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.509365335.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.288438984.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.288897596.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.514370660.0000000004632000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.305808689.0000000004611000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.256909060.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.258283803.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.305776301.0000000003611000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.261218037.00000000040E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.257814909.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.517345477.0000000005FF0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.289395103.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.514554854.0000000004851000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.257324506.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.293600942.0000000003B31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Purchase Order.exe PID: 4948, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Purchase Order.exe PID: 2840, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Purchase Order.exe PID: 4576, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Purchase Order.exe PID: 5872, type: MEMORYSTR
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_05320E9E bind,
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_05320A8E listen,
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_05320E6B bind,
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_05320A50 listen,
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 3_2_0576275A bind,
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 3_2_05762708 bind,
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 7_2_027B0FC6 bind,
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 7_2_027B0A8E listen,
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 7_2_027B0A50 listen,
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 7_2_027B0F93 bind,

      Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scheduled Task/Job1 | Scheduled Task/Job1 | Access Token Manipulation1 | Disable or Modify Tools1 | Input Capture11 | System Time Discovery1 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection112 | Deobfuscate/Decode Files or Information1 | LSASS Memory | Account Discovery1 | Remote Desktop Protocol | Input Capture11 | Exfiltration Over Bluetooth | Encrypted Channel1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Scheduled Task/Job1 | Obfuscated Files or Information3 | Security Account Manager | File and Directory Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Standard Port1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing13 | NTDS | System Information Discovery14 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Remote Access Software1 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Timestomp1 | LSA Secrets | Security Software Discovery21 | SSH | Keylogging | Data Transfer Size Limits | Non-Application Layer Protocol1 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading1 | Cached Domain Credentials | Process Discovery2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Application Layer Protocol21 | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion21 | DCSync | Virtualization/Sandbox Evasion21 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation1 | Proc Filesystem | Application Window Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection112 | /etc/passwd and /etc/shadow | System Owner/User Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

      Behavior Graph

Behavior Graph ID: 526911 | Sample: Purchase Order.exe | Startdate: 23/11/2021 | Architecture: WINDOWS | Score: 100

Start
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 17 other signatures
  -> Purchase Order.exe 8 (started)
       Dropped: C:\Users\user\AppData\...\sWTAwlQUDpm.exe, PE32
       Dropped: C:\Users\user\AppData\Local\...\tmpFF67.tmp, XML
       Dropped: C:\Users\user\...\Purchase Order.exe.log, ASCII
       Signature: Injects a PE file into a foreign processes
       -> Purchase Order.exe 12 (started)
            DNS/IP: billie4.ddns.net 194.5.97.210, ports 49689, 49691, 49694, DANILENKODE, Netherlands
            DNS/IP: 192.168.2.1 unknown unknown
            Dropped: C:\Users\user\AppData\Roaming\...\run.dat, data
            -> schtasks.exe 1 (started)
                 -> conhost.exe (started)
       -> schtasks.exe 1 (started)
            -> conhost.exe (started)
  -> Purchase Order.exe 6 (started)
       -> schtasks.exe 1 (started)
            -> conhost.exe (started)
       -> Purchase Order.exe 2 (started)

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

Source | Detection | Scanner | Label
Purchase Order.exe | 11% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
Purchase Order.exe | 100% | Joe Sandbox ML |

      Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\sWTAwlQUDpm.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\sWTAwlQUDpm.exe | 24% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

      Unpacked PE Files

Source | Detection | Scanner | Label
14.0.Purchase Order.exe.400000.10.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
14.0.Purchase Order.exe.400000.12.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
14.0.Purchase Order.exe.400000.4.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
3.2.Purchase Order.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
3.0.Purchase Order.exe.400000.6.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
3.0.Purchase Order.exe.400000.10.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
14.2.Purchase Order.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
3.0.Purchase Order.exe.400000.4.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
3.0.Purchase Order.exe.400000.12.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
3.2.Purchase Order.exe.5ff0000.29.unpack | 100% | Avira | TR/NanoCore.fadte
3.0.Purchase Order.exe.400000.8.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
14.0.Purchase Order.exe.400000.8.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
14.0.Purchase Order.exe.400000.6.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

      Domains

Source | Detection | Scanner | Label
billie4.ddns.net | 2% | Virustotal |

      URLs


      Domains and IPs

      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
billie4.ddns.net | 194.5.97.210 | true | true | | unknown

      Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
 | true | Avira URL Cloud: safe | low
billie4.ddns.net | true | Avira URL Cloud: safe | unknown

      URLs from Memory and Binaries

                            • Avira URL Cloud: safe
                            unknown

                            Contacted IPs


                            Public

IP:194.5.97.210
Domain:billie4.ddns.net
Country:Netherlands
ASN:208476
ASN Name:DANILENKODE
Malicious:true

                            Private

                            IP
                            192.168.2.1

                            General Information

                            Joe Sandbox Version:34.0.0 Boulder Opal
                            Analysis ID:526911
                            Start date:23.11.2021
                            Start time:07:43:08
                            Joe Sandbox Product:CloudBasic
                            Overall analysis duration:0h 11m 54s
                            Hypervisor based Inspection enabled:false
                            Report type:light
                            Sample file name:Purchase Order.exe
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:25
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • HDC enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Detection:MAL
                            Classification:mal100.troj.evad.winEXE@15/10@20/2
                            EGA Information:Failed
                            HDC Information:Failed
                            HCA Information:
                            • Successful, ratio: 97%
                            • Number of executed functions: 0
                            • Number of non-executed functions: 0
                            Cookbook Comments:
                            • Adjust boot time
                            • Enable AMSI
                            • Found application associated with file extension: .exe
                            Warnings:
                            • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, dllhost.exe, UpdateNotificationMgr.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                            • TCP Packets have been reduced to 100
                            • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, go.microsoft.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com
• Not all processes were analyzed; report is missing behavior information
                            • Report size exceeded maximum capacity and may have missing behavior information.
                            • Report size exceeded maximum capacity and may have missing disassembly code.
                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.

                            Simulations

                            Behavior and APIs

Time:07:44:07
Type:API Interceptor
Description:2x Sleep call for process: Purchase Order.exe modified

Time:07:44:15
Type:Task Scheduler
Description:Run new task: DHCP Monitor path: "C:\Users\user\Desktop\Purchase Order.exe" s>$(Arg0)

                            Joe Sandbox View / Context

                            IPs

Match:194.5.97.210
Associated Sample Name / URL:10377 APT800_B0205K0384.exe (Detection: malicious)
Associated Sample Name / URL:PO-10377.exe (Detection: malicious)
Associated Sample Name / URL:Purchase Order_PO226520_1632165053105.exe (Detection: malicious)

                                  Domains

                                  No context

                                  ASN

Match:DANILENKODE
Associated Sample Name / URL:PURCHASE ORDER EXPORT1024MG97364032 SCANNED DOC_pdf.exe (Detection: malicious)
• 194.5.98.48
Associated Sample Name / URL:purchase order Nl32855 (1).exe (Detection: malicious)
• 194.5.98.139
Associated Sample Name / URL:8mTwU7uNFV.exe (Detection: malicious)
• 194.5.97.131
Associated Sample Name / URL:KNpmkMT5f3.exe (Detection: malicious)
• 194.5.98.12
Associated Sample Name / URL:scvRj4lo1E.exe (Detection: malicious)
• 194.5.98.11
Associated Sample Name / URL:#RFQ ORDER484425083-NJ.exe (Detection: malicious)
• 194.5.98.120
Associated Sample Name / URL:RzUbuIerbF.exe (Detection: malicious)
• 194.5.97.207
Associated Sample Name / URL:SIGNED_COPY_IMG_ORDER_...REQUEST_IMG_123456.exe (Detection: malicious)
• 194.5.98.5
Associated Sample Name / URL:NOA MU21S0029729.exe (Detection: malicious)
• 194.5.97.207
Associated Sample Name / URL:New purchase order 4940009190,pdf.exe (Detection: malicious)
• 194.5.97.23
Associated Sample Name / URL:Fattura_del_cliente_V406307-scan.exe (Detection: malicious)
• 194.5.97.165
Associated Sample Name / URL:ML822VOG-R11.doc (Detection: malicious)
• 194.5.97.131
Associated Sample Name / URL:6Xzgfme0z6.exe (Detection: malicious)
• 194.5.97.131
Associated Sample Name / URL:ESTADO+10+DE+NOVIEMBRE+DE+2021-101121.pdf.js (Detection: malicious)
• 194.5.98.48
Associated Sample Name / URL:RTQFHtPW9x.exe (Detection: malicious)
• 194.5.98.107
Associated Sample Name / URL:Document#053681.exe (Detection: malicious)
• 194.5.98.204
Associated Sample Name / URL:4vo6jE1nlG.exe (Detection: malicious)
• 194.5.97.54
Associated Sample Name / URL:ORDEN DE COMPRA-PDF.exe (Detection: malicious)
• 194.5.97.149
Associated Sample Name / URL:Confirmation Transfer Copy MT102-Ref No#01018.exe (Detection: malicious)
• 194.5.98.105
Associated Sample Name / URL:Confirmation Transfer Copy MT102-Ref No-01018.exe (Detection: malicious)
• 194.5.98.105

                                  JA3 Fingerprints

                                  No context

                                  Dropped Files

                                  No context

                                  Created / dropped Files

                                  C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Purchase Order.exe.log
                                  Process:C:\Users\user\Desktop\Purchase Order.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):916
                                  Entropy (8bit):5.282390836641403
                                  Encrypted:false
                                  SSDEEP:24:MLF20NaL3z2p29hJ5g522rW2xAi3AP26K95rKoO2+g2+:MwLLD2Y9h3go2rxxAcAO6ox+g2+
                                  MD5:5AD8E7ABEADADAC4CE06FF693476581A
                                  SHA1:81E42A97BBE3D7DE8B1E8B54C2B03C48594D761E
                                  SHA-256:BAA1A28262BA27D51C3A1FA7FB0811AD1128297ABB2EDCCC785DC52667D2A6FD
                                  SHA-512:7793E78E84AD36CE65B5B1C015364E340FB9110FAF199BC0234108CE9BCB1AEDACBD25C6A012AC99740E08BEA5E5C373A88E553E47016304D8AE6AEEAB58EBFF
                                  Malicious:true
                                  Reputation:moderate, very likely benign file
                                  Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\35774dc3cd31b4550ab06c3354cf4ba5\System.Runtime.Remoting.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\de460308a9099237864d2ec2328fc958\System.Configuration.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\527c933194f3a99a816d83c619a3e1d3\System.Xml.ni.dll",0..
                                  C:\Users\user\AppData\Local\Temp\tmp2DF9.tmp
                                  Process:C:\Users\user\Desktop\Purchase Order.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1648
                                  Entropy (8bit):5.172217402109266
                                  Encrypted:false
                                  SSDEEP:24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBNOtn:cbhC7ZlNQF/rydbz9I3YODOLNdq3M
                                  MD5:0371FFF5870C0D59235E3FD3647E5538
                                  SHA1:358AA8B8346B514512F900E57C3204D77133DF2C
                                  SHA-256:C1AB5FE0B70B71F5B3890D43561AD435D9384E94293E7FB952E64414D6086A22
                                  SHA-512:DB0BD5EB36EBF58B883AD95657AA4BF552B2A5BAF6BE8B97719E8B6C85CCFA6DAB784E0798F54BBC8384128082FF009C91B2DE3A01ACC20CAE04711B76175267
                                  Malicious:false
                                  Reputation:low
                                  Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t
                                  C:\Users\user\AppData\Local\Temp\tmp5DEB.tmp
                                  Process:C:\Users\user\Desktop\Purchase Order.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1305
                                  Entropy (8bit):5.088117605128047
                                  Encrypted:false
                                  SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0PbDxtn:cbk4oL600QydbQxIYODOLedq3SPj
                                  MD5:F8DE240D4239D85AB6315F533A21B115
                                  SHA1:CFE83B8E774B9949C0E068EC7746E857628025F9
                                  SHA-256:8CE0227F4A53D2BC6D1C17C6F2B4339A93A2200E386C7CD7FB85DB365E189DA1
                                  SHA-512:D6E8560D9D08DAD33961DED978DA40ECEB3B094AFD26283AF415A382604C916D00777D73F4F8F5CEE94B50E98261F5D37A1D873F676D04EF9E00282FAF9E3FA0
                                  Malicious:false
                                  Reputation:low
                                  Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                  C:\Users\user\AppData\Local\Temp\tmpFF67.tmp
                                  Process:C:\Users\user\Desktop\Purchase Order.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1648
                                  Entropy (8bit):5.172217402109266
                                  Encrypted:false
                                  SSDEEP:24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBNOtn:cbhC7ZlNQF/rydbz9I3YODOLNdq3M
                                  MD5:0371FFF5870C0D59235E3FD3647E5538
                                  SHA1:358AA8B8346B514512F900E57C3204D77133DF2C
                                  SHA-256:C1AB5FE0B70B71F5B3890D43561AD435D9384E94293E7FB952E64414D6086A22
                                  SHA-512:DB0BD5EB36EBF58B883AD95657AA4BF552B2A5BAF6BE8B97719E8B6C85CCFA6DAB784E0798F54BBC8384128082FF009C91B2DE3A01ACC20CAE04711B76175267
                                  Malicious:true
                                  Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t
                                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                  Process:C:\Users\user\Desktop\Purchase Order.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):128
                                  Entropy (8bit):6.527114648336088
                                  Encrypted:false
                                  SSDEEP:3:XrURGizD7cnRH5/ljRAaTlKYrI1Sj9txROIsxcMek2:X4LDAn1rplKTYBROIsxek2
                                  MD5:0A9C5EAE8756D6FC90F59D8D71A79E1E
                                  SHA1:0F7D6AAED17CD18DC614535ED26335C147E29ED7
                                  SHA-256:B1921EA14C66927397BAF3FA456C22B93C30C3DE23546087C0B18551CE5001C5
                                  SHA-512:78C2F399AC49C78D89915DFF99AC955B5E0AB07BAAD61B07B0CE073C88C1D3A9F1D302C2413691B349DD34441B0FF909C08A4F71E2F1B73F46C1FF308BC7CF9A
                                  Malicious:false
                                  Preview: Gj.h\.3.A...5.x..&...i+..c(1.P.OT....g.t......'7......)..8zII..K/....n3...3.5.......&.7].)..wL...:}g...@...mV.....JUP...w
                                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                  Process:C:\Users\user\Desktop\Purchase Order.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):8
                                  Entropy (8bit):3.0
                                  Encrypted:false
                                  SSDEEP:3:0It:0Q
                                  MD5:BE3EB2224A65D1EC10EE8F55BA8B4CB1
                                  SHA1:1607DB06531CBA588752E844FB53B97A863FF4BD
                                  SHA-256:9C9D4D78A2F1EC733AEC21A6CB734BEE54C591D8F4E9A80C2994E62D8568AAE9
                                  SHA-512:572C92BBED9DC189D4CA39441F7482C56C86CD7EBEA110CE733368BB1EFC1E017F2ED2B54B90C910BA9A52620F3A571CFF5DC39224FD534530EA02230D5B1C1B
                                  Malicious:true
                                  Preview: .._....H
                                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                                  Process:C:\Users\user\Desktop\Purchase Order.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):40
                                  Entropy (8bit):5.153055907333276
                                  Encrypted:false
                                  SSDEEP:3:9bzY6oRDT6P2bfVn1:RzWDT621
                                  MD5:4E5E92E2369688041CC82EF9650EDED2
                                  SHA1:15E44F2F3194EE232B44E9684163B6F66472C862
                                  SHA-256:F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
                                  SHA-512:1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
                                  Malicious:false
                                  Preview: 9iH...}Z.4..f.~a........~.~.......3.U.
                                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                                  Process:C:\Users\user\Desktop\Purchase Order.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):367496
                                  Entropy (8bit):7.999535722214108
                                  Encrypted:true
                                  SSDEEP:6144:3rv1Xjouu5ZMQajChQSE0Rp30gbdoh5Y2cmSPCqA9BCNHku9BdFqB3GbiCX:D1TousJSafd6imJd8EeBdF7biCX
                                  MD5:4D784935677AE26ACDC3FB84FA1E6CF8
                                  SHA1:4B143D26638C2BE44BE05D862E5CD1BEA3664825
                                  SHA-256:C77E2D82DB9066E4DBFDE3AE0461A4259505F435EC0DB2CE3BD005BE0E2DE67C
                                  SHA-512:193295AB3FBCE6BA4A563DD864839F5D7A3B8F351F576DE2C85E2F3978F3E33EF22299224DFD7D2F5506A2CAFB04656E19676F28B21F19C504B2D43921063554
                                  Malicious:false
                                  Preview: ..m.....%.8C......o`.M..d....mvW5].N ...c....m.b..1^J@....M.!.aq.f....<....._..;i.1-+.wZ..C@Z...> .P9.K..[~....1.......#.Djp...q..z..HoR/..8....k.......\.7..c..]_....._F.....3Z.9U........r..8..]..%n..Q..^<s`L{. ..9.o..wU33z...hJG..!..a.?mI...}.H}...o.Zs`.....~..x....".7.{....k.>. @X.\j........57..C..f.v...:..Q<.B.o..x..s}\.`....z..E@$.!.}}.&.VI........Y.....gU..b.b..l..Bg....bh.$.....f.B...e.f...a.....v.....9..x.#.......*[......=.T#.,.6.uN.........D.jdQ..go.T..+..N.U-.w.a..6 C.5.vMy....S...V...I..:..v2..V..................G..P K.{.&............o...q......`~.i8........+k.F...o.$TP....l.......;T..3.a.u.f..)...4b...-.r.&(<....'....n.[...b....k....W.Vp..G`..~..."k....Y../l3`....u_.L...#.....;....m.cV.|.:........#..P9;....Q..*F.._%.f..0...'.z.i..#;.X=.utJ...)9".......k..E..K...\..cc-..8<..f.T!{..c....S`4{....D2..s.....)`.h.;.QQ^mP.M77.'M.....q C).l....<..]QA.,...p......4..XQ.xu.w.z..g~.%M.....D...!.h.F.$~.....n%'.lt..E...h=......).?......N.K?.M.48..
                                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                                  Process:C:\Users\user\Desktop\Purchase Order.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):42
                                  Entropy (8bit):4.2704265780462904
                                  Encrypted:false
                                  SSDEEP:3:oNUWJRW1QK4q6:oNNJAaND
                                  MD5:618AC53B37F2EB68D08319403146536E
                                  SHA1:67C1E821D177E25C98B184DAF5EBDD3F4D6690EB
                                  SHA-256:CFFFF74893EDC2CF68D57EFC43C36EDB3B01F5AA38EA574EF0BBAA7EDFCD3348
                                  SHA-512:B6B200880B4F880D22EFED2AB2A5DF6FD9D437C74BC8A4D9C29002837684773A5885C55694718D759E42758D250F4A461FEAC26636A04AFE1A6B0F9DC67E080E
                                  Malicious:false
                                  Preview: C:\Users\user\Desktop\Purchase Order.exe
                                  C:\Users\user\AppData\Roaming\sWTAwlQUDpm.exe
                                  Process:C:\Users\user\Desktop\Purchase Order.exe
                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Category:dropped
                                  Size (bytes):493568
                                  Entropy (8bit):7.678704961445741
                                  Encrypted:false
                                  SSDEEP:12288:uBbYwVLa/V7PVGjWUUrhr4MTigNFxKAHszQ0lxZ:GbYGe7uWdhM8xxtszRd
                                  MD5:3F4E18FA2E1404E2C8F7F7E58C0DAE4E
                                  SHA1:435587D7A9213B7F42086D2B39D06C90E6D8391A
                                  SHA-256:5A608E9DAF5ACA1CCF0E6EF4CDBC826A02BA11037626787D6A35D2FF08CDB08A
                                  SHA-512:985E5F971B2D53E2FF0D4A327DB326D03BF45A83A003CF841B91B42F4BF98B3A38F8CF0E6B4204AF39FFCD3BB02FF659D58B27013B78AA425B02FF0EA6B4561E
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  • Antivirus: ReversingLabs, Detection: 24%
                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zi................P..r.............. ........@.. ....................................@.................................w...O......................................8............................................ ............... ..H............text....q... ...r.................. ..`.rsrc................t..............@..@.reloc..............................@..B........................H............$..............H............................................0............(....(..........(.....o ....*.....................(!......("......(#......($......(%....*N..(....o....(&....*&..('....*.s(........s)........s*........s+........s,........*....0...........~....o-....+..*.0...........~....o.....+..*.0...........~....o/....+..*.0...........~....o0....+..*.0...........~....o1....+..*.0..<........~.....(2.....,!r...p.....(3...o4...s5............~.....+..*.0......

                                  Static File Info

                                  General

                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Entropy (8bit):7.678704961445741
                                  TrID:
                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                  • Win32 Executable (generic) a (10002005/4) 49.75%
                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                  • Windows Screen Saver (13104/52) 0.07%
                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                  File name:Purchase Order.exe
                                  File size:493568
                                  MD5:3f4e18fa2e1404e2c8f7f7e58c0dae4e
                                  SHA1:435587d7a9213b7f42086d2b39d06c90e6d8391a
                                  SHA256:5a608e9daf5aca1ccf0e6ef4cdbc826a02ba11037626787d6a35d2ff08cdb08a
                                  SHA512:985e5f971b2d53e2ff0d4a327db326d03bf45a83a003cf841b91b42f4bf98b3a38f8cf0e6b4204af39ffcd3bb02ff659d58b27013b78aa425b02ff0ea6b4561e
                                  SSDEEP:12288:uBbYwVLa/V7PVGjWUUrhr4MTigNFxKAHszQ0lxZ:GbYGe7uWdhM8xxtszRd
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zi................P..r............... ........@.. ....................................@................................

                                  File Icon

                                  Icon Hash:00828e8e8686b000

                                  Static PE Info

                                  General

                                  Entrypoint:0x4791ca
                                  Entrypoint Section:.text
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                  Time Stamp:0x8E9F697A [Sat Oct 28 13:58:18 2045 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:v2.0.50727
                                  OS Version Major:4
                                  OS Version Minor:0
                                  File Version Major:4
                                  File Version Minor:0
                                  Subsystem Version Major:4
                                  Subsystem Version Minor:0
                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                  Entrypoint Preview

                                  Instruction
                                  jmp dword ptr [00402000h]
                                  add byte ptr [eax], al   (repeated 97 times: the rest of the preview is 00 00 padding, which disassembles as this instruction)

                                  Data Directories

                                  Name                                 Virtual Address  Virtual Size  Is in Section
                                  IMAGE_DIRECTORY_ENTRY_EXPORT         0x0              0x0
                                  IMAGE_DIRECTORY_ENTRY_IMPORT         0x79177          0x4f          .text
                                  IMAGE_DIRECTORY_ENTRY_RESOURCE       0x7a000          0x1114        .rsrc
                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION      0x0              0x0
                                  IMAGE_DIRECTORY_ENTRY_SECURITY       0x0              0x0
                                  IMAGE_DIRECTORY_ENTRY_BASERELOC      0x7c000          0xc           .reloc
                                  IMAGE_DIRECTORY_ENTRY_DEBUG          0x790d8          0x38          .text
                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT      0x0              0x0
                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR      0x0              0x0
                                  IMAGE_DIRECTORY_ENTRY_TLS            0x0              0x0
                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    0x0              0x0
                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   0x0              0x0
                                  IMAGE_DIRECTORY_ENTRY_IAT            0x2000           0x8           .text
                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   0x0              0x0
                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 0x2008           0x48          .text
                                  IMAGE_DIRECTORY_ENTRY_RESERVED       0x0              0x0

                                  Sections

                                  Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
                                  .text   0x2000           0x771d0       0x77200   False     0.86247786595    data       7.69202666714   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                  .rsrc   0x7a000          0x1114        0x1200    False     0.381076388889   data       4.9255976369    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                  .reloc  0x7c000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                  An entropy of 7.69 bits per byte in .text, against a maximum of 8.0, means nearly the whole code section is compressed or encrypted data rather than plain CIL, which is what a .NET loader carrying an embedded payload looks like. The 0xc-byte .reloc section holds the single base relocation a managed executable needs, for the operand of the entry-point jmp.

                                  Resources

                                  Name         RVA      Size   Type                                                                              Language  Country
                                  RT_VERSION   0x7a090  0x348  data
                                  RT_MANIFEST  0x7a3e8  0xd25  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators

                                  Imports

                                  DLL          Import
                                  mscoree.dll  _CorExeMain
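The static tables above (entry-point preview, data directories, sections, imports) fit together in a way that can be checked mechanically. The following Python script is an added example, not sandbox output and not code from the sample: it reconstructs the entry bytes from the disassembly (FF 25 is `jmp dword ptr [imm32]`, 00 00 is `add byte ptr [eax], al`), decodes the indirect jmp, derives the preferred image base from the IAT RVA, verifies the CLR header size and the lone mscoree import, and flags executable sections whose entropy is near 8. The RVAs, sizes and entropy values are copied from the tables; the winnt.h flag values, the 0x48 CLR header size and the 7.0 entropy threshold are this example's own.

```python
"""Static triage of a .NET PE loader stub (added example, not from the report)."""
import math
from collections import Counter

# PE section characteristic flags (winnt.h)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000

SIZEOF_IMAGE_COR20_HEADER = 0x48  # the CLR header the COM descriptor directory points at

# Reconstructed from "jmp dword ptr [00402000h]" followed by 97 x "add byte ptr [eax], al".
ENTRY_CODE = bytes([0xFF, 0x25, 0x00, 0x20, 0x40, 0x00]) + bytes(2 * 97)

# Copied from the report's Data Directories and Imports tables.
IAT_RVA, IAT_SIZE = 0x2000, 0x8
COM_DESCRIPTOR_RVA, COM_DESCRIPTOR_SIZE = 0x2008, 0x48
IMPORTS = [("mscoree.dll", "_CorExeMain")]

# Copied from the report's Sections table: (name, characteristics, entropy).
SECTIONS = [
    (".text", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ, 7.69202666714),
    (".rsrc", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ, 4.9255976369),
    (".reloc", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_READ,
     0.101910425663),
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (constant) to 8.0 (uniform): what the Entropy column measures."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def decode_jmp_indirect(code: bytes) -> int:
    """Decode `FF 25 disp32` (jmp dword ptr [abs32]) and return the address it dereferences."""
    if len(code) < 6 or code[0] != 0xFF or code[1] != 0x25:
        raise ValueError("entry point does not start with an FF 25 indirect jmp")
    return int.from_bytes(code[2:6], "little")


def check_dotnet_stub(entry_code, iat_rva, iat_size, com_descriptor_size, imports):
    """Cross-check the pieces that make up a managed EXE's native stub.

    The stub jumps through the single IAT slot holding _CorExeMain, so the jmp
    operand minus the IAT RVA is the preferred image base the linker used.
    """
    target = decode_jmp_indirect(entry_code)
    implied_base = target - iat_rva
    checks = {
        "image_base_64k_aligned": implied_base % 0x10000 == 0,
        "iat_single_slot": iat_size == 8,  # one 4-byte slot + 4-byte terminator (PE32)
        "clr_header_size_ok": com_descriptor_size == SIZEOF_IMAGE_COR20_HEADER,
        "imports_only_corexemain": set(imports) == {("mscoree.dll", "_CorExeMain")},
        "padding_after_jmp_is_zero": not any(entry_code[6:]),
    }
    return {"jmp_target": target, "implied_image_base": implied_base,
            "is_managed_exe": all(checks.values()), **checks}


def packed_code_sections(sections, threshold=7.0):
    """Names of executable sections whose entropy exceeds `threshold` (assumed cut-off)."""
    return [name for name, flags, h in sections
            if flags & IMAGE_SCN_MEM_EXECUTE and h > threshold]


if __name__ == "__main__":
    print(check_dotnet_stub(ENTRY_CODE, IAT_RVA, IAT_SIZE, COM_DESCRIPTOR_SIZE, IMPORTS))
    print("high-entropy code sections:", packed_code_sections(SECTIONS))
```

For this sample the jmp target 0x402000 minus the IAT RVA 0x2000 gives 0x400000, the usual linker default for a 32-bit EXE; the runtime Imagebase reported in the process list below differs because the loader relocated the image, which is exactly what the one-entry .reloc section is for.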

                                  Version Infos

                                  Description       Data
                                  Translation       0x0000 0x04b0
                                  LegalCopyright    Copyright 2021 Marko Paakkunainen
                                  Assembly Version  1.0.0.0
                                  InternalName      eQAUd3.exe
                                  FileVersion       1.0.0.0
                                  CompanyName
                                  LegalTrademarks
                                  Comments
                                  ProductName       RETRO Plugin
                                  ProductVersion    1.0.0.0
                                  FileDescription   RETRO Plugin
                                  OriginalFilename  eQAUd3.exe

                                  Network Behavior

                                  Snort IDS Alerts

                                  Timestamp                 Protocol  SID      Message                                                       Src Port  Dst Port  Source IP    Dest IP
                                  11/23/21-07:44:17.237267  UDP       254      DNS SPOOF query response with TTL of 1 min. and no authority  53        52480     8.8.8.8      192.168.2.5
                                  11/23/21-07:44:22.918501  UDP       254      DNS SPOOF query response with TTL of 1 min. and no authority  53        51165     8.8.8.8      192.168.2.5
                                  11/23/21-07:44:28.415590  UDP       254      DNS SPOOF query response with TTL of 1 min. and no authority  53        57587     8.8.8.8      192.168.2.5
                                  11/23/21-07:44:39.605379  UDP       254      DNS SPOOF query response with TTL of 1 min. and no authority  53        64936     8.8.8.8      192.168.2.5
                                  11/23/21-07:44:50.649318  UDP       254      DNS SPOOF query response with TTL of 1 min. and no authority  53        54302     8.8.8.8      192.168.2.5
                                  11/23/21-07:45:01.674443  UDP       254      DNS SPOOF query response with TTL of 1 min. and no authority  53        65307     8.8.8.8      192.168.2.5
                                  11/23/21-07:45:29.342544  UDP       254      DNS SPOOF query response with TTL of 1 min. and no authority  53        65447     8.8.8.8      192.168.2.5
                                  11/23/21-07:45:46.116939  UDP       254      DNS SPOOF query response with TTL of 1 min. and no authority  53        63183     8.8.8.8      192.168.2.5
                                  11/23/21-07:45:51.703391  UDP       254      DNS SPOOF query response with TTL of 1 min. and no authority  53        60151     8.8.8.8      192.168.2.5
                                  11/23/21-07:46:03.029157  TCP       2025019  ET TROJAN Possible NanoCore C2 60B                            49717     6272      192.168.2.5  194.5.97.210

                                  Snort SID 254 is an old community DNS rule that matches any answer carrying a 60-second TTL and no authority records; dynamic-DNS hostnames such as *.ddns.net are normally served with exactly that TTL, so the nine UDP alerts are expected noise rather than evidence of spoofing. The actionable alert is the last row, ET 2025019, on the client's TCP connection to 194.5.97.210:6272.

                                  Network Port Distribution

                                  TCP Packets

                                  Timestamp                            Src Port  Dst Port  Source IP     Dest IP
                                  Nov 23, 2021 07:44:17.389962912 CET  49689     6272      192.168.2.5   194.5.97.210
                                  Nov 23, 2021 07:44:17.538707018 CET  6272      49689     194.5.97.210  192.168.2.5
                                  Nov 23, 2021 07:44:18.061567068 CET  49689     6272      192.168.2.5   194.5.97.210
                                  Nov 23, 2021 07:44:18.210715055 CET  6272      49689     194.5.97.210  192.168.2.5
                                  Nov 23, 2021 07:44:18.717730045 CET  49689     6272      192.168.2.5   194.5.97.210
                                  Nov 23, 2021 07:44:18.866449118 CET  6272      49689     194.5.97.210  192.168.2.5
                                  Nov 23, 2021 07:44:22.922355890 CET  49691     6272      192.168.2.5   194.5.97.210
                                  Nov 23, 2021 07:44:23.070617914 CET  6272      49691     194.5.97.210  192.168.2.5
                                  Nov 23, 2021 07:44:23.577513933 CET  49691     6272      192.168.2.5   194.5.97.210
                                  Nov 23, 2021 07:44:23.726269960 CET  6272      49691     194.5.97.210  192.168.2.5
                                  Nov 23, 2021 07:44:24.233894110 CET  49691     6272      192.168.2.5   194.5.97.210
                                  Nov 23, 2021 07:44:24.382631063 CET  6272      49691     194.5.97.210  192.168.2.5
                                  Nov 23, 2021 07:44:28.417042017 CET  49694     6272      192.168.2.5   194.5.97.210
                                  Nov 23, 2021 07:44:28.566623926 CET  6272      49694     194.5.97.210  192.168.2.5
                                  Nov 23, 2021 07:44:29.077970982 CET  49694     6272      192.168.2.5   194.5.97.210
                                  Nov 23, 2021 07:44:29.226653099 CET  6272      49694     194.5.97.210  192.168.2.5
                                  Nov 23, 2021 07:44:29.734330893 CET  49694     6272      192.168.2.5   194.5.97.210
                                  Nov 23, 2021 07:44:29.894108057 CET  6272      49694     194.5.97.210  192.168.2.5
                                  Nov 23, 2021 07:44:34.075227022 CET  49696     6272      192.168.2.5   194.5.97.210
                                  Nov 23, 2021 07:44:34.224206924 CET  6272      49696     194.5.97.210  192.168.2.5
                                  Nov 23, 2021 07:44:34.734749079 CET  49696     6272      192.168.2.5   194.5.97.210
                                  Nov 23, 2021 07:44:34.883861065 CET  6272      49696     194.5.97.210  192.168.2.5
                                  Nov 23, 2021 07:44:35.391036987 CET  49696     6272      192.168.2.5   194.5.97.210
                                  Nov 23, 2021 07:44:35.539808035 CET  6272      49696     194.5.97.210  192.168.2.5
                                  Nov 23, 2021 07:44:39.607939005 CET  49697     6272      192.168.2.5   194.5.97.210
                                  Nov 23, 2021 07:44:39.756625891 CET  6272      49697     194.5.97.210  192.168.2.5
                                  Nov 23, 2021 07:44:40.266534090 CET  49697     6272      192.168.2.5   194.5.97.210
                                  Nov 23, 2021 07:44:40.415079117 CET  6272      49697     194.5.97.210  192.168.2.5
                                  Nov 23, 2021 07:44:40.922837973 CET  49697     6272      192.168.2.5   194.5.97.210
                                  Nov 23, 2021 07:44:41.071589947 CET  6272      49697     194.5.97.210  192.168.2.5
                                  Nov 23, 2021 07:44:45.102241993 CET  49698     6272      192.168.2.5   194.5.97.210
                                  Nov 23, 2021 07:44:45.251132965 CET  6272      49698     194.5.97.210  192.168.2.5
                                  Nov 23, 2021 07:44:45.752711058 CET  49698     6272      192.168.2.5   194.5.97.210
                                  Nov 23, 2021 07:44:45.901335001 CET  6272      49698     194.5.97.210  192.168.2.5
                                  Nov 23, 2021 07:44:46.407705069 CET  49698     6272      192.168.2.5   194.5.97.210
                                  Nov 23, 2021 07:44:46.556601048 CET  6272      49698     194.5.97.210  192.168.2.5
                                  Nov 23, 2021 07:44:50.652089119 CET  49700     6272      192.168.2.5   194.5.97.210
                                  Nov 23, 2021 07:44:50.800879002 CET  6272      49700     194.5.97.210  192.168.2.5
                                  Nov 23, 2021 07:44:51.314444065 CET  49700     6272      192.168.2.5   194.5.97.210
                                  Nov 23, 2021 07:44:51.463077068 CET  6272      49700     194.5.97.210  192.168.2.5
                                  Nov 23, 2021 07:44:51.970632076 CET  49700     6272      192.168.2.5   194.5.97.210
                                  Nov 23, 2021 07:44:52.119189024 CET  6272      49700     194.5.97.210  192.168.2.5
                                  Nov 23, 2021 07:44:56.179426908 CET  49701     6272      192.168.2.5   194.5.97.210
                                  Nov 23, 2021 07:44:56.328674078 CET  6272      49701     194.5.97.210  192.168.2.5
                                  Nov 23, 2021 07:44:56.830353975 CET  49701     6272      192.168.2.5   194.5.97.210
                                  Nov 23, 2021 07:44:56.979824066 CET  6272      49701     194.5.97.210  192.168.2.5
                                  Nov 23, 2021 07:44:57.486665010 CET  49701     6272      192.168.2.5   194.5.97.210
                                  Nov 23, 2021 07:44:57.635464907 CET  6272      49701     194.5.97.210  192.168.2.5
                                  Nov 23, 2021 07:45:01.677175045 CET  49702     6272      192.168.2.5   194.5.97.210
                                  Nov 23, 2021 07:45:01.826018095 CET  6272      49702     194.5.97.210  192.168.2.5
                                  Nov 23, 2021 07:45:02.331011057 CET  49702     6272      192.168.2.5   194.5.97.210
                                  Nov 23, 2021 07:45:02.480120897 CET  6272      49702     194.5.97.210  192.168.2.5
                                  Nov 23, 2021 07:45:02.987204075 CET  49702     6272      192.168.2.5   194.5.97.210
                                  Nov 23, 2021 07:45:03.136143923 CET  6272      49702     194.5.97.210  192.168.2.5
                                  Nov 23, 2021 07:45:07.201742887 CET  49703     6272      192.168.2.5   194.5.97.210
                                  Nov 23, 2021 07:45:07.350267887 CET  6272      49703     194.5.97.210  192.168.2.5
                                  Nov 23, 2021 07:45:07.862571955 CET  49703     6272      192.168.2.5   194.5.97.210
                                  Nov 23, 2021 07:45:08.011409998 CET  6272      49703     194.5.97.210  192.168.2.5
                                  Nov 23, 2021 07:45:08.518870115 CET  49703     6272      192.168.2.5   194.5.97.210
                                  Nov 23, 2021 07:45:08.667947054 CET  6272      49703     194.5.97.210  192.168.2.5
                                  Nov 23, 2021 07:45:12.794691086 CET  49704     6272      192.168.2.5   194.5.97.210
                                  Nov 23, 2021 07:45:12.943517923 CET  6272      49704     194.5.97.210  192.168.2.5
                                  Nov 23, 2021 07:45:13.456767082 CET  49704     6272      192.168.2.5   194.5.97.210
                                  Nov 23, 2021 07:45:13.605420113 CET  6272      49704     194.5.97.210  192.168.2.5
                                  Nov 23, 2021 07:45:14.113226891 CET  49704     6272      192.168.2.5   194.5.97.210
                                  Nov 23, 2021 07:45:14.261835098 CET  6272      49704     194.5.97.210  192.168.2.5
                                  Nov 23, 2021 07:45:18.296304941 CET  49705     6272      192.168.2.5   194.5.97.210
                                  Nov 23, 2021 07:45:18.447422981 CET  6272      49705     194.5.97.210  192.168.2.5
                                  Nov 23, 2021 07:45:18.958446980 CET  49705     6272      192.168.2.5   194.5.97.210
                                  Nov 23, 2021 07:45:19.107242107 CET  6272      49705     194.5.97.210  192.168.2.5
                                  Nov 23, 2021 07:45:19.613521099 CET  49705     6272      192.168.2.5   194.5.97.210
                                  Nov 23, 2021 07:45:19.762224913 CET  6272      49705     194.5.97.210  192.168.2.5
                                  Nov 23, 2021 07:45:23.850714922 CET  49707     6272      192.168.2.5   194.5.97.210
                                  Nov 23, 2021 07:45:23.999031067 CET  6272      49707     194.5.97.210  192.168.2.5
                                  Nov 23, 2021 07:45:24.504596949 CET  49707     6272      192.168.2.5   194.5.97.210
                                  Nov 23, 2021 07:45:24.653172016 CET  6272      49707     194.5.97.210  192.168.2.5
                                  Nov 23, 2021 07:45:25.160947084 CET  49707     6272      192.168.2.5   194.5.97.210
                                  Nov 23, 2021 07:45:25.309812069 CET  6272      49707     194.5.97.210  192.168.2.5
                                  Nov 23, 2021 07:45:29.344146013 CET  49709     6272      192.168.2.5   194.5.97.210
                                  Nov 23, 2021 07:45:29.493128061 CET  6272      49709     194.5.97.210  192.168.2.5
                                  Nov 23, 2021 07:45:30.005127907 CET  49709     6272      192.168.2.5   194.5.97.210
                                  Nov 23, 2021 07:45:30.154444933 CET  6272      49709     194.5.97.210  192.168.2.5
                                  Nov 23, 2021 07:45:30.661555052 CET  49709     6272      192.168.2.5   194.5.97.210
                                  Nov 23, 2021 07:45:30.810309887 CET  6272      49709     194.5.97.210  192.168.2.5
                                  Nov 23, 2021 07:45:34.956475973 CET  49710     6272      192.168.2.5   194.5.97.210
                                  Nov 23, 2021 07:45:35.105833054 CET  6272      49710     194.5.97.210  192.168.2.5
                                  Nov 23, 2021 07:45:35.614928961 CET  49710     6272      192.168.2.5   194.5.97.210
                                  Nov 23, 2021 07:45:35.763436079 CET  6272      49710     194.5.97.210  192.168.2.5
                                  Nov 23, 2021 07:45:36.271358013 CET  49710     6272      192.168.2.5   194.5.97.210
                                  Nov 23, 2021 07:45:36.421082020 CET  6272      49710     194.5.97.210  192.168.2.5
                                  Nov 23, 2021 07:45:40.481812000 CET  49711     6272      192.168.2.5   194.5.97.210
                                  Nov 23, 2021 07:45:40.630515099 CET  6272      49711     194.5.97.210  192.168.2.5
                                  Nov 23, 2021 07:45:41.130990028 CET  49711     6272      192.168.2.5   194.5.97.210
                                  Nov 23, 2021 07:45:41.279831886 CET  6272      49711     194.5.97.210  192.168.2.5
                                  Nov 23, 2021 07:45:41.787435055 CET  49711     6272      192.168.2.5   194.5.97.210
                                  Nov 23, 2021 07:45:41.936064005 CET  6272      49711     194.5.97.210  192.168.2.5
                                  Nov 23, 2021 07:45:46.118077993 CET  49714     6272      192.168.2.5   194.5.97.210
                                  Nov 23, 2021 07:45:46.267226934 CET  6272      49714     194.5.97.210  192.168.2.5
                                  Nov 23, 2021 07:45:46.787795067 CET  49714     6272      192.168.2.5   194.5.97.210
                                  Nov 23, 2021 07:45:46.936563015 CET  6272      49714     194.5.97.210  192.168.2.5

                                  UDP Packets

                                  Timestamp                            Src Port  Dst Port  Source IP    Dest IP
                                  Nov 23, 2021 07:44:17.215949059 CET  52480     53        192.168.2.5  8.8.8.8
                                  Nov 23, 2021 07:44:17.237267017 CET  53        52480     8.8.8.8      192.168.2.5
                                  Nov 23, 2021 07:44:22.896964073 CET  51165     53        192.168.2.5  8.8.8.8
                                  Nov 23, 2021 07:44:22.918500900 CET  53        51165     8.8.8.8      192.168.2.5
                                  Nov 23, 2021 07:44:28.394016981 CET  57587     53        192.168.2.5  8.8.8.8
                                  Nov 23, 2021 07:44:28.415590048 CET  53        57587     8.8.8.8      192.168.2.5
                                  Nov 23, 2021 07:44:34.027271986 CET  55432     53        192.168.2.5  8.8.8.8
                                  Nov 23, 2021 07:44:34.048892975 CET  53        55432     8.8.8.8      192.168.2.5
                                  Nov 23, 2021 07:44:39.583848953 CET  64936     53        192.168.2.5  8.8.8.8
                                  Nov 23, 2021 07:44:39.605379105 CET  53        64936     8.8.8.8      192.168.2.5
                                  Nov 23, 2021 07:44:45.083228111 CET  52704     53        192.168.2.5  8.8.8.8
                                  Nov 23, 2021 07:44:45.100925922 CET  53        52704     8.8.8.8      192.168.2.5
                                  Nov 23, 2021 07:44:50.627996922 CET  54302     53        192.168.2.5  8.8.8.8
                                  Nov 23, 2021 07:44:50.649317980 CET  53        54302     8.8.8.8      192.168.2.5
                                  Nov 23, 2021 07:44:56.151756048 CET  53784     53        192.168.2.5  8.8.8.8
                                  Nov 23, 2021 07:44:56.171714067 CET  53        53784     8.8.8.8      192.168.2.5
                                  Nov 23, 2021 07:45:01.652332067 CET  65307     53        192.168.2.5  8.8.8.8
                                  Nov 23, 2021 07:45:01.674443007 CET  53        65307     8.8.8.8      192.168.2.5
                                  Nov 23, 2021 07:45:07.180596113 CET  64344     53        192.168.2.5  8.8.8.8
                                  Nov 23, 2021 07:45:07.198613882 CET  53        64344     8.8.8.8      192.168.2.5
                                  Nov 23, 2021 07:45:12.773217916 CET  62060     53        192.168.2.5  8.8.8.8
                                  Nov 23, 2021 07:45:12.793133020 CET  53        62060     8.8.8.8      192.168.2.5
                                  Nov 23, 2021 07:45:18.275168896 CET  61805     53        192.168.2.5  8.8.8.8
                                  Nov 23, 2021 07:45:18.294912100 CET  53        61805     8.8.8.8      192.168.2.5
                                  Nov 23, 2021 07:45:23.829754114 CET  49557     53        192.168.2.5  8.8.8.8
                                  Nov 23, 2021 07:45:23.849181890 CET  53        49557     8.8.8.8      192.168.2.5
                                  Nov 23, 2021 07:45:29.321582079 CET  65447     53        192.168.2.5  8.8.8.8
                                  Nov 23, 2021 07:45:29.342544079 CET  53        65447     8.8.8.8      192.168.2.5
                                  Nov 23, 2021 07:45:34.933257103 CET  52441     53        192.168.2.5  8.8.8.8
                                  Nov 23, 2021 07:45:34.953414917 CET  53        52441     8.8.8.8      192.168.2.5
                                  Nov 23, 2021 07:45:40.460719109 CET  62176     53        192.168.2.5  8.8.8.8
                                  Nov 23, 2021 07:45:40.480710030 CET  53        62176     8.8.8.8      192.168.2.5
                                  Nov 23, 2021 07:45:46.097528934 CET  63183     53        192.168.2.5  8.8.8.8
                                  Nov 23, 2021 07:45:46.116939068 CET  53        63183     8.8.8.8      192.168.2.5
                                  Nov 23, 2021 07:45:51.681828022 CET  60151     53        192.168.2.5  8.8.8.8
                                  Nov 23, 2021 07:45:51.703391075 CET  53        60151     8.8.8.8      192.168.2.5
                                  Nov 23, 2021 07:45:57.295866966 CET  56969     53        192.168.2.5  8.8.8.8
                                  Nov 23, 2021 07:45:57.315715075 CET  53        56969     8.8.8.8      192.168.2.5
                                  Nov 23, 2021 07:46:02.808727026 CET  55161     53        192.168.2.5  8.8.8.8
                                  Nov 23, 2021 07:46:02.829051018 CET  53        55161     8.8.8.8      192.168.2.5

                                  DNS Queries

                                  Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name              Type            Class
                                  Nov 23, 2021 07:44:17.215949059 CET  192.168.2.5  8.8.8.8  0x9fd2    Standard query (0)  billie4.ddns.net  A (IP address)  IN (0x0001)
                                  Nov 23, 2021 07:44:22.896964073 CET  192.168.2.5  8.8.8.8  0xca47    Standard query (0)  billie4.ddns.net  A (IP address)  IN (0x0001)
                                  Nov 23, 2021 07:44:28.394016981 CET  192.168.2.5  8.8.8.8  0x8d93    Standard query (0)  billie4.ddns.net  A (IP address)  IN (0x0001)
                                  Nov 23, 2021 07:44:34.027271986 CET  192.168.2.5  8.8.8.8  0xd2b7    Standard query (0)  billie4.ddns.net  A (IP address)  IN (0x0001)
                                  Nov 23, 2021 07:44:39.583848953 CET  192.168.2.5  8.8.8.8  0x4a4b    Standard query (0)  billie4.ddns.net  A (IP address)  IN (0x0001)
                                  Nov 23, 2021 07:44:45.083228111 CET  192.168.2.5  8.8.8.8  0x2a33    Standard query (0)  billie4.ddns.net  A (IP address)  IN (0x0001)
                                  Nov 23, 2021 07:44:50.627996922 CET  192.168.2.5  8.8.8.8  0xa113    Standard query (0)  billie4.ddns.net  A (IP address)  IN (0x0001)
                                  Nov 23, 2021 07:44:56.151756048 CET  192.168.2.5  8.8.8.8  0x3363    Standard query (0)  billie4.ddns.net  A (IP address)  IN (0x0001)
                                  Nov 23, 2021 07:45:01.652332067 CET  192.168.2.5  8.8.8.8  0xa54d    Standard query (0)  billie4.ddns.net  A (IP address)  IN (0x0001)
                                  Nov 23, 2021 07:45:07.180596113 CET  192.168.2.5  8.8.8.8  0x4f38    Standard query (0)  billie4.ddns.net  A (IP address)  IN (0x0001)
                                  Nov 23, 2021 07:45:12.773217916 CET  192.168.2.5  8.8.8.8  0x1683    Standard query (0)  billie4.ddns.net  A (IP address)  IN (0x0001)
                                  Nov 23, 2021 07:45:18.275168896 CET  192.168.2.5  8.8.8.8  0x4378    Standard query (0)  billie4.ddns.net  A (IP address)  IN (0x0001)
                                  Nov 23, 2021 07:45:23.829754114 CET  192.168.2.5  8.8.8.8  0xb037    Standard query (0)  billie4.ddns.net  A (IP address)  IN (0x0001)
                                  Nov 23, 2021 07:45:29.321582079 CET  192.168.2.5  8.8.8.8  0xda8a    Standard query (0)  billie4.ddns.net  A (IP address)  IN (0x0001)
                                  Nov 23, 2021 07:45:34.933257103 CET  192.168.2.5  8.8.8.8  0x9222    Standard query (0)  billie4.ddns.net  A (IP address)  IN (0x0001)
                                  Nov 23, 2021 07:45:40.460719109 CET  192.168.2.5  8.8.8.8  0x943a    Standard query (0)  billie4.ddns.net  A (IP address)  IN (0x0001)
                                  Nov 23, 2021 07:45:46.097528934 CET  192.168.2.5  8.8.8.8  0x1852    Standard query (0)  billie4.ddns.net  A (IP address)  IN (0x0001)
                                  Nov 23, 2021 07:45:51.681828022 CET  192.168.2.5  8.8.8.8  0xf4b4    Standard query (0)  billie4.ddns.net  A (IP address)  IN (0x0001)
                                  Nov 23, 2021 07:45:57.295866966 CET  192.168.2.5  8.8.8.8  0x23c5    Standard query (0)  billie4.ddns.net  A (IP address)  IN (0x0001)
                                  Nov 23, 2021 07:46:02.808727026 CET  192.168.2.5  8.8.8.8  0x336e    Standard query (0)  billie4.ddns.net  A (IP address)  IN (0x0001)

                                  DNS Answers

                                  Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name              CName  Address       Type            Class
                                  Nov 23, 2021 07:44:17.237267017 CET  8.8.8.8    192.168.2.5  0x9fd2    No error (0)  billie4.ddns.net  -      194.5.97.210  A (IP address)  IN (0x0001)
                                  Nov 23, 2021 07:44:22.918500900 CET  8.8.8.8    192.168.2.5  0xca47    No error (0)  billie4.ddns.net  -      194.5.97.210  A (IP address)  IN (0x0001)
                                  Nov 23, 2021 07:44:28.415590048 CET  8.8.8.8    192.168.2.5  0x8d93    No error (0)  billie4.ddns.net  -      194.5.97.210  A (IP address)  IN (0x0001)
                                  Nov 23, 2021 07:44:34.048892975 CET  8.8.8.8    192.168.2.5  0xd2b7    No error (0)  billie4.ddns.net  -      194.5.97.210  A (IP address)  IN (0x0001)
                                  Nov 23, 2021 07:44:39.605379105 CET  8.8.8.8    192.168.2.5  0x4a4b    No error (0)  billie4.ddns.net  -      194.5.97.210  A (IP address)  IN (0x0001)
                                  Nov 23, 2021 07:44:45.100925922 CET  8.8.8.8    192.168.2.5  0x2a33    No error (0)  billie4.ddns.net  -      194.5.97.210  A (IP address)  IN (0x0001)
                                  Nov 23, 2021 07:44:50.649317980 CET  8.8.8.8    192.168.2.5  0xa113    No error (0)  billie4.ddns.net  -      194.5.97.210  A (IP address)  IN (0x0001)
                                  Nov 23, 2021 07:44:56.171714067 CET  8.8.8.8    192.168.2.5  0x3363    No error (0)  billie4.ddns.net  -      194.5.97.210  A (IP address)  IN (0x0001)
                                  Nov 23, 2021 07:45:01.674443007 CET  8.8.8.8    192.168.2.5  0xa54d    No error (0)  billie4.ddns.net  -      194.5.97.210  A (IP address)  IN (0x0001)
                                  Nov 23, 2021 07:45:07.198613882 CET  8.8.8.8    192.168.2.5  0x4f38    No error (0)  billie4.ddns.net  -      194.5.97.210  A (IP address)  IN (0x0001)
                                  Nov 23, 2021 07:45:12.793133020 CET  8.8.8.8    192.168.2.5  0x1683    No error (0)  billie4.ddns.net  -      194.5.97.210  A (IP address)  IN (0x0001)
                                  Nov 23, 2021 07:45:18.294912100 CET  8.8.8.8    192.168.2.5  0x4378    No error (0)  billie4.ddns.net  -      194.5.97.210  A (IP address)  IN (0x0001)
                                  Nov 23, 2021 07:45:23.849181890 CET  8.8.8.8    192.168.2.5  0xb037    No error (0)  billie4.ddns.net  -      194.5.97.210  A (IP address)  IN (0x0001)
                                  Nov 23, 2021 07:45:29.342544079 CET  8.8.8.8    192.168.2.5  0xda8a    No error (0)  billie4.ddns.net  -      194.5.97.210  A (IP address)  IN (0x0001)
                                  Nov 23, 2021 07:45:34.953414917 CET  8.8.8.8    192.168.2.5  0x9222    No error (0)  billie4.ddns.net  -      194.5.97.210  A (IP address)  IN (0x0001)
                                  Nov 23, 2021 07:45:40.480710030 CET  8.8.8.8    192.168.2.5  0x943a    No error (0)  billie4.ddns.net  -      194.5.97.210  A (IP address)  IN (0x0001)
                                  Nov 23, 2021 07:45:46.116939068 CET  8.8.8.8    192.168.2.5  0x1852    No error (0)  billie4.ddns.net  -      194.5.97.210  A (IP address)  IN (0x0001)
                                  Nov 23, 2021 07:45:51.703391075 CET  8.8.8.8    192.168.2.5  0xf4b4    No error (0)  billie4.ddns.net  -      194.5.97.210  A (IP address)  IN (0x0001)
                                  Nov 23, 2021 07:45:57.315715075 CET  8.8.8.8    192.168.2.5  0x23c5    No error (0)  billie4.ddns.net  -      194.5.97.210  A (IP address)  IN (0x0001)
                                  Nov 23, 2021 07:46:02.829051018 CET  8.8.8.8    192.168.2.5  0x336e    No error (0)  billie4.ddns.net  -      194.5.97.210  A (IP address)  IN (0x0001)
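The UDP, TCP and DNS tables above show the same pattern from three angles: every ~5.5 s the client resolves billie4.ddns.net afresh and opens a new connection from a fresh ephemeral port to 194.5.97.210:6272. The following Python script is an added example (not sandbox output, not NanoCore code) that turns that observation into detection logic: it parses packet rows, groups client packets by destination, measures how regular the inter-arrival gaps are, checks whether the queried name sits under a dynamic-DNS provider, and counts how many connections were preceded by a DNS query. The rows are copied from the report's UDP Packets and TCP Packets tables (first packet of each new client port only) and written tab-separated; the dynamic-DNS suffix list, the 5-event minimum and the 0.2 jitter threshold are this example's own assumptions.

```python
"""Beacon and dynamic-DNS triage over the report's network rows (added example)."""
import re
import statistics
from collections import defaultdict, namedtuple
from datetime import datetime

Packet = namedtuple("Packet", "t sport dport src dst")

# Copied from the report's UDP Packets / TCP Packets tables (first packet per client port),
# laid out as timestamp, source port, dest port, source IP, dest IP, tab-separated.
PACKET_ROWS = """\
Nov 23, 2021 07:44:17.215949059 CET\t52480\t53\t192.168.2.5\t8.8.8.8
Nov 23, 2021 07:44:17.389962912 CET\t49689\t6272\t192.168.2.5\t194.5.97.210
Nov 23, 2021 07:44:22.896964073 CET\t51165\t53\t192.168.2.5\t8.8.8.8
Nov 23, 2021 07:44:22.922355890 CET\t49691\t6272\t192.168.2.5\t194.5.97.210
Nov 23, 2021 07:44:28.394016981 CET\t57587\t53\t192.168.2.5\t8.8.8.8
Nov 23, 2021 07:44:28.417042017 CET\t49694\t6272\t192.168.2.5\t194.5.97.210
Nov 23, 2021 07:44:34.027271986 CET\t55432\t53\t192.168.2.5\t8.8.8.8
Nov 23, 2021 07:44:34.075227022 CET\t49696\t6272\t192.168.2.5\t194.5.97.210
Nov 23, 2021 07:44:39.583848953 CET\t64936\t53\t192.168.2.5\t8.8.8.8
Nov 23, 2021 07:44:39.607939005 CET\t49697\t6272\t192.168.2.5\t194.5.97.210
Nov 23, 2021 07:44:45.083228111 CET\t52704\t53\t192.168.2.5\t8.8.8.8
Nov 23, 2021 07:44:45.102241993 CET\t49698\t6272\t192.168.2.5\t194.5.97.210
Nov 23, 2021 07:44:50.627996922 CET\t54302\t53\t192.168.2.5\t8.8.8.8
Nov 23, 2021 07:44:50.652089119 CET\t49700\t6272\t192.168.2.5\t194.5.97.210
Nov 23, 2021 07:44:56.151756048 CET\t53784\t53\t192.168.2.5\t8.8.8.8
Nov 23, 2021 07:44:56.179426908 CET\t49701\t6272\t192.168.2.5\t194.5.97.210
Nov 23, 2021 07:45:01.652332067 CET\t65307\t53\t192.168.2.5\t8.8.8.8
Nov 23, 2021 07:45:07.180596113 CET\t64344\t53\t192.168.2.5\t8.8.8.8
"""

ROW_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} \d{1,2}, \d{4}) (?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}\.\d+) CET"
    r"\t(?P<sport>\d+)\t(?P<dport>\d+)\t(?P<src>[\d.]+)\t(?P<dst>[\d.]+)$"
)

# Illustrative list of dynamic-DNS zones (assumption, not exhaustive).
DDNS_SUFFIXES = ("ddns.net", "no-ip.org", "no-ip.biz", "hopto.org", "zapto.org",
                 "duckdns.org", "dynu.net", "dyndns.org")


def parse_row(line: str) -> Packet:
    """Parse one table row; the timestamp keeps nanosecond digits, which strptime cannot."""
    m = ROW_RE.match(line)
    if not m:
        raise ValueError(f"unparseable row: {line!r}")
    day = datetime.strptime(m["date"], "%b %d, %Y").toordinal() * 86400
    t = day + int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
    return Packet(t, int(m["sport"]), int(m["dport"]), m["src"], m["dst"])


def beacon_candidates(packets, min_events=5, max_jitter=0.2):
    """Group packets by (dst, dport); a group is periodic when stdev(gaps)/median(gaps)
    stays below max_jitter, i.e. the client talks to it on a fixed schedule."""
    by_dest = defaultdict(list)
    for p in packets:
        by_dest[(p.dst, p.dport)].append(p.t)
    result = {}
    for key, times in by_dest.items():
        times.sort()
        if len(times) < min_events:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        median = statistics.median(gaps)
        jitter = statistics.pstdev(gaps) / median if median > 0 else float("inf")
        result[key] = {"count": len(times), "median_interval": median,
                       "jitter": jitter, "periodic": jitter <= max_jitter}
    return result


def is_dynamic_dns(name: str) -> bool:
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in DDNS_SUFFIXES)


def connects_preceded_by_dns(packets, window=1.0):
    """(hits, total): connections whose first packet follows a DNS query within `window`
    seconds, i.e. the client re-resolves on every reconnect instead of caching."""
    dns_times = [p.t for p in packets if p.dport == 53]
    tcp_times = [p.t for p in packets if p.dport != 53]
    hits = sum(1 for t in tcp_times if any(0 <= t - q <= window for q in dns_times))
    return hits, len(tcp_times)


def triage(rows: str, queried_name: str) -> dict:
    packets = [parse_row(l) for l in rows.splitlines() if l.strip()]
    beacons = {f"{ip}:{port}": v for (ip, port), v in beacon_candidates(packets).items()
               if v["periodic"]}
    return {"queried_name": queried_name, "dynamic_dns": is_dynamic_dns(queried_name),
            "beacons": beacons, "dns_before_connect": connects_preceded_by_dns(packets)}


if __name__ == "__main__":
    print(triage(PACKET_ROWS, "billie4.ddns.net"))
```

On the rows above the resolver and the C2 port both come out periodic at a median gap of roughly 5.5 s with about 1% jitter, and all eight connections follow a DNS query within a quarter of a second; on a real network the same logic needs a sliding window and an allow-list for legitimately chatty destinations such as NTP and update servers, and the DNS re-resolution check only holds when the client is not behind a caching stub resolver.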

                                  Code Manipulations

                                  Statistics

                                  Behavior

                                  System Behavior

                                  General

                                  Start time:07:44:02
                                  Start date:23/11/2021
                                  Path:C:\Users\user\Desktop\Purchase Order.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\Purchase Order.exe"
                                  Imagebase:0xa70000
                                  File size:493568 bytes
                                  MD5 hash:3F4E18FA2E1404E2C8F7F7E58C0DAE4E
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.260337804.000000000312F000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.261218037.00000000040E1000.00000004.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.261218037.00000000040E1000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.261218037.00000000040E1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  Reputation:low

                                  General

                                  Start time:07:44:09
                                  Start date:23/11/2021
                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sWTAwlQUDpm" /XML "C:\Users\user\AppData\Local\Temp\tmpFF67.tmp
                                  Imagebase:0x10c0000
                                  File size:185856 bytes
                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Start time:07:44:10
                                  Start date:23/11/2021
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7ecfc0000
                                  File size:625664 bytes
                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Start time:07:44:10
                                  Start date:23/11/2021
                                  Path:C:\Users\user\Desktop\Purchase Order.exe
                                  Wow64 process (32bit):true
                                  Commandline:{path}
                                  Imagebase:0xcb0000
                                  File size:493568 bytes
                                  MD5 hash:3F4E18FA2E1404E2C8F7F7E58C0DAE4E
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.514093712.0000000004451000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000003.00000002.510612941.0000000001400000.00000004.00020000.sdmp, Author: Florian Roth
                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.510612941.0000000001400000.00000004.00020000.sdmp, Author: Florian Roth
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000003.00000002.516783135.0000000005C30000.00000004.00020000.sdmp, Author: Florian Roth
                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.516783135.0000000005C30000.00000004.00020000.sdmp, Author: Florian Roth
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000003.00000002.513024868.0000000001730000.00000004.00020000.sdmp, Author: Florian Roth
                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.513024868.0000000001730000.00000004.00020000.sdmp, Author: Florian Roth
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000003.00000002.509365335.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.509365335.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000003.00000002.509365335.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.514370660.0000000004632000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000003.00000002.514370660.0000000004632000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000003.00000000.256909060.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000000.256909060.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000003.00000000.256909060.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000003.00000000.258283803.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000000.258283803.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000003.00000000.258283803.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000003.00000000.257814909.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000000.257814909.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000003.00000000.257814909.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000003.00000002.512869646.00000000016F0000.00000004.00020000.sdmp, Author: Florian Roth
                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.512869646.00000000016F0000.00000004.00020000.sdmp, Author: Florian Roth
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000003.00000002.512970824.0000000001720000.00000004.00020000.sdmp, Author: Florian Roth
                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.512970824.0000000001720000.00000004.00020000.sdmp, Author: Florian Roth
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000003.00000002.517345477.0000000005FF0000.00000004.00020000.sdmp, Author: Florian Roth
                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.517345477.0000000005FF0000.00000004.00020000.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.517345477.0000000005FF0000.00000004.00020000.sdmp, Author: Joe Security
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000003.00000002.513074700.0000000001770000.00000004.00020000.sdmp, Author: Florian Roth
                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.513074700.0000000001770000.00000004.00020000.sdmp, Author: Florian Roth
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000003.00000002.510571872.00000000013E0000.00000004.00020000.sdmp, Author: Florian Roth
                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.510571872.00000000013E0000.00000004.00020000.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.514554854.0000000004851000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000003.00000002.514554854.0000000004851000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000003.00000000.257324506.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000000.257324506.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000003.00000000.257324506.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  Reputation:low
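The "Source" field of every Yara bullet above is a Joe Sandbox memory-dump name that encodes which process block the hit belongs to, the base address of the region and its page protection. The script below is an added example, not part of the report or of Joe Sandbox: it parses a handful of bullets copied from this page (constructed input) and groups the hits per process. The field layout it assumes, process index, dump stage, dump id, base address, page protection, region type, is inferred from the identifiers on this page; the protection values are decoded with the Windows PAGE_* constants, the stage and region-type fields are kept raw. What the grouping makes visible is that the `{path}` child (process index 3) has NanoCore rule hits inside PAGE_EXECUTE_READWRITE memory at 0x402000, i.e. the RAT is mapped as runnable code in that process, which is the memory-level counterpart of the "Injects a PE file into a foreign processes" signature, whereas the first process only carries it as read/write data.

```python
"""Decode the Joe Sandbox memory-dump identifiers quoted in the 'Yara matches'
bullets and summarise, per process, where each rule fired.

Added example, not part of the report. Assumed layout of the .sdmp name:
<process index>.<dump stage>.<dump id>.<base address>.<page protection>.<region type>.sdmp
Protection values are decoded with the Windows PAGE_* constants."""
import re
from collections import defaultdict

# Windows memory-protection constants from winnt.h
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

MATCH_RE = re.compile(
    r"Rule:\s*(?P<rule>[^,]+),\s*Description:\s*(?P<desc>.*?),\s*"
    r"Source:\s*(?P<src>\S+\.sdmp),\s*Author:\s*(?P<author>.+?)\s*$"
)
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<rtype>[0-9A-Fa-f]{8})\.sdmp$"
)

# Constructed input: bullets copied from the process blocks of this report
SAMPLE_MATCHES = [
    "• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.260337804.000000000312F000.00000004.00000001.sdmp, Author: Joe Security",
    "• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.261218037.00000000040E1000.00000004.00000001.sdmp, Author: Florian Roth",
    "• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000003.00000002.510612941.0000000001400000.00000004.00020000.sdmp, Author: Florian Roth",
    "• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000003.00000002.509365335.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth",
    "• Rule: NanoCore, Description: unknown, Source: 00000003.00000000.256909060.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>",
]


def parse_match(line):
    """Decode one 'Rule: ..., Source: ....sdmp, Author: ...' bullet; None if it does not parse."""
    m = MATCH_RE.search(line)
    if m is None:
        return None
    s = SDMP_RE.match(m["src"])
    if s is None:
        return None
    prot = int(s["protect"], 16)
    return {
        "rule": m["rule"].strip(),
        "author": m["author"].strip(),
        "proc": int(s["proc"], 16),      # index of the process block in the report
        "stage": int(s["stage"], 16),    # dump stage, kept as a number, not interpreted
        "base": int(s["base"], 16),
        "protect": PAGE_PROTECT.get(prot & 0xFF, hex(prot)),
        "executable": bool(prot & 0xF0),  # any PAGE_EXECUTE* bit set
        "region_type": s["rtype"],       # left undecoded
    }


def summarise(lines):
    """Group hits per process: rules seen, hit count, stages, regions and executable regions."""
    procs = defaultdict(lambda: {"rules": set(), "hits": 0, "stages": set(),
                                 "regions": set(), "exec_regions": set()})
    for line in lines:
        h = parse_match(line)
        if h is None:
            continue
        p = procs[h["proc"]]
        p["rules"].add(h["rule"])
        p["hits"] += 1
        p["stages"].add(h["stage"])
        p["regions"].add(h["base"])
        if h["executable"]:
            p["exec_regions"].add(h["base"])
    return dict(procs)


def injected_code_procs(summary):
    """Processes whose rule hits lie in executable memory: the payload is mapped as
    runnable code there, not merely held as data in a heap buffer."""
    return sorted(p for p, v in summary.items() if v["exec_regions"])


if __name__ == "__main__":
    for proc, v in sorted(summarise(SAMPLE_MATCHES).items()):
        print(f"process {proc}: {v['hits']} hits, rules={sorted(v['rules'])}, "
              f"exec regions={[hex(b) for b in sorted(v['exec_regions'])]}")
```

Run it against all of a report's Yara bullets rather than the five embedded here to get the same per-process picture for every block; the distinction between read/write and executable hits is what separates "the config was in memory" from "the RAT body is mapped and runnable in this process".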

                                  General

                                  Start time:07:44:13
                                  Start date:23/11/2021
                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                  Wow64 process (32bit):true
                                  Commandline:"schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp5DEB.tmp"
                                  Imagebase:0x10c0000
                                  File size:185856 bytes
                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Start time:07:44:15
                                  Start date:23/11/2021
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7ecfc0000
                                  File size:625664 bytes
                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Start time:07:44:16
                                  Start date:23/11/2021
                                  Path:C:\Users\user\Desktop\Purchase Order.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\Purchase Order.exe" 0
                                  Imagebase:0x3c0000
                                  File size:493568 bytes
                                  MD5 hash:3F4E18FA2E1404E2C8F7F7E58C0DAE4E
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000007.00000002.293600942.0000000003B31000.00000004.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.293600942.0000000003B31000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000007.00000002.293600942.0000000003B31000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  Reputation:low

                                  General

                                  Start time:07:44:21
                                  Start date:23/11/2021
                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sWTAwlQUDpm" /XML "C:\Users\user\AppData\Local\Temp\tmp2DF9.tmp"
                                  Imagebase:0x10c0000
                                  File size:185856 bytes
                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
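All three schtasks.exe blocks on this page show the same persistence pattern: a process running from the user's Desktop launches `schtasks.exe /Create` with a task definition imported via `/XML` from a temporary file under `%LOCALAPPDATA%\Temp`, once under the name `Updates\sWTAwlQUDpm` and once, with `/f` to overwrite, under `DHCP Monitor`. That is what the "Suspicius Add Task From User AppData Temp" Sigma hit in the summary refers to. The following detection logic is an added example, not sandbox or vendor code: it takes process-creation records of the kind Sysmon event 1 or Windows event 4688 provide and flags this pattern. The records are constructed from the command lines above; the parent images and the two benign control records are assumed, and the parent/child relation is taken from the process tree rather than stated in these blocks.

```python
"""Flag schtasks.exe invocations that import a task definition from a user
temp directory or are spawned by a parent outside the system directories.

Added example, not sandbox or vendor code. RECORDS is constructed from the
command lines in this report; parent images and the benign controls are assumed."""
import re
from pathlib import PureWindowsPath

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
VALUE_OPTS = {"/tn", "/xml", "/tr", "/sc", "/ru", "/rp", "/st", "/sd"}  # options that take a value

# Constructed process-creation records (parent_image, image, cmdline as in Sysmon EID 1)
RECORDS = [
    {"parent_image": r"C:\Users\user\Desktop\Purchase Order.exe",   # assumed parent
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sWTAwlQUDpm" /XML "C:\Users\user\AppData\Local\Temp\tmpFF67.tmp"'},
    {"parent_image": r"C:\Users\user\Desktop\Purchase Order.exe",   # assumed parent
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp5DEB.tmp"'},
    {"parent_image": r"C:\Windows\System32\svchost.exe",            # constructed benign control
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Query /TN "Microsoft\Windows\Defrag\ScheduledDefrag"'},
    {"parent_image": r"C:\Program Files\Vendor\setup.exe",          # constructed benign create
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /TN "Vendor\Updater" /XML "C:\ProgramData\Vendor\updater.xml"'},
]


def split_windows_cmdline(cmdline):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted if quoted else bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def parse_schtasks_args(argv):
    """Map lower-cased schtasks switches to their value (or True for flags)."""
    opts, i = {}, 1
    while i < len(argv):
        tok = argv[i].lower()
        if tok in VALUE_OPTS:
            opts[tok] = argv[i + 1] if i + 1 < len(argv) else ""
            i += 2
        else:
            opts[tok] = True
            i += 1
    return opts


def classify_schtasks(record):
    """Return None for non-schtasks launches, else the parsed task and the reasons it is suspicious."""
    if PureWindowsPath(record["image"]).name.lower() != "schtasks.exe":
        return None
    opts = parse_schtasks_args(split_windows_cmdline(record["cmdline"]))
    reasons = []
    creating = "/create" in opts
    if creating:
        xml = opts.get("/xml", "")
        if xml and USER_TEMP_RE.search(xml):
            reasons.append("task XML imported from the user's AppData\\Local\\Temp")
        if not record["parent_image"].lower().startswith(SYSTEM_DIRS):
            reasons.append(f"task created by non-system parent {record['parent_image']}")
    return {
        "task": opts.get("/tn"),
        "xml": opts.get("/xml"),
        "create": creating,
        "force_overwrite": "/f" in opts,   # /f alone is not treated as an indicator
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


def scan(records):
    """Return (cmdline, classification) for every record that is flagged."""
    flagged = []
    for rec in records:
        c = classify_schtasks(rec)
        if c and c["suspicious"]:
            flagged.append((rec["cmdline"], c))
    return flagged


if __name__ == "__main__":
    for cmdline, c in scan(RECORDS):
        print(f"task {c['task']!r}: " + "; ".join(c["reasons"]))
```

The XML-from-temp check is the strong indicator; the non-system-parent check catches the same pattern when the loader stages its XML elsewhere, but it needs an allow-list in environments where installers run from user profiles. Note that the task names themselves (`Updates\...`, `DHCP Monitor`) are chosen to look like housekeeping, so a detection keyed on names alone would be easy to evade.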

                                  General

                                  Start time:07:44:22
                                  Start date:23/11/2021
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7ecfc0000
                                  File size:625664 bytes
                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Start time:07:44:24
                                  Start date:23/11/2021
                                  Path:C:\Users\user\Desktop\Purchase Order.exe
                                  Wow64 process (32bit):true
                                  Commandline:{path}
                                  Imagebase:0xe50000
                                  File size:493568 bytes
                                  MD5 hash:3F4E18FA2E1404E2C8F7F7E58C0DAE4E
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000E.00000000.290105146.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000000.290105146.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 0000000E.00000000.290105146.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000E.00000002.304942297.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.304942297.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.304942297.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000E.00000000.288438984.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000000.288438984.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 0000000E.00000000.288438984.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000E.00000000.288897596.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000000.288897596.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 0000000E.00000000.288897596.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.305808689.0000000004611000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.305808689.0000000004611000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.305776301.0000000003611000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.305776301.0000000003611000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000E.00000000.289395103.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000000.289395103.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 0000000E.00000000.289395103.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  Reputation:low

                                  Disassembly

                                  Code Analysis
