Play interactive tour

Edit tour

Windows Analysis Report Orden de Compra -SA765443,pdf.exe

Overview

General Information

Sample Name:	Orden de Compra -SA765443,pdf.exe
Analysis ID:	527111
MD5:	f7f223c7625c5c9df43af835298c1183
SHA1:	2105dc6b41d1ec220e89fb018fb1fd95b9a22d5a
SHA256:	7a356a718b0ca6272486633efb6a34c6301007f50766d8cfab60a996f2729935
Tags:	exeNanoCoreRAT
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Yara detected AntiVM3

Detected Nanocore Rat

Yara detected Nanocore RAT

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Sigma detected: Suspicius Add Task From User AppData Temp

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses dynamic DNS services

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Detected TCP or UDP traffic on non-standard ports

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

Orden de Compra -SA765443,pdf.exe (PID: 6196 cmdline: "C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe" MD5: F7F223C7625C5C9DF43AF835298C1183)

Orden de Compra -SA765443,pdf.exe (PID: 6548 cmdline: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe MD5: F7F223C7625C5C9DF43AF835298C1183)

schtasks.exe (PID: 6712 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp62E7.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Orden de Compra -SA765443,pdf.exe (PID: 6864 cmdline: "C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe" 0 MD5: F7F223C7625C5C9DF43AF835298C1183)

Orden de Compra -SA765443,pdf.exe (PID: 4220 cmdline: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe MD5: F7F223C7625C5C9DF43AF835298C1183)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "c78d90a0-5de6-4b77-9d98-da24b367", "Group": "CHIBOY", "Domain1": "wealthgod1234.ddns.net", "Domain2": "127.0.0.1", "Port": 4693, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 4995, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000E.00000002.310703445.0000000004239000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.310703445.0000000004239000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x435d5:$a: NanoCore 0x4362e:$a: NanoCore 0x4366b:$a: NanoCore 0x436e4:$a: NanoCore 0x56d8f:$a: NanoCore 0x56da4:$a: NanoCore 0x56dd9:$a: NanoCore 0x6fd7b:$a: NanoCore 0x6fd90:$a: NanoCore 0x6fdc5:$a: NanoCore 0x43637:$b: ClientPlugin 0x43674:$b: ClientPlugin 0x43f72:$b: ClientPlugin 0x43f7f:$b: ClientPlugin 0x56b4b:$b: ClientPlugin 0x56b66:$b: ClientPlugin 0x56b96:$b: ClientPlugin 0x56dad:$b: ClientPlugin 0x56de2:$b: ClientPlugin 0x6fb37:$b: ClientPlugin 0x6fb52:$b: ClientPlugin
00000000.00000002.266827018.0000000002CA1000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000005.00000000.262435507.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000000.262435507.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000000.262435507.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000005.00000002.516892703.00000000066B0000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000005.00000002.516892703.00000000066B0000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000005.00000002.516892703.00000000066B0000.00000004.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000000.261948516.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000000.261948516.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000000.261948516.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000E.00000000.289660204.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000000.289660204.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000000.289660204.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000005.00000002.512725162.0000000003001000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000000.263642925.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000000.263642925.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000000.263642925.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000005.00000002.516734883.0000000005AD0000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000005.00000002.516734883.0000000005AD0000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
0000000E.00000002.309326840.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000002.309326840.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.309326840.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000005.00000000.262924739.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000000.262924739.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000000.262924739.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000E.00000000.290829502.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000000.290829502.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000000.290829502.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000005.00000002.514335905.000000000404D000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000009.00000002.294956289.0000000003201000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000E.00000002.310601454.0000000003231000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.310601454.0000000003231000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x6952f:$a: NanoCore 0x69588:$a: NanoCore 0x695c5:$a: NanoCore 0x6963e:$a: NanoCore 0x69591:$b: ClientPlugin 0x695ce:$b: ClientPlugin 0x69ecc:$b: ClientPlugin 0x69ed9:$b: ClientPlugin 0x5f6a9:$e: KeepAlive 0x69a19:$g: LogClientMessage 0x69999:$i: get_Connected 0x59965:$j: #=q 0x59995:$j: #=q 0x599d1:$j: #=q 0x599f9:$j: #=q 0x59a29:$j: #=q 0x59a59:$j: #=q 0x59a89:$j: #=q 0x59ab9:$j: #=q 0x59ad5:$j: #=q 0x59b05:$j: #=q
00000005.00000002.507112354.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000002.507112354.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.507112354.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000E.00000000.292078484.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000000.292078484.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000000.292078484.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000E.00000000.291488537.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000000.291488537.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000000.291488537.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000000.00000002.266922252.0000000002CDE000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000009.00000002.296236042.0000000004209000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x69825:$x1: NanoCore.ClientPluginHost 0x18dbed:$x1: NanoCore.ClientPluginHost 0x1c060d:$x1: NanoCore.ClientPluginHost 0x69862:$x2: IClientNetworkHost 0x18dc2a:$x2: IClientNetworkHost 0x1c064a:$x2: IClientNetworkHost 0x6d395:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x19175d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1c417d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000009.00000002.296236042.0000000004209000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000009.00000002.296236042.0000000004209000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x6958d:$a: NanoCore 0x6959d:$a: NanoCore 0x697d1:$a: NanoCore 0x697e5:$a: NanoCore 0x69825:$a: NanoCore 0x18d955:$a: NanoCore 0x18d965:$a: NanoCore 0x18db99:$a: NanoCore 0x18dbad:$a: NanoCore 0x18dbed:$a: NanoCore 0x1c0375:$a: NanoCore 0x1c0385:$a: NanoCore 0x1c05b9:$a: NanoCore 0x1c05cd:$a: NanoCore 0x1c060d:$a: NanoCore 0x695ec:$b: ClientPlugin 0x697ee:$b: ClientPlugin 0x6982e:$b: ClientPlugin 0x18d9b4:$b: ClientPlugin 0x18dbb6:$b: ClientPlugin 0x18dbf6:$b: ClientPlugin
00000009.00000002.295061035.000000000323E000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.268195690.0000000003CA9000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x69825:$x1: NanoCore.ClientPluginHost 0x18dbed:$x1: NanoCore.ClientPluginHost 0x1c060d:$x1: NanoCore.ClientPluginHost 0x69862:$x2: IClientNetworkHost 0x18dc2a:$x2: IClientNetworkHost 0x1c064a:$x2: IClientNetworkHost 0x6d395:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x19175d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1c417d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.268195690.0000000003CA9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.268195690.0000000003CA9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x6958d:$a: NanoCore 0x6959d:$a: NanoCore 0x697d1:$a: NanoCore 0x697e5:$a: NanoCore 0x69825:$a: NanoCore 0x18d955:$a: NanoCore 0x18d965:$a: NanoCore 0x18db99:$a: NanoCore 0x18dbad:$a: NanoCore 0x18dbed:$a: NanoCore 0x1c0375:$a: NanoCore 0x1c0385:$a: NanoCore 0x1c05b9:$a: NanoCore 0x1c05cd:$a: NanoCore 0x1c060d:$a: NanoCore 0x695ec:$b: ClientPlugin 0x697ee:$b: ClientPlugin 0x6982e:$b: ClientPlugin 0x18d9b4:$b: ClientPlugin 0x18dbb6:$b: ClientPlugin 0x18dbf6:$b: ClientPlugin
Process Memory Space: Orden de Compra -SA765443,pdf.exe PID: 6196	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x48602:$x1: NanoCore.ClientPluginHost 0x4863f:$x2: IClientNetworkHost 0x4bb27:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x56880:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x9eb05:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xa9e8e:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: Orden de Compra -SA765443,pdf.exe PID: 6196	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Orden de Compra -SA765443,pdf.exe PID: 6196	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: Orden de Compra -SA765443,pdf.exe PID: 6196	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x48326:$a: NanoCore 0x48336:$a: NanoCore 0x4839e:$a: NanoCore 0x483ad:$a: NanoCore 0x485ae:$a: NanoCore 0x485c2:$a: NanoCore 0x48602:$a: NanoCore 0x52eea:$a: NanoCore 0x52efc:$a: NanoCore 0x52f38:$a: NanoCore 0x9b16f:$a: NanoCore 0x9b181:$a: NanoCore 0x9b1bd:$a: NanoCore 0xa64f8:$a: NanoCore 0xa650a:$a: NanoCore 0xa6546:$a: NanoCore 0x4834a:$b: ClientPlugin 0x483f7:$b: ClientPlugin 0x485cb:$b: ClientPlugin 0x4860b:$b: ClientPlugin 0x52f05:$b: ClientPlugin
Process Memory Space: Orden de Compra -SA765443,pdf.exe PID: 6548	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xdea9:$x1: NanoCore.ClientPluginHost 0xdec3:$x2: IClientNetworkHost 0x2f97b:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3a632:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: Orden de Compra -SA765443,pdf.exe PID: 6548	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: Orden de Compra -SA765443,pdf.exe PID: 6548	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3350:$a: NanoCore 0x33ac:$a: NanoCore 0x342b:$a: NanoCore 0xde13:$a: NanoCore 0xde6c:$a: NanoCore 0xdea9:$a: NanoCore 0xdf22:$a: NanoCore 0xe4d4:$a: NanoCore 0xe527:$a: NanoCore 0xe560:$a: NanoCore 0xe5d3:$a: NanoCore 0x2c39a:$a: NanoCore 0x2c3aa:$a: NanoCore 0x2c405:$a: NanoCore 0x2c414:$a: NanoCore 0x36c9c:$a: NanoCore 0x36cae:$a: NanoCore 0x36cea:$a: NanoCore 0x46f55:$a: NanoCore 0x46f68:$a: NanoCore 0x46f9a:$a: NanoCore
Process Memory Space: Orden de Compra -SA765443,pdf.exe PID: 6864	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x128d0:$x1: NanoCore.ClientPluginHost 0x1290d:$x2: IClientNetworkHost 0x15ef4:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x20d17:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x68fd0:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x74359:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: Orden de Compra -SA765443,pdf.exe PID: 6864	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Orden de Compra -SA765443,pdf.exe PID: 6864	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: Orden de Compra -SA765443,pdf.exe PID: 6864	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x125d1:$a: NanoCore 0x125e1:$a: NanoCore 0x1266c:$a: NanoCore 0x1267b:$a: NanoCore 0x1287c:$a: NanoCore 0x12890:$a: NanoCore 0x128d0:$a: NanoCore 0x1d381:$a: NanoCore 0x1d393:$a: NanoCore 0x1d3cf:$a: NanoCore 0x6563a:$a: NanoCore 0x6564c:$a: NanoCore 0x65688:$a: NanoCore 0x709c3:$a: NanoCore 0x709d5:$a: NanoCore 0x70a11:$a: NanoCore 0x1260b:$b: ClientPlugin 0x126c5:$b: ClientPlugin 0x12899:$b: ClientPlugin 0x128d9:$b: ClientPlugin 0x1d39c:$b: ClientPlugin
Process Memory Space: Orden de Compra -SA765443,pdf.exe PID: 4220	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xa02d:$x1: NanoCore.ClientPluginHost 0xa047:$x2: IClientNetworkHost 0x2aee5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3595b:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: Orden de Compra -SA765443,pdf.exe PID: 4220	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: Orden de Compra -SA765443,pdf.exe PID: 4220	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x9f97:$a: NanoCore 0x9ff0:$a: NanoCore 0xa02d:$a: NanoCore 0xa0a6:$a: NanoCore 0xa658:$a: NanoCore 0xa6ab:$a: NanoCore 0xa6e4:$a: NanoCore 0xa757:$a: NanoCore 0x11962:$a: NanoCore 0x11975:$a: NanoCore 0x119a7:$a: NanoCore 0x17690:$a: NanoCore 0x176a3:$a: NanoCore 0x176d5:$a: NanoCore 0x271df:$a: NanoCore 0x27b3b:$a: NanoCore 0x27b81:$a: NanoCore 0x27b90:$a: NanoCore 0x31fc5:$a: NanoCore 0x31fd7:$a: NanoCore 0x32013:$a: NanoCore
Click to see the 60 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Orden de Compra -SA765443,pdf.exe.3d02698.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Orden de Compra -SA765443,pdf.exe.3d02698.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.Orden de Compra -SA765443,pdf.exe.3d02698.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Orden de Compra -SA765443,pdf.exe.3d02698.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
14.0.Orden de Compra -SA765443,pdf.exe.400000.12.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.0.Orden de Compra -SA765443,pdf.exe.400000.12.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
14.0.Orden de Compra -SA765443,pdf.exe.400000.12.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.0.Orden de Compra -SA765443,pdf.exe.400000.12.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
14.2.Orden de Compra -SA765443,pdf.exe.3299750.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
14.2.Orden de Compra -SA765443,pdf.exe.3299750.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
5.2.Orden de Compra -SA765443,pdf.exe.5ad0000.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
5.2.Orden de Compra -SA765443,pdf.exe.5ad0000.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
9.2.Orden de Compra -SA765443,pdf.exe.322a178.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
5.2.Orden de Compra -SA765443,pdf.exe.66b4629.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
5.2.Orden de Compra -SA765443,pdf.exe.66b4629.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
5.2.Orden de Compra -SA765443,pdf.exe.66b4629.9.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.Orden de Compra -SA765443,pdf.exe.427b7f6.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5cf:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d5fc:$x2: IClientNetworkHost
14.2.Orden de Compra -SA765443,pdf.exe.427b7f6.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5cf:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6aa:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d5e9:$s5: IClientLoggingHost
14.2.Orden de Compra -SA765443,pdf.exe.427b7f6.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.Orden de Compra -SA765443,pdf.exe.427b7f6.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d585:$a: NanoCore 0x2d59a:$a: NanoCore 0x2d5cf:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d341:$b: ClientPlugin 0x2d35c:$b: ClientPlugin
5.2.Orden de Compra -SA765443,pdf.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.2.Orden de Compra -SA765443,pdf.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
5.2.Orden de Compra -SA765443,pdf.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.Orden de Compra -SA765443,pdf.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
14.0.Orden de Compra -SA765443,pdf.exe.400000.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.0.Orden de Compra -SA765443,pdf.exe.400000.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
14.0.Orden de Compra -SA765443,pdf.exe.400000.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.0.Orden de Compra -SA765443,pdf.exe.400000.8.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.Orden de Compra -SA765443,pdf.exe.3e26a60.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Orden de Compra -SA765443,pdf.exe.3e26a60.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.Orden de Compra -SA765443,pdf.exe.3e26a60.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Orden de Compra -SA765443,pdf.exe.3e26a60.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
14.2.Orden de Compra -SA765443,pdf.exe.4284c55.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24170:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x2419d:$x2: IClientNetworkHost
14.2.Orden de Compra -SA765443,pdf.exe.4284c55.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24170:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x2524b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x2418a:$s5: IClientLoggingHost
14.2.Orden de Compra -SA765443,pdf.exe.4284c55.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.Orden de Compra -SA765443,pdf.exe.66b0000.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
5.2.Orden de Compra -SA765443,pdf.exe.66b0000.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
5.2.Orden de Compra -SA765443,pdf.exe.66b0000.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.Orden de Compra -SA765443,pdf.exe.428062c.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
14.2.Orden de Compra -SA765443,pdf.exe.428062c.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
14.2.Orden de Compra -SA765443,pdf.exe.428062c.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.0.Orden de Compra -SA765443,pdf.exe.400000.12.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.0.Orden de Compra -SA765443,pdf.exe.400000.12.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
5.0.Orden de Compra -SA765443,pdf.exe.400000.12.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.0.Orden de Compra -SA765443,pdf.exe.400000.12.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
9.2.Orden de Compra -SA765443,pdf.exe.4262698.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
9.2.Orden de Compra -SA765443,pdf.exe.4262698.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
9.2.Orden de Compra -SA765443,pdf.exe.4262698.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.Orden de Compra -SA765443,pdf.exe.4262698.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
9.2.Orden de Compra -SA765443,pdf.exe.4386a60.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
9.2.Orden de Compra -SA765443,pdf.exe.4386a60.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
9.2.Orden de Compra -SA765443,pdf.exe.4386a60.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.Orden de Compra -SA765443,pdf.exe.4386a60.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
5.2.Orden de Compra -SA765443,pdf.exe.405062c.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28799:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287c6:$x2: IClientNetworkHost
5.2.Orden de Compra -SA765443,pdf.exe.405062c.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28799:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29874:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287b3:$s5: IClientLoggingHost
5.2.Orden de Compra -SA765443,pdf.exe.405062c.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.Orden de Compra -SA765443,pdf.exe.428062c.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28799:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287c6:$x2: IClientNetworkHost
14.2.Orden de Compra -SA765443,pdf.exe.428062c.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28799:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29874:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287b3:$s5: IClientLoggingHost
14.2.Orden de Compra -SA765443,pdf.exe.428062c.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.0.Orden de Compra -SA765443,pdf.exe.400000.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.0.Orden de Compra -SA765443,pdf.exe.400000.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
5.0.Orden de Compra -SA765443,pdf.exe.400000.10.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.0.Orden de Compra -SA765443,pdf.exe.400000.10.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.2.Orden de Compra -SA765443,pdf.exe.4069618.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
5.2.Orden de Compra -SA765443,pdf.exe.4069618.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
5.2.Orden de Compra -SA765443,pdf.exe.4069618.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.0.Orden de Compra -SA765443,pdf.exe.400000.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.0.Orden de Compra -SA765443,pdf.exe.400000.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
14.0.Orden de Compra -SA765443,pdf.exe.400000.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.0.Orden de Compra -SA765443,pdf.exe.400000.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.2.Orden de Compra -SA765443,pdf.exe.405062c.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
5.2.Orden de Compra -SA765443,pdf.exe.405062c.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
5.2.Orden de Compra -SA765443,pdf.exe.405062c.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.0.Orden de Compra -SA765443,pdf.exe.400000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.0.Orden de Compra -SA765443,pdf.exe.400000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
5.0.Orden de Compra -SA765443,pdf.exe.400000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.0.Orden de Compra -SA765443,pdf.exe.400000.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.2.Orden de Compra -SA765443,pdf.exe.66b0000.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
5.2.Orden de Compra -SA765443,pdf.exe.66b0000.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
5.2.Orden de Compra -SA765443,pdf.exe.66b0000.8.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.0.Orden de Compra -SA765443,pdf.exe.400000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.0.Orden de Compra -SA765443,pdf.exe.400000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
14.0.Orden de Compra -SA765443,pdf.exe.400000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.0.Orden de Compra -SA765443,pdf.exe.400000.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.Orden de Compra -SA765443,pdf.exe.2cca178.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
5.0.Orden de Compra -SA765443,pdf.exe.400000.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.0.Orden de Compra -SA765443,pdf.exe.400000.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
5.0.Orden de Compra -SA765443,pdf.exe.400000.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.0.Orden de Compra -SA765443,pdf.exe.400000.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.0.Orden de Compra -SA765443,pdf.exe.400000.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.0.Orden de Compra -SA765443,pdf.exe.400000.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
5.0.Orden de Compra -SA765443,pdf.exe.400000.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.0.Orden de Compra -SA765443,pdf.exe.400000.8.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.2.Orden de Compra -SA765443,pdf.exe.4069618.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
5.2.Orden de Compra -SA765443,pdf.exe.4069618.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
5.2.Orden de Compra -SA765443,pdf.exe.4069618.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.0.Orden de Compra -SA765443,pdf.exe.400000.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.0.Orden de Compra -SA765443,pdf.exe.400000.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
14.0.Orden de Compra -SA765443,pdf.exe.400000.10.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.0.Orden de Compra -SA765443,pdf.exe.400000.10.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
14.2.Orden de Compra -SA765443,pdf.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.Orden de Compra -SA765443,pdf.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
14.2.Orden de Compra -SA765443,pdf.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.Orden de Compra -SA765443,pdf.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.2.Orden de Compra -SA765443,pdf.exe.4054c55.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24170:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x2419d:$x2: IClientNetworkHost
5.2.Orden de Compra -SA765443,pdf.exe.4054c55.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24170:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x2524b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x2418a:$s5: IClientLoggingHost
5.2.Orden de Compra -SA765443,pdf.exe.4054c55.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.Orden de Compra -SA765443,pdf.exe.3034bbc.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
5.2.Orden de Compra -SA765443,pdf.exe.3034bbc.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
9.2.Orden de Compra -SA765443,pdf.exe.4386a60.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
9.2.Orden de Compra -SA765443,pdf.exe.4386a60.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.Orden de Compra -SA765443,pdf.exe.4386a60.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42a9b:$c: ProjectData 0x7dbde:$c: ProjectData 0x10a82:$d: DESCrypto 0x434a2:$d: DESCrypto
0.2.Orden de Compra -SA765443,pdf.exe.3d02698.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x134555:$x1: NanoCore.ClientPluginHost 0x166f75:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x134592:$x2: IClientNetworkHost 0x166fb2:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1380c5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x16aae5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Orden de Compra -SA765443,pdf.exe.3d02698.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Orden de Compra -SA765443,pdf.exe.3d02698.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x1342bd:$a: NanoCore 0x1342cd:$a: NanoCore 0x134501:$a: NanoCore 0x134515:$a: NanoCore 0x134555:$a: NanoCore 0x166cdd:$a: NanoCore 0x166ced:$a: NanoCore 0x166f21:$a: NanoCore 0x166f35:$a: NanoCore 0x166f75:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x13431c:$b: ClientPlugin 0x13451e:$b: ClientPlugin 0x13455e:$b: ClientPlugin
9.2.Orden de Compra -SA765443,pdf.exe.4262698.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x134555:$x1: NanoCore.ClientPluginHost 0x166f75:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x134592:$x2: IClientNetworkHost 0x166fb2:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1380c5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x16aae5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
9.2.Orden de Compra -SA765443,pdf.exe.4262698.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.Orden de Compra -SA765443,pdf.exe.4262698.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x1342bd:$a: NanoCore 0x1342cd:$a: NanoCore 0x134501:$a: NanoCore 0x134515:$a: NanoCore 0x134555:$a: NanoCore 0x166cdd:$a: NanoCore 0x166ced:$a: NanoCore 0x166f21:$a: NanoCore 0x166f35:$a: NanoCore 0x166f75:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x13431c:$b: ClientPlugin 0x13451e:$b: ClientPlugin 0x13455e:$b: ClientPlugin
0.2.Orden de Compra -SA765443,pdf.exe.3e26a60.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Orden de Compra -SA765443,pdf.exe.3e26a60.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Orden de Compra -SA765443,pdf.exe.3e26a60.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42a9b:$c: ProjectData 0x7dbde:$c: ProjectData 0x10a82:$d: DESCrypto 0x434a2:$d: DESCrypto
Click to see the 116 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe, ProcessId: 6548, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

System Summary:

Sigma detected: Suspicius Add Task From User AppData Temp

Show sources

Source: Process started

Author: frack113: Data: Command: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp62E7.tmp, CommandLine: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp62E7.tmp, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe, ParentImage: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe, ParentProcessId: 6548, ProcessCommandLine: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp62E7.tmp, ProcessId: 6712

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0000000E.00000002.310703445.0000000004239000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "c78d90a0-5de6-4b77-9d98-da24b367", "Group": "CHIBOY", "Domain1": "wealthgod1234.ddns.net", "Domain2": "127.0.0.1", "Port": 4693, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 4995, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0.2.Orden de Compra -SA765443,pdf.exe.3d02698.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.Orden de Compra -SA765443,pdf.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Orden de Compra -SA765443,pdf.exe.66b4629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.Orden de Compra -SA765443,pdf.exe.427b7f6.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Orden de Compra -SA765443,pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.Orden de Compra -SA765443,pdf.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Orden de Compra -SA765443,pdf.exe.3e26a60.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.Orden de Compra -SA765443,pdf.exe.4284c55.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Orden de Compra -SA765443,pdf.exe.66b0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.Orden de Compra -SA765443,pdf.exe.428062c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Orden de Compra -SA765443,pdf.exe.4262698.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Orden de Compra -SA765443,pdf.exe.4386a60.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Orden de Compra -SA765443,pdf.exe.405062c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.Orden de Compra -SA765443,pdf.exe.428062c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Orden de Compra -SA765443,pdf.exe.4069618.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.Orden de Compra -SA765443,pdf.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Orden de Compra -SA765443,pdf.exe.405062c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Orden de Compra -SA765443,pdf.exe.66b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.Orden de Compra -SA765443,pdf.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Orden de Compra -SA765443,pdf.exe.4069618.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.Orden de Compra -SA765443,pdf.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.Orden de Compra -SA765443,pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Orden de Compra -SA765443,pdf.exe.4054c55.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Orden de Compra -SA765443,pdf.exe.4386a60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Orden de Compra -SA765443,pdf.exe.3d02698.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Orden de Compra -SA765443,pdf.exe.4262698.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Orden de Compra -SA765443,pdf.exe.3e26a60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.310703445.0000000004239000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.262435507.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.516892703.00000000066B0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.261948516.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.289660204.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.512725162.0000000003001000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.263642925.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.309326840.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.262924739.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.290829502.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.514335905.000000000404D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.310601454.0000000003231000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.507112354.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.292078484.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.291488537.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.296236042.0000000004209000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.268195690.0000000003CA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Orden de Compra -SA765443,pdf.exe PID: 6196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Orden de Compra -SA765443,pdf.exe PID: 6548, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Orden de Compra -SA765443,pdf.exe PID: 6864, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Orden de Compra -SA765443,pdf.exe PID: 4220, type: MEMORYSTR

Source: 5.2.Orden de Compra -SA765443,pdf.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.2.Orden de Compra -SA765443,pdf.exe.66b0000.8.unpack	Avira: Label: TR/NanoCore.fadte
Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.12.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.0.Orden de Compra -SA765443,pdf.exe.400000.12.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.0.Orden de Compra -SA765443,pdf.exe.400000.8.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.10.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.0.Orden de Compra -SA765443,pdf.exe.400000.6.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.8.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.0.Orden de Compra -SA765443,pdf.exe.400000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.2.Orden de Compra -SA765443,pdf.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.6.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.0.Orden de Compra -SA765443,pdf.exe.400000.10.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Source: Orden de Compra -SA765443,pdf.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: Orden de Compra -SA765443,pdf.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Code function: 4x nop then jmp 0129A224h
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Code function: 4x nop then jmp 0129A224h
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Code function: 4x nop then jmp 0169A224h
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Code function: 4x nop then jmp 0169A224h

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: wealthgod1234.ddns.net
Source: Malware configuration extractor	URLs: 127.0.0.1

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: wealthgod1234.ddns.net

Source: Joe Sandbox View

ASN Name: DAVID_CRAIGGG DAVID_CRAIGGG

Source: Joe Sandbox View

IP Address: 185.140.53.12 185.140.53.12

Source: global traffic

TCP traffic: 192.168.2.7:49756 -> 185.140.53.12:4693

Source: Orden de Compra -SA765443,pdf.exe, 00000000.00000002.270115374.0000000006C02000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Orden de Compra -SA765443,pdf.exe, 00000000.00000002.270115374.0000000006C02000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Orden de Compra -SA765443,pdf.exe, 00000000.00000002.270115374.0000000006C02000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Orden de Compra -SA765443,pdf.exe, 00000009.00000002.294956289.0000000003201000.00000004.00000001.sdmp	String found in binary or memory: http://www.chinhdo.com
Source: Orden de Compra -SA765443,pdf.exe, 00000000.00000002.270115374.0000000006C02000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Orden de Compra -SA765443,pdf.exe, 00000000.00000002.270115374.0000000006C02000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Orden de Compra -SA765443,pdf.exe, 00000000.00000002.270115374.0000000006C02000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Orden de Compra -SA765443,pdf.exe, 00000000.00000002.270115374.0000000006C02000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Orden de Compra -SA765443,pdf.exe, 00000000.00000002.270115374.0000000006C02000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Orden de Compra -SA765443,pdf.exe, 00000000.00000002.270115374.0000000006C02000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Orden de Compra -SA765443,pdf.exe, 00000000.00000002.270115374.0000000006C02000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Orden de Compra -SA765443,pdf.exe, 00000000.00000002.270115374.0000000006C02000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Orden de Compra -SA765443,pdf.exe, 00000000.00000002.270115374.0000000006C02000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: Orden de Compra -SA765443,pdf.exe, 00000000.00000002.270115374.0000000006C02000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Orden de Compra -SA765443,pdf.exe, 00000000.00000002.270115374.0000000006C02000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Orden de Compra -SA765443,pdf.exe, 00000000.00000002.270115374.0000000006C02000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Orden de Compra -SA765443,pdf.exe, 00000000.00000002.270115374.0000000006C02000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Orden de Compra -SA765443,pdf.exe, 00000000.00000002.270115374.0000000006C02000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Orden de Compra -SA765443,pdf.exe, 00000000.00000002.270115374.0000000006C02000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Orden de Compra -SA765443,pdf.exe, 00000000.00000002.270115374.0000000006C02000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Orden de Compra -SA765443,pdf.exe, 00000000.00000002.270115374.0000000006C02000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Orden de Compra -SA765443,pdf.exe, 00000000.00000002.270115374.0000000006C02000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Orden de Compra -SA765443,pdf.exe, 00000000.00000002.270115374.0000000006C02000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Orden de Compra -SA765443,pdf.exe, 00000000.00000002.270115374.0000000006C02000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: Orden de Compra -SA765443,pdf.exe, 00000000.00000002.270115374.0000000006C02000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: Orden de Compra -SA765443,pdf.exe, 00000000.00000002.270115374.0000000006C02000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Orden de Compra -SA765443,pdf.exe, 00000000.00000002.270115374.0000000006C02000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: unknown

DNS traffic detected: queries for: wealthgod1234.ddns.net

Source: Orden de Compra -SA765443,pdf.exe, 00000000.00000002.266021612.0000000000F5B000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: Orden de Compra -SA765443,pdf.exe, 00000005.00000002.516892703.00000000066B0000.00000004.00020000.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0.2.Orden de Compra -SA765443,pdf.exe.3d02698.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.Orden de Compra -SA765443,pdf.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Orden de Compra -SA765443,pdf.exe.66b4629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.Orden de Compra -SA765443,pdf.exe.427b7f6.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Orden de Compra -SA765443,pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.Orden de Compra -SA765443,pdf.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Orden de Compra -SA765443,pdf.exe.3e26a60.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.Orden de Compra -SA765443,pdf.exe.4284c55.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Orden de Compra -SA765443,pdf.exe.66b0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.Orden de Compra -SA765443,pdf.exe.428062c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Orden de Compra -SA765443,pdf.exe.4262698.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Orden de Compra -SA765443,pdf.exe.4386a60.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Orden de Compra -SA765443,pdf.exe.405062c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.Orden de Compra -SA765443,pdf.exe.428062c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Orden de Compra -SA765443,pdf.exe.4069618.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.Orden de Compra -SA765443,pdf.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Orden de Compra -SA765443,pdf.exe.405062c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Orden de Compra -SA765443,pdf.exe.66b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.Orden de Compra -SA765443,pdf.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Orden de Compra -SA765443,pdf.exe.4069618.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.Orden de Compra -SA765443,pdf.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.Orden de Compra -SA765443,pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Orden de Compra -SA765443,pdf.exe.4054c55.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Orden de Compra -SA765443,pdf.exe.4386a60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Orden de Compra -SA765443,pdf.exe.3d02698.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Orden de Compra -SA765443,pdf.exe.4262698.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Orden de Compra -SA765443,pdf.exe.3e26a60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.310703445.0000000004239000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.262435507.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.516892703.00000000066B0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.261948516.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.289660204.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.512725162.0000000003001000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.263642925.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.309326840.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.262924739.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.290829502.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.514335905.000000000404D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.310601454.0000000003231000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.507112354.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.292078484.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.291488537.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.296236042.0000000004209000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.268195690.0000000003CA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Orden de Compra -SA765443,pdf.exe PID: 6196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Orden de Compra -SA765443,pdf.exe PID: 6548, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Orden de Compra -SA765443,pdf.exe PID: 6864, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Orden de Compra -SA765443,pdf.exe PID: 4220, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0.2.Orden de Compra -SA765443,pdf.exe.3d02698.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Orden de Compra -SA765443,pdf.exe.3d02698.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.0.Orden de Compra -SA765443,pdf.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.0.Orden de Compra -SA765443,pdf.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.Orden de Compra -SA765443,pdf.exe.3299750.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.Orden de Compra -SA765443,pdf.exe.5ad0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.Orden de Compra -SA765443,pdf.exe.66b4629.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.Orden de Compra -SA765443,pdf.exe.427b7f6.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.Orden de Compra -SA765443,pdf.exe.427b7f6.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.Orden de Compra -SA765443,pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.Orden de Compra -SA765443,pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.0.Orden de Compra -SA765443,pdf.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.0.Orden de Compra -SA765443,pdf.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Orden de Compra -SA765443,pdf.exe.3e26a60.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Orden de Compra -SA765443,pdf.exe.3e26a60.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.Orden de Compra -SA765443,pdf.exe.4284c55.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.Orden de Compra -SA765443,pdf.exe.66b0000.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.Orden de Compra -SA765443,pdf.exe.428062c.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.Orden de Compra -SA765443,pdf.exe.4262698.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.Orden de Compra -SA765443,pdf.exe.4262698.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.Orden de Compra -SA765443,pdf.exe.4386a60.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.Orden de Compra -SA765443,pdf.exe.4386a60.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.Orden de Compra -SA765443,pdf.exe.405062c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.Orden de Compra -SA765443,pdf.exe.428062c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.Orden de Compra -SA765443,pdf.exe.4069618.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.0.Orden de Compra -SA765443,pdf.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.0.Orden de Compra -SA765443,pdf.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.Orden de Compra -SA765443,pdf.exe.405062c.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.Orden de Compra -SA765443,pdf.exe.66b0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.0.Orden de Compra -SA765443,pdf.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.0.Orden de Compra -SA765443,pdf.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.Orden de Compra -SA765443,pdf.exe.4069618.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.0.Orden de Compra -SA765443,pdf.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.0.Orden de Compra -SA765443,pdf.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.Orden de Compra -SA765443,pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.Orden de Compra -SA765443,pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.Orden de Compra -SA765443,pdf.exe.4054c55.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.Orden de Compra -SA765443,pdf.exe.3034bbc.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.Orden de Compra -SA765443,pdf.exe.4386a60.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.Orden de Compra -SA765443,pdf.exe.4386a60.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Orden de Compra -SA765443,pdf.exe.3d02698.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Orden de Compra -SA765443,pdf.exe.3d02698.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.Orden de Compra -SA765443,pdf.exe.4262698.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.Orden de Compra -SA765443,pdf.exe.4262698.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Orden de Compra -SA765443,pdf.exe.3e26a60.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Orden de Compra -SA765443,pdf.exe.3e26a60.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.310703445.0000000004239000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000000.262435507.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000000.262435507.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.516892703.00000000066B0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000000.261948516.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000000.261948516.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000000.289660204.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000000.289660204.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000000.263642925.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000000.263642925.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.516734883.0000000005AD0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.309326840.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.309326840.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000000.262924739.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000000.262924739.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000000.290829502.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000000.290829502.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.310601454.0000000003231000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.507112354.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.507112354.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000000.292078484.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000000.292078484.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000000.291488537.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000000.291488537.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.296236042.0000000004209000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.296236042.0000000004209000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.268195690.0000000003CA9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.268195690.0000000003CA9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Orden de Compra -SA765443,pdf.exe PID: 6196, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Orden de Compra -SA765443,pdf.exe PID: 6196, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Orden de Compra -SA765443,pdf.exe PID: 6548, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Orden de Compra -SA765443,pdf.exe PID: 6548, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Orden de Compra -SA765443,pdf.exe PID: 6864, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Orden de Compra -SA765443,pdf.exe PID: 6864, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Orden de Compra -SA765443,pdf.exe PID: 4220, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Orden de Compra -SA765443,pdf.exe PID: 4220, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: Orden de Compra -SA765443,pdf.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 0.2.Orden de Compra -SA765443,pdf.exe.3d02698.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Orden de Compra -SA765443,pdf.exe.3d02698.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.Orden de Compra -SA765443,pdf.exe.3d02698.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.0.Orden de Compra -SA765443,pdf.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.0.Orden de Compra -SA765443,pdf.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.0.Orden de Compra -SA765443,pdf.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.Orden de Compra -SA765443,pdf.exe.3299750.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.Orden de Compra -SA765443,pdf.exe.3299750.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.Orden de Compra -SA765443,pdf.exe.5ad0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.Orden de Compra -SA765443,pdf.exe.5ad0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.Orden de Compra -SA765443,pdf.exe.66b4629.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.Orden de Compra -SA765443,pdf.exe.66b4629.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.Orden de Compra -SA765443,pdf.exe.427b7f6.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.Orden de Compra -SA765443,pdf.exe.427b7f6.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.Orden de Compra -SA765443,pdf.exe.427b7f6.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.Orden de Compra -SA765443,pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.Orden de Compra -SA765443,pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.Orden de Compra -SA765443,pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.0.Orden de Compra -SA765443,pdf.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.0.Orden de Compra -SA765443,pdf.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.0.Orden de Compra -SA765443,pdf.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Orden de Compra -SA765443,pdf.exe.3e26a60.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Orden de Compra -SA765443,pdf.exe.3e26a60.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.Orden de Compra -SA765443,pdf.exe.3e26a60.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.Orden de Compra -SA765443,pdf.exe.4284c55.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.Orden de Compra -SA765443,pdf.exe.4284c55.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.Orden de Compra -SA765443,pdf.exe.66b0000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.Orden de Compra -SA765443,pdf.exe.66b0000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.Orden de Compra -SA765443,pdf.exe.428062c.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.Orden de Compra -SA765443,pdf.exe.428062c.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.Orden de Compra -SA765443,pdf.exe.4262698.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.Orden de Compra -SA765443,pdf.exe.4262698.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.Orden de Compra -SA765443,pdf.exe.4262698.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.Orden de Compra -SA765443,pdf.exe.4386a60.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.Orden de Compra -SA765443,pdf.exe.4386a60.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.Orden de Compra -SA765443,pdf.exe.4386a60.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.Orden de Compra -SA765443,pdf.exe.405062c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.Orden de Compra -SA765443,pdf.exe.405062c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.Orden de Compra -SA765443,pdf.exe.428062c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.Orden de Compra -SA765443,pdf.exe.428062c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.Orden de Compra -SA765443,pdf.exe.4069618.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.Orden de Compra -SA765443,pdf.exe.4069618.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.0.Orden de Compra -SA765443,pdf.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.0.Orden de Compra -SA765443,pdf.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.0.Orden de Compra -SA765443,pdf.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.Orden de Compra -SA765443,pdf.exe.405062c.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.Orden de Compra -SA765443,pdf.exe.405062c.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.Orden de Compra -SA765443,pdf.exe.66b0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.Orden de Compra -SA765443,pdf.exe.66b0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.0.Orden de Compra -SA765443,pdf.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.0.Orden de Compra -SA765443,pdf.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.0.Orden de Compra -SA765443,pdf.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.Orden de Compra -SA765443,pdf.exe.4069618.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.Orden de Compra -SA765443,pdf.exe.4069618.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.0.Orden de Compra -SA765443,pdf.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.0.Orden de Compra -SA765443,pdf.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.0.Orden de Compra -SA765443,pdf.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.Orden de Compra -SA765443,pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.Orden de Compra -SA765443,pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.Orden de Compra -SA765443,pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.Orden de Compra -SA765443,pdf.exe.4054c55.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.Orden de Compra -SA765443,pdf.exe.4054c55.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.Orden de Compra -SA765443,pdf.exe.3034bbc.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.Orden de Compra -SA765443,pdf.exe.3034bbc.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.Orden de Compra -SA765443,pdf.exe.4386a60.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.Orden de Compra -SA765443,pdf.exe.4386a60.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Orden de Compra -SA765443,pdf.exe.3d02698.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Orden de Compra -SA765443,pdf.exe.3d02698.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.Orden de Compra -SA765443,pdf.exe.4262698.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.Orden de Compra -SA765443,pdf.exe.4262698.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Orden de Compra -SA765443,pdf.exe.3e26a60.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Orden de Compra -SA765443,pdf.exe.3e26a60.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.310703445.0000000004239000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000000.262435507.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000000.262435507.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.516892703.00000000066B0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.516892703.00000000066B0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000005.00000000.261948516.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000000.261948516.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000000.289660204.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000000.289660204.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000000.263642925.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000000.263642925.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.516734883.0000000005AD0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.516734883.0000000005AD0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000E.00000002.309326840.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.309326840.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000000.262924739.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000000.262924739.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000000.290829502.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000000.290829502.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.310601454.0000000003231000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.507112354.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.507112354.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000000.292078484.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000000.292078484.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000000.291488537.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000000.291488537.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.296236042.0000000004209000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.296236042.0000000004209000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.268195690.0000000003CA9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.268195690.0000000003CA9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Orden de Compra -SA765443,pdf.exe PID: 6196, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Orden de Compra -SA765443,pdf.exe PID: 6196, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Orden de Compra -SA765443,pdf.exe PID: 6548, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Orden de Compra -SA765443,pdf.exe PID: 6548, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Orden de Compra -SA765443,pdf.exe PID: 6864, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Orden de Compra -SA765443,pdf.exe PID: 6864, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Orden de Compra -SA765443,pdf.exe PID: 4220, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Orden de Compra -SA765443,pdf.exe PID: 4220, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Code function: 0_2_0129A060
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Code function: 0_2_01298410
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Code function: 0_2_0129B4C8
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Code function: 0_2_0129E188
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Code function: 0_2_0129A053
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Code function: 0_2_0752F338
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Code function: 0_2_07522113
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Code function: 0_2_0752D978
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Code function: 0_2_07523ADF
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Code function: 0_2_07523AF0
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Code function: 0_2_07523890
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Code function: 0_2_075238A0
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Code function: 5_2_0555E471
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Code function: 5_2_0555E480
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Code function: 5_2_0555BBD4
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Code function: 9_2_0169A060
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Code function: 9_2_01698410
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Code function: 9_2_0169B4C8
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Code function: 9_2_0169E188
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Code function: 9_2_0169A050
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Code function: 9_2_0757D978
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Code function: 9_2_07572113
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Code function: 9_2_07573ADF
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Code function: 9_2_07573AF0
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Code function: 9_2_07573890
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Code function: 9_2_075738A0
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Code function: 14_2_0197E480
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Code function: 14_2_0197E471
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Code function: 14_2_0197BBD4

Source: Orden de Compra -SA765443,pdf.exe, 00000000.00000002.265515025.00000000008EC000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameBinaryAssemblyIn.exeP vs Orden de Compra -SA765443,pdf.exe
Source: Orden de Compra -SA765443,pdf.exe, 00000000.00000002.266827018.0000000002CA1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameTransactionalFileManager.dllf# vs Orden de Compra -SA765443,pdf.exe
Source: Orden de Compra -SA765443,pdf.exe, 00000000.00000002.266021612.0000000000F5B000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Orden de Compra -SA765443,pdf.exe
Source: Orden de Compra -SA765443,pdf.exe, 00000000.00000002.268195690.0000000003CA9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUI.dll@ vs Orden de Compra -SA765443,pdf.exe
Source: Orden de Compra -SA765443,pdf.exe, 00000005.00000002.512725162.0000000003001000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Orden de Compra -SA765443,pdf.exe
Source: Orden de Compra -SA765443,pdf.exe, 00000005.00000000.260346348.0000000000D7C000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameBinaryAssemblyIn.exeP vs Orden de Compra -SA765443,pdf.exe
Source: Orden de Compra -SA765443,pdf.exe, 00000005.00000002.516882135.00000000066A0000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs Orden de Compra -SA765443,pdf.exe
Source: Orden de Compra -SA765443,pdf.exe, 00000005.00000002.516892703.00000000066B0000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Orden de Compra -SA765443,pdf.exe
Source: Orden de Compra -SA765443,pdf.exe, 00000009.00000002.293137418.0000000000E3C000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameBinaryAssemblyIn.exeP vs Orden de Compra -SA765443,pdf.exe
Source: Orden de Compra -SA765443,pdf.exe, 00000009.00000002.296236042.0000000004209000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUI.dll@ vs Orden de Compra -SA765443,pdf.exe
Source: Orden de Compra -SA765443,pdf.exe, 00000009.00000002.294956289.0000000003201000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameTransactionalFileManager.dllf# vs Orden de Compra -SA765443,pdf.exe
Source: Orden de Compra -SA765443,pdf.exe, 0000000E.00000002.310703445.0000000004239000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Orden de Compra -SA765443,pdf.exe
Source: Orden de Compra -SA765443,pdf.exe, 0000000E.00000002.310703445.0000000004239000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs Orden de Compra -SA765443,pdf.exe
Source: Orden de Compra -SA765443,pdf.exe, 0000000E.00000002.310703445.0000000004239000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Orden de Compra -SA765443,pdf.exe
Source: Orden de Compra -SA765443,pdf.exe, 0000000E.00000000.292208495.0000000000F2C000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameBinaryAssemblyIn.exeP vs Orden de Compra -SA765443,pdf.exe
Source: Orden de Compra -SA765443,pdf.exe	Binary or memory string: OriginalFilenameBinaryAssemblyIn.exeP vs Orden de Compra -SA765443,pdf.exe

Source: Orden de Compra -SA765443,pdf.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Orden de Compra -SA765443,pdf.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe

File read: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe

Jump to behavior

Source: Orden de Compra -SA765443,pdf.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe "C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe"
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process created: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp62E7.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe "C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe" 0
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process created: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process created: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp62E7.tmp
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process created: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe

Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Orden de Compra -SA765443,pdf.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe

File created: C:\Users\user\AppData\Local\Temp\tmp62E7.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@9/5@16/1

Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.2.Orden de Compra -SA765443,pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.2.Orden de Compra -SA765443,pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{c78d90a0-5de6-4b77-9d98-da24b3672291}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6728:120:WilError_01

Source: Orden de Compra -SA765443,pdf.exe, ue000.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Orden de Compra -SA765443,pdf.exe.860000.0.unpack, ue000.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.Orden de Compra -SA765443,pdf.exe.860000.0.unpack, ue000.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.0.Orden de Compra -SA765443,pdf.exe.cf0000.5.unpack, ue000.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.0.Orden de Compra -SA765443,pdf.exe.cf0000.0.unpack, ue000.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.Orden de Compra -SA765443,pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.2.Orden de Compra -SA765443,pdf.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.Orden de Compra -SA765443,pdf.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.0.Orden de Compra -SA765443,pdf.exe.cf0000.3.unpack, ue000.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: Orden de Compra -SA765443,pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Orden de Compra -SA765443,pdf.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: 5.2.Orden de Compra -SA765443,pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.Orden de Compra -SA765443,pdf.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.12.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.10.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.8.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: initial sample

Static PE information: section name: .text entropy: 7.72977166234

Source: 5.2.Orden de Compra -SA765443,pdf.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 5.2.Orden de Compra -SA765443,pdf.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.12.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.12.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.10.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.10.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.4.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.4.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.8.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.8.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp62E7.tmp

Hooking and other Techniques for Hiding and Protection:

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Show sources

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: download (67).png

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe

File opened: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe:Zone.Identifier read attributes | delete

Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 9.2.Orden de Compra -SA765443,pdf.exe.322a178.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Orden de Compra -SA765443,pdf.exe.2cca178.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.266827018.0000000002CA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.294956289.0000000003201000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.266922252.0000000002CDE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.295061035.000000000323E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Orden de Compra -SA765443,pdf.exe PID: 6196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Orden de Compra -SA765443,pdf.exe PID: 6864, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Orden de Compra -SA765443,pdf.exe, 00000000.00000002.266827018.0000000002CA1000.00000004.00000001.sdmp, Orden de Compra -SA765443,pdf.exe, 00000009.00000002.294956289.0000000003201000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: Orden de Compra -SA765443,pdf.exe, 00000000.00000002.266827018.0000000002CA1000.00000004.00000001.sdmp, Orden de Compra -SA765443,pdf.exe, 00000009.00000002.294956289.0000000003201000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe TID: 6200	Thread sleep time: -32640s >= -30000s
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe TID: 6232	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe TID: 6860	Thread sleep time: -13835058055282155s >= -30000s
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe TID: 6868	Thread sleep time: -34498s >= -30000s
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe TID: 6916	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe TID: 5872	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Window / User API: threadDelayed 4239
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Window / User API: threadDelayed 5280
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Window / User API: foregroundWindowGot 870

Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Thread delayed: delay time: 32640
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Thread delayed: delay time: 34498
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Thread delayed: delay time: 922337203685477

Source: Orden de Compra -SA765443,pdf.exe, 00000009.00000002.294956289.0000000003201000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: Orden de Compra -SA765443,pdf.exe, 00000009.00000002.294956289.0000000003201000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Orden de Compra -SA765443,pdf.exe, 00000009.00000002.294956289.0000000003201000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: Orden de Compra -SA765443,pdf.exe, 00000009.00000002.294956289.0000000003201000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Memory written: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Memory written: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process created: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp62E7.tmp
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Process created: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe

Source: Orden de Compra -SA765443,pdf.exe, 00000005.00000002.512339089.0000000001A40000.00000002.00020000.sdmp	Binary or memory string: uProgram Manager
Source: Orden de Compra -SA765443,pdf.exe, 00000005.00000002.516849356.00000000065AB000.00000004.00000010.sdmp	Binary or memory string: Program Manager
Source: Orden de Compra -SA765443,pdf.exe, 00000005.00000002.512339089.0000000001A40000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: Orden de Compra -SA765443,pdf.exe, 00000005.00000002.512339089.0000000001A40000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: Orden de Compra -SA765443,pdf.exe, 00000005.00000002.512339089.0000000001A40000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0.2.Orden de Compra -SA765443,pdf.exe.3d02698.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.Orden de Compra -SA765443,pdf.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Orden de Compra -SA765443,pdf.exe.66b4629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.Orden de Compra -SA765443,pdf.exe.427b7f6.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Orden de Compra -SA765443,pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.Orden de Compra -SA765443,pdf.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Orden de Compra -SA765443,pdf.exe.3e26a60.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.Orden de Compra -SA765443,pdf.exe.4284c55.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Orden de Compra -SA765443,pdf.exe.66b0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.Orden de Compra -SA765443,pdf.exe.428062c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Orden de Compra -SA765443,pdf.exe.4262698.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Orden de Compra -SA765443,pdf.exe.4386a60.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Orden de Compra -SA765443,pdf.exe.405062c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.Orden de Compra -SA765443,pdf.exe.428062c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Orden de Compra -SA765443,pdf.exe.4069618.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.Orden de Compra -SA765443,pdf.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Orden de Compra -SA765443,pdf.exe.405062c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Orden de Compra -SA765443,pdf.exe.66b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.Orden de Compra -SA765443,pdf.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Orden de Compra -SA765443,pdf.exe.4069618.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.Orden de Compra -SA765443,pdf.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.Orden de Compra -SA765443,pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Orden de Compra -SA765443,pdf.exe.4054c55.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Orden de Compra -SA765443,pdf.exe.4386a60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Orden de Compra -SA765443,pdf.exe.3d02698.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Orden de Compra -SA765443,pdf.exe.4262698.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Orden de Compra -SA765443,pdf.exe.3e26a60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.310703445.0000000004239000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.262435507.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.516892703.00000000066B0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.261948516.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.289660204.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.512725162.0000000003001000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.263642925.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.309326840.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.262924739.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.290829502.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.514335905.000000000404D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.310601454.0000000003231000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.507112354.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.292078484.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.291488537.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.296236042.0000000004209000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.268195690.0000000003CA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Orden de Compra -SA765443,pdf.exe PID: 6196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Orden de Compra -SA765443,pdf.exe PID: 6548, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Orden de Compra -SA765443,pdf.exe PID: 6864, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Orden de Compra -SA765443,pdf.exe PID: 4220, type: MEMORYSTR

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: Orden de Compra -SA765443,pdf.exe, 00000000.00000002.268195690.0000000003CA9000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Orden de Compra -SA765443,pdf.exe, 00000005.00000002.512725162.0000000003001000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Orden de Compra -SA765443,pdf.exe, 00000005.00000002.512725162.0000000003001000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: Orden de Compra -SA765443,pdf.exe, 00000009.00000002.296236042.0000000004209000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Orden de Compra -SA765443,pdf.exe, 0000000E.00000002.310703445.0000000004239000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Orden de Compra -SA765443,pdf.exe, 0000000E.00000002.310703445.0000000004239000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0.2.Orden de Compra -SA765443,pdf.exe.3d02698.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.Orden de Compra -SA765443,pdf.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Orden de Compra -SA765443,pdf.exe.66b4629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.Orden de Compra -SA765443,pdf.exe.427b7f6.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Orden de Compra -SA765443,pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.Orden de Compra -SA765443,pdf.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Orden de Compra -SA765443,pdf.exe.3e26a60.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.Orden de Compra -SA765443,pdf.exe.4284c55.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Orden de Compra -SA765443,pdf.exe.66b0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.Orden de Compra -SA765443,pdf.exe.428062c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Orden de Compra -SA765443,pdf.exe.4262698.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Orden de Compra -SA765443,pdf.exe.4386a60.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Orden de Compra -SA765443,pdf.exe.405062c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.Orden de Compra -SA765443,pdf.exe.428062c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Orden de Compra -SA765443,pdf.exe.4069618.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.Orden de Compra -SA765443,pdf.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Orden de Compra -SA765443,pdf.exe.405062c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Orden de Compra -SA765443,pdf.exe.66b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.Orden de Compra -SA765443,pdf.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Orden de Compra -SA765443,pdf.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Orden de Compra -SA765443,pdf.exe.4069618.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.Orden de Compra -SA765443,pdf.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.Orden de Compra -SA765443,pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Orden de Compra -SA765443,pdf.exe.4054c55.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Orden de Compra -SA765443,pdf.exe.4386a60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Orden de Compra -SA765443,pdf.exe.3d02698.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Orden de Compra -SA765443,pdf.exe.4262698.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Orden de Compra -SA765443,pdf.exe.3e26a60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.310703445.0000000004239000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.262435507.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.516892703.00000000066B0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.261948516.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.289660204.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.512725162.0000000003001000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.263642925.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.309326840.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.262924739.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.290829502.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.514335905.000000000404D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.310601454.0000000003231000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.507112354.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.292078484.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.291488537.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.296236042.0000000004209000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.268195690.0000000003CA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Orden de Compra -SA765443,pdf.exe PID: 6196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Orden de Compra -SA765443,pdf.exe PID: 6548, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Orden de Compra -SA765443,pdf.exe PID: 6864, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Orden de Compra -SA765443,pdf.exe PID: 4220, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job1	Scheduled Task/Job1	Process Injection112	Masquerading11	Input Capture21	Security Software Discovery11	Remote Services	Input Capture21	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Disable or Modify Tools1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion21	Security Account Manager	Virtualization/Sandbox Evasion21	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection112	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	System Information Discovery12	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol21	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Hidden Files and Directories1	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information2	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing13	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
5.2.Orden de Compra -SA765443,pdf.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
5.2.Orden de Compra -SA765443,pdf.exe.66b0000.8.unpack	100%	Avira	TR/NanoCore.fadte	Download File
5.0.Orden de Compra -SA765443,pdf.exe.400000.12.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
14.0.Orden de Compra -SA765443,pdf.exe.400000.12.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
14.0.Orden de Compra -SA765443,pdf.exe.400000.8.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
5.0.Orden de Compra -SA765443,pdf.exe.400000.10.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
14.0.Orden de Compra -SA765443,pdf.exe.400000.6.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
5.0.Orden de Compra -SA765443,pdf.exe.400000.4.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
5.0.Orden de Compra -SA765443,pdf.exe.400000.8.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
14.0.Orden de Compra -SA765443,pdf.exe.400000.4.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
14.2.Orden de Compra -SA765443,pdf.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
5.0.Orden de Compra -SA765443,pdf.exe.400000.6.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
14.0.Orden de Compra -SA765443,pdf.exe.400000.10.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File

Domains

Source	Detection	Scanner	Label	Link
wealthgod1234.ddns.net	2%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
wealthgod1234.ddns.net	2%	Virustotal		Browse
wealthgod1234.ddns.net	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.chinhdo.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
127.0.0.1	0%	Virustotal		Browse
127.0.0.1	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
wealthgod1234.ddns.net	185.140.53.12	true	true	2%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
wealthgod1234.ddns.net	true	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
127.0.0.1	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	Orden de Compra -SA765443,pdf.exe, 00000000.00000002.270115374.0000000006C02000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com	Orden de Compra -SA765443,pdf.exe, 00000000.00000002.270115374.0000000006C02000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	Orden de Compra -SA765443,pdf.exe, 00000000.00000002.270115374.0000000006C02000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	Orden de Compra -SA765443,pdf.exe, 00000000.00000002.270115374.0000000006C02000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	Orden de Compra -SA765443,pdf.exe, 00000000.00000002.270115374.0000000006C02000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	Orden de Compra -SA765443,pdf.exe, 00000000.00000002.270115374.0000000006C02000.00000004.00000001.sdmp	false		high
http://www.tiro.com	Orden de Compra -SA765443,pdf.exe, 00000000.00000002.270115374.0000000006C02000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	Orden de Compra -SA765443,pdf.exe, 00000000.00000002.270115374.0000000006C02000.00000004.00000001.sdmp	false		high
http://www.goodfont.co.kr	Orden de Compra -SA765443,pdf.exe, 00000000.00000002.270115374.0000000006C02000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	Orden de Compra -SA765443,pdf.exe, 00000000.00000002.270115374.0000000006C02000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	Orden de Compra -SA765443,pdf.exe, 00000000.00000002.270115374.0000000006C02000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	Orden de Compra -SA765443,pdf.exe, 00000000.00000002.270115374.0000000006C02000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	Orden de Compra -SA765443,pdf.exe, 00000000.00000002.270115374.0000000006C02000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	Orden de Compra -SA765443,pdf.exe, 00000000.00000002.270115374.0000000006C02000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	Orden de Compra -SA765443,pdf.exe, 00000000.00000002.270115374.0000000006C02000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	Orden de Compra -SA765443,pdf.exe, 00000000.00000002.270115374.0000000006C02000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	Orden de Compra -SA765443,pdf.exe, 00000000.00000002.270115374.0000000006C02000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	Orden de Compra -SA765443,pdf.exe, 00000000.00000002.270115374.0000000006C02000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	Orden de Compra -SA765443,pdf.exe, 00000000.00000002.270115374.0000000006C02000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	Orden de Compra -SA765443,pdf.exe, 00000000.00000002.270115374.0000000006C02000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	Orden de Compra -SA765443,pdf.exe, 00000000.00000002.270115374.0000000006C02000.00000004.00000001.sdmp	false		high
http://www.fonts.com	Orden de Compra -SA765443,pdf.exe, 00000000.00000002.270115374.0000000006C02000.00000004.00000001.sdmp	false		high
http://www.sandoll.co.kr	Orden de Compra -SA765443,pdf.exe, 00000000.00000002.270115374.0000000006C02000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	Orden de Compra -SA765443,pdf.exe, 00000000.00000002.270115374.0000000006C02000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	Orden de Compra -SA765443,pdf.exe, 00000000.00000002.270115374.0000000006C02000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.chinhdo.com	Orden de Compra -SA765443,pdf.exe, 00000009.00000002.294956289.0000000003201000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	Orden de Compra -SA765443,pdf.exe, 00000000.00000002.270115374.0000000006C02000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.140.53.12	wealthgod1234.ddns.net	Sweden		209623	DAVID_CRAIGGG	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	527111
Start date:	23.11.2021
Start time:	11:58:19
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 1s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Orden de Compra -SA765443,pdf.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@9/5@16/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 1% (good quality ratio 0.4%) Quality average: 26.6% Quality standard deviation: 36%
HCA Information:	Successful, ratio: 90% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 23.211.6.115 Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtDeviceIoControlFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:59:21	API Interceptor	921x Sleep call for process: Orden de Compra -SA765443,pdf.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
185.140.53.12	Hemotronik Nov Acil PO_76565,pdf.exe	Get hash	malicious	Browse
	SOMECO Nov Acil PO_76565,pdf.exe	Get hash	malicious	Browse
	Sifari#U015fin t#U0259sdiq edilm#U0259si _ T#U0259cili,pdf.exe	Get hash	malicious	Browse
	AWB # 2617429350,pdf.exe	Get hash	malicious	Browse
	AWB # 2617429350,pdf.exe	Get hash	malicious	Browse
	C.GNew pedido WJO-001,pdf.exe	Get hash	malicious	Browse
	DHL_119040 re#U00e7u,pdf (2).exe	Get hash	malicious	Browse
	Confirmaci#U00f3n de pedido nuevo-5309,pdf.exe	Get hash	malicious	Browse
	Urgente RFQ_AP65425652_032421,pdf.exe	Get hash	malicious	Browse
	Urgent RFQ_AP65425652_03242,pdf.exe	Get hash	malicious	Browse
	vmw7WdkJ6k.exe	Get hash	malicious	Browse
	CONTRACT PMA1911003.exe	Get hash	malicious	Browse
	003663-37399.exe	Get hash	malicious	Browse
	BingUpdate.exe	Get hash	malicious	Browse
	Documents RF V23665.exe	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DAVID_CRAIGGG	purchase order 0112.exe	Get hash	malicious	Browse	185.140.53.137
	9mMANDmw9O.exe	Get hash	malicious	Browse	91.193.75.190
	TR0398734893 50601251.exe	Get hash	malicious	Browse	185.140.53.131
	swift.xls	Get hash	malicious	Browse	91.193.75.212
	SOA_0009877890.exe	Get hash	malicious	Browse	185.244.30.58
	8UYr1od7iW.exe	Get hash	malicious	Browse	91.193.75.148
	928272_Payment_Receipt.vbs	Get hash	malicious	Browse	185.140.53.3
	N2K18_Payment_Copy.vbs	Get hash	malicious	Browse	185.140.53.3
	U2M19O_Payment_Copy.vbs	Get hash	malicious	Browse	185.140.53.3
	J3m1a_Payment_Copy.vbs	Get hash	malicious	Browse	185.140.53.3
	18-11-21 Statement.xlsx	Get hash	malicious	Browse	91.193.75.148
	bWKXCwatmt.exe	Get hash	malicious	Browse	91.193.75.148
	17-11-21 STATEMENT.xlsx	Get hash	malicious	Browse	91.193.75.148
	Copy of Complaint report-1st Nov21 to 16th Nov21.xlsx	Get hash	malicious	Browse	91.193.75.148
	UTYHFG03983765367839837653.exe	Get hash	malicious	Browse	185.140.53.131
	IkGcQX45T8.exe	Get hash	malicious	Browse	91.193.75.148
	vcjjMWSZx8.exe	Get hash	malicious	Browse	185.140.53.138
	000876543234567.exe	Get hash	malicious	Browse	185.244.30.58
	Dhl_Shipment_one.exe	Get hash	malicious	Browse	185.140.53.137
	PO.E210115.exe	Get hash	malicious	Browse	185.244.30.252

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Orden de Compra -SA765443,pdf.exe.log Download File
Process:	C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Temp\tmp62E7.tmp Download File
Process:	C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1323
Entropy (8bit):	5.12284374389714
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0kxtn:cbk4oL600QydbQxIYODOLedq3Jj
MD5:	38A67D49BD1B250B49E9E6A7ECD6CD14
SHA1:	4FDD0D9B3F3E4E5B48CA231343324E30951BE2E3
SHA-256:	6DD0B3C0DFA7950B1DEDA930882F3E84912932021A76F853561BA640816D4251
SHA-512:	86DB3AF07E0180504DCBFCE1FC1BC7F6A00F12BD8AF76774382E3B4CEF4BD5ED9FBDEE8089F772AA075B973257C922C4E89C279B4E09362173794617B7BF60AC
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat Download File
Process:	C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	128
Entropy (8bit):	6.527114648336088
Encrypted:	false
SSDEEP:	3:XrURGizD7cnRH5/ljRAaTlKYrI1Sj9txROIsxcMek2:X4LDAn1rplKTYBROIsxek2
MD5:	0A9C5EAE8756D6FC90F59D8D71A79E1E
SHA1:	0F7D6AAED17CD18DC614535ED26335C147E29ED7
SHA-256:	B1921EA14C66927397BAF3FA456C22B93C30C3DE23546087C0B18551CE5001C5
SHA-512:	78C2F399AC49C78D89915DFF99AC955B5E0AB07BAAD61B07B0CE073C88C1D3A9F1D302C2413691B349DD34441B0FF909C08A4F71E2F1B73F46C1FF308BC7CF9A
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P.OT....g.t......'7......)..8zII..K/....n3...3.5.......&.7].)..wL...:}g...@...mV.....JUP...w

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:0keIt:0A
MD5:	94B41CFEE4E2B49BD4C1E82A95852AF4
SHA1:	4BB08756493EB9A0E663E0688E451841BC9BE9CD
SHA-256:	42CE8F756A9AF3726B6EFDA3823B0DBB539AB1EDF322B08B807E4ADD86A819E7
SHA-512:	96A9FC234C38C2D983CE8EED8823EF3F9E2E907B6EE967DEF3981F7ED6E351654F58B98B5877A3620D2FC84C0171EB9DA92BC3B0EA8B030ABCD78B8CE90423BF
Malicious:	true
Reputation:	low
Preview:	.>.....H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat Download File
Process:	C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.608288146260291
Encrypted:	false
SSDEEP:	3:oN0naRRqXIgq9EDDJ:oNcSRqXIFED9
MD5:	FC28A690D1E29EEEC388DFB51CCB3449
SHA1:	D20184CB0468F8BA3D1481A9BD72CB8956FB10AA
SHA-256:	5DC03F18C097ACE50982402ED7A9829F8ECDAEAFC6E048147E5AA871DEEF845F
SHA-512:	B1B8A12EC1EAB4634BE96CD46D1B24AA2B1797E531EAB965DE4BE752CB0B1CED61713FDF4B635F76B10F92A3E9AE62C6D7087F9BD4E5758BF6062E31AB165C07
Malicious:	false
Preview:	C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.69147440283363
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Orden de Compra -SA765443,pdf.exe
File size:	577536
MD5:	f7f223c7625c5c9df43af835298c1183
SHA1:	2105dc6b41d1ec220e89fb018fb1fd95b9a22d5a
SHA256:	7a356a718b0ca6272486633efb6a34c6301007f50766d8cfab60a996f2729935
SHA512:	0238b920a0f2afc3df08c5634573037eaf649464f0324afc3a1bc1ca1aafe858bb31e75feb1c487cdbf6a8496a5128c21fda112fe439c45299f10d853a0ed290
SSDEEP:	12288:sglS4oq0RueU5AzUJCjKs7pw2i/FB8r7S5Ud3EWtD00UxZ:NlSoEfUAWE7UFS3cUWWC0Ux
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0......D........... ........@.. .......................@............@................................

File Icon


Icon Hash:	c49a0894909c6494

Static PE Info

General
Entrypoint:	0x48a81e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x619CB29F [Tue Nov 23 09:21:35 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8a7cc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8c000	0x4200	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x92000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x88824	0x88a00	False	0.853445934355	data	7.72977166234	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x8c000	0x4200	0x4200	False	0.455669981061	data	5.72908968706	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x92000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x8c190	0x468	GLS_BINARY_LSB_FIRST
RT_ICON	0x8c5f8	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 1134929317, next used block 44344484
RT_ICON	0x8d6a0	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_GROUP_ICON	0x8fc48	0x30	data
RT_VERSION	0x8fc78	0x388	data
RT_MANIFEST	0x90000	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	(C) 2009
Assembly Version	1.1.0.0
InternalName	BinaryAssemblyIn.exe
FileVersion	1.1.0.0
CompanyName	Joseph Magnin
LegalTrademarks
Comments	Dental
ProductName	GitHub ValidationEngine
ProductVersion	1.1.0.0
FileDescription	GitHub ValidationEngine
OriginalFilename	BinaryAssemblyIn.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
11/23/21-11:59:33.326172	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	54640	8.8.8.8	192.168.2.7
11/23/21-11:59:39.867599	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	58739	8.8.8.8	192.168.2.7
11/23/21-11:59:52.949500	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	59762	8.8.8.8	192.168.2.7
11/23/21-12:00:21.346042	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	50781	8.8.8.8	192.168.2.7
11/23/21-12:00:28.959265	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	50452	8.8.8.8	192.168.2.7
11/23/21-12:00:49.940231	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	49247	8.8.8.8	192.168.2.7
11/23/21-12:00:56.951611	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	56064	8.8.8.8	192.168.2.7
11/23/21-12:01:11.033668	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	61457	8.8.8.8	192.168.2.7
11/23/21-12:01:18.086716	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	58367	8.8.8.8	192.168.2.7

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2021 11:59:33.337551117 CET	49756	4693	192.168.2.7	185.140.53.12
Nov 23, 2021 11:59:33.574400902 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:33.574518919 CET	49756	4693	192.168.2.7	185.140.53.12
Nov 23, 2021 11:59:33.633510113 CET	49756	4693	192.168.2.7	185.140.53.12
Nov 23, 2021 11:59:33.868426085 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:33.868505955 CET	49756	4693	192.168.2.7	185.140.53.12
Nov 23, 2021 11:59:33.993396997 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:34.055079937 CET	49756	4693	192.168.2.7	185.140.53.12
Nov 23, 2021 11:59:34.130394936 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:34.130495071 CET	49756	4693	192.168.2.7	185.140.53.12
Nov 23, 2021 11:59:34.330420017 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:34.442317009 CET	49756	4693	192.168.2.7	185.140.53.12
Nov 23, 2021 11:59:34.531650066 CET	49756	4693	192.168.2.7	185.140.53.12
Nov 23, 2021 11:59:34.760502100 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:34.760591030 CET	49756	4693	192.168.2.7	185.140.53.12
Nov 23, 2021 11:59:34.905227900 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:34.905368090 CET	49756	4693	192.168.2.7	185.140.53.12
Nov 23, 2021 11:59:34.921463013 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:34.921520948 CET	49756	4693	192.168.2.7	185.140.53.12
Nov 23, 2021 11:59:34.925437927 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:34.925528049 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:34.925600052 CET	49756	4693	192.168.2.7	185.140.53.12
Nov 23, 2021 11:59:34.930630922 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:34.930704117 CET	49756	4693	192.168.2.7	185.140.53.12
Nov 23, 2021 11:59:34.936819077 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:34.936903000 CET	49756	4693	192.168.2.7	185.140.53.12
Nov 23, 2021 11:59:34.940973043 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:34.941088915 CET	49756	4693	192.168.2.7	185.140.53.12
Nov 23, 2021 11:59:34.951020956 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:34.951116085 CET	49756	4693	192.168.2.7	185.140.53.12
Nov 23, 2021 11:59:34.954480886 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:34.954556942 CET	49756	4693	192.168.2.7	185.140.53.12
Nov 23, 2021 11:59:34.976289034 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:34.976392984 CET	49756	4693	192.168.2.7	185.140.53.12
Nov 23, 2021 11:59:35.032165051 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:35.113380909 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:35.119410992 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:35.119518042 CET	49756	4693	192.168.2.7	185.140.53.12
Nov 23, 2021 11:59:35.129333019 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:35.197905064 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:35.197951078 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:35.197987080 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:35.197997093 CET	49756	4693	192.168.2.7	185.140.53.12
Nov 23, 2021 11:59:35.198024035 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:35.198055029 CET	49756	4693	192.168.2.7	185.140.53.12
Nov 23, 2021 11:59:35.198061943 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:35.198100090 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:35.198120117 CET	49756	4693	192.168.2.7	185.140.53.12
Nov 23, 2021 11:59:35.210349083 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:35.210514069 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:35.210557938 CET	49756	4693	192.168.2.7	185.140.53.12
Nov 23, 2021 11:59:35.233959913 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:35.233982086 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:35.234052896 CET	49756	4693	192.168.2.7	185.140.53.12
Nov 23, 2021 11:59:35.291506052 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:35.291533947 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:35.291549921 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:35.291565895 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:35.291627884 CET	49756	4693	192.168.2.7	185.140.53.12
Nov 23, 2021 11:59:35.291671038 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:35.296436071 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:35.296473980 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:35.296596050 CET	49756	4693	192.168.2.7	185.140.53.12
Nov 23, 2021 11:59:35.313451052 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:35.313713074 CET	49756	4693	192.168.2.7	185.140.53.12
Nov 23, 2021 11:59:35.324222088 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:35.324258089 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:35.324328899 CET	49756	4693	192.168.2.7	185.140.53.12
Nov 23, 2021 11:59:35.342457056 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:35.406476974 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:35.406502008 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:35.406573057 CET	49756	4693	192.168.2.7	185.140.53.12
Nov 23, 2021 11:59:35.462531090 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:35.518480062 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:35.518520117 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:35.518544912 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:35.518567085 CET	49756	4693	192.168.2.7	185.140.53.12
Nov 23, 2021 11:59:35.518570900 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:35.518615007 CET	49756	4693	192.168.2.7	185.140.53.12
Nov 23, 2021 11:59:35.518876076 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:35.518922091 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:35.518953085 CET	49756	4693	192.168.2.7	185.140.53.12
Nov 23, 2021 11:59:35.519022942 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:35.519084930 CET	49756	4693	192.168.2.7	185.140.53.12
Nov 23, 2021 11:59:35.519128084 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:35.584332943 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:35.584371090 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:35.584398031 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:35.584419966 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:35.584444046 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:35.584465027 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:35.584486961 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:35.584532022 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:35.584549904 CET	49756	4693	192.168.2.7	185.140.53.12
Nov 23, 2021 11:59:35.584611893 CET	49756	4693	192.168.2.7	185.140.53.12
Nov 23, 2021 11:59:35.589833021 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:35.589958906 CET	49756	4693	192.168.2.7	185.140.53.12
Nov 23, 2021 11:59:35.595310926 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:35.596344948 CET	4693	49756	185.140.53.12	192.168.2.7
Nov 23, 2021 11:59:35.596997976 CET	49756	4693	192.168.2.7	185.140.53.12

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2021 11:59:33.304900885 CET	54640	53	192.168.2.7	8.8.8.8
Nov 23, 2021 11:59:33.326172113 CET	53	54640	8.8.8.8	192.168.2.7
Nov 23, 2021 11:59:39.846254110 CET	58739	53	192.168.2.7	8.8.8.8
Nov 23, 2021 11:59:39.867599010 CET	53	58739	8.8.8.8	192.168.2.7
Nov 23, 2021 11:59:46.156789064 CET	58717	53	192.168.2.7	8.8.8.8
Nov 23, 2021 11:59:46.177053928 CET	53	58717	8.8.8.8	192.168.2.7
Nov 23, 2021 11:59:52.927398920 CET	59762	53	192.168.2.7	8.8.8.8
Nov 23, 2021 11:59:52.949500084 CET	53	59762	8.8.8.8	192.168.2.7
Nov 23, 2021 11:59:59.120119095 CET	54329	53	192.168.2.7	8.8.8.8
Nov 23, 2021 11:59:59.140615940 CET	53	54329	8.8.8.8	192.168.2.7
Nov 23, 2021 12:00:06.133011103 CET	59451	53	192.168.2.7	8.8.8.8
Nov 23, 2021 12:00:06.153048038 CET	53	59451	8.8.8.8	192.168.2.7
Nov 23, 2021 12:00:14.324692011 CET	64569	53	192.168.2.7	8.8.8.8
Nov 23, 2021 12:00:14.345205069 CET	53	64569	8.8.8.8	192.168.2.7
Nov 23, 2021 12:00:21.321403027 CET	50781	53	192.168.2.7	8.8.8.8
Nov 23, 2021 12:00:21.346041918 CET	53	50781	8.8.8.8	192.168.2.7
Nov 23, 2021 12:00:28.937688112 CET	50452	53	192.168.2.7	8.8.8.8
Nov 23, 2021 12:00:28.959264994 CET	53	50452	8.8.8.8	192.168.2.7
Nov 23, 2021 12:00:35.907048941 CET	58820	53	192.168.2.7	8.8.8.8
Nov 23, 2021 12:00:35.926978111 CET	53	58820	8.8.8.8	192.168.2.7
Nov 23, 2021 12:00:43.069562912 CET	60983	53	192.168.2.7	8.8.8.8
Nov 23, 2021 12:00:43.087691069 CET	53	60983	8.8.8.8	192.168.2.7
Nov 23, 2021 12:00:49.920238972 CET	49247	53	192.168.2.7	8.8.8.8
Nov 23, 2021 12:00:49.940231085 CET	53	49247	8.8.8.8	192.168.2.7
Nov 23, 2021 12:00:56.928706884 CET	56064	53	192.168.2.7	8.8.8.8
Nov 23, 2021 12:00:56.951611042 CET	53	56064	8.8.8.8	192.168.2.7
Nov 23, 2021 12:01:03.983671904 CET	63744	53	192.168.2.7	8.8.8.8
Nov 23, 2021 12:01:04.004245996 CET	53	63744	8.8.8.8	192.168.2.7
Nov 23, 2021 12:01:11.011229992 CET	61457	53	192.168.2.7	8.8.8.8
Nov 23, 2021 12:01:11.033668041 CET	53	61457	8.8.8.8	192.168.2.7
Nov 23, 2021 12:01:18.065009117 CET	58367	53	192.168.2.7	8.8.8.8
Nov 23, 2021 12:01:18.086715937 CET	53	58367	8.8.8.8	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 23, 2021 11:59:33.304900885 CET	192.168.2.7	8.8.8.8	0xfe0d	Standard query (0)	wealthgod1234.ddns.net	A (IP address)	IN (0x0001)
Nov 23, 2021 11:59:39.846254110 CET	192.168.2.7	8.8.8.8	0x6ab8	Standard query (0)	wealthgod1234.ddns.net	A (IP address)	IN (0x0001)
Nov 23, 2021 11:59:46.156789064 CET	192.168.2.7	8.8.8.8	0x5df9	Standard query (0)	wealthgod1234.ddns.net	A (IP address)	IN (0x0001)
Nov 23, 2021 11:59:52.927398920 CET	192.168.2.7	8.8.8.8	0x1e6a	Standard query (0)	wealthgod1234.ddns.net	A (IP address)	IN (0x0001)
Nov 23, 2021 11:59:59.120119095 CET	192.168.2.7	8.8.8.8	0x4104	Standard query (0)	wealthgod1234.ddns.net	A (IP address)	IN (0x0001)
Nov 23, 2021 12:00:06.133011103 CET	192.168.2.7	8.8.8.8	0x8c5d	Standard query (0)	wealthgod1234.ddns.net	A (IP address)	IN (0x0001)
Nov 23, 2021 12:00:14.324692011 CET	192.168.2.7	8.8.8.8	0x4d13	Standard query (0)	wealthgod1234.ddns.net	A (IP address)	IN (0x0001)
Nov 23, 2021 12:00:21.321403027 CET	192.168.2.7	8.8.8.8	0xfab1	Standard query (0)	wealthgod1234.ddns.net	A (IP address)	IN (0x0001)
Nov 23, 2021 12:00:28.937688112 CET	192.168.2.7	8.8.8.8	0xc73e	Standard query (0)	wealthgod1234.ddns.net	A (IP address)	IN (0x0001)
Nov 23, 2021 12:00:35.907048941 CET	192.168.2.7	8.8.8.8	0x2e41	Standard query (0)	wealthgod1234.ddns.net	A (IP address)	IN (0x0001)
Nov 23, 2021 12:00:43.069562912 CET	192.168.2.7	8.8.8.8	0x6ff	Standard query (0)	wealthgod1234.ddns.net	A (IP address)	IN (0x0001)
Nov 23, 2021 12:00:49.920238972 CET	192.168.2.7	8.8.8.8	0x6285	Standard query (0)	wealthgod1234.ddns.net	A (IP address)	IN (0x0001)
Nov 23, 2021 12:00:56.928706884 CET	192.168.2.7	8.8.8.8	0xd645	Standard query (0)	wealthgod1234.ddns.net	A (IP address)	IN (0x0001)
Nov 23, 2021 12:01:03.983671904 CET	192.168.2.7	8.8.8.8	0xf269	Standard query (0)	wealthgod1234.ddns.net	A (IP address)	IN (0x0001)
Nov 23, 2021 12:01:11.011229992 CET	192.168.2.7	8.8.8.8	0xd872	Standard query (0)	wealthgod1234.ddns.net	A (IP address)	IN (0x0001)
Nov 23, 2021 12:01:18.065009117 CET	192.168.2.7	8.8.8.8	0x2040	Standard query (0)	wealthgod1234.ddns.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Nov 23, 2021 11:59:33.326172113 CET	8.8.8.8	192.168.2.7	0xfe0d	No error (0)	wealthgod1234.ddns.net	185.140.53.12	A (IP address)	IN (0x0001)
Nov 23, 2021 11:59:39.867599010 CET	8.8.8.8	192.168.2.7	0x6ab8	No error (0)	wealthgod1234.ddns.net	185.140.53.12	A (IP address)	IN (0x0001)
Nov 23, 2021 11:59:46.177053928 CET	8.8.8.8	192.168.2.7	0x5df9	No error (0)	wealthgod1234.ddns.net	185.140.53.12	A (IP address)	IN (0x0001)
Nov 23, 2021 11:59:52.949500084 CET	8.8.8.8	192.168.2.7	0x1e6a	No error (0)	wealthgod1234.ddns.net	185.140.53.12	A (IP address)	IN (0x0001)
Nov 23, 2021 11:59:59.140615940 CET	8.8.8.8	192.168.2.7	0x4104	No error (0)	wealthgod1234.ddns.net	185.140.53.12	A (IP address)	IN (0x0001)
Nov 23, 2021 12:00:06.153048038 CET	8.8.8.8	192.168.2.7	0x8c5d	No error (0)	wealthgod1234.ddns.net	185.140.53.12	A (IP address)	IN (0x0001)
Nov 23, 2021 12:00:14.345205069 CET	8.8.8.8	192.168.2.7	0x4d13	No error (0)	wealthgod1234.ddns.net	185.140.53.12	A (IP address)	IN (0x0001)
Nov 23, 2021 12:00:21.346041918 CET	8.8.8.8	192.168.2.7	0xfab1	No error (0)	wealthgod1234.ddns.net	185.140.53.12	A (IP address)	IN (0x0001)
Nov 23, 2021 12:00:28.959264994 CET	8.8.8.8	192.168.2.7	0xc73e	No error (0)	wealthgod1234.ddns.net	185.140.53.12	A (IP address)	IN (0x0001)
Nov 23, 2021 12:00:35.926978111 CET	8.8.8.8	192.168.2.7	0x2e41	No error (0)	wealthgod1234.ddns.net	185.140.53.12	A (IP address)	IN (0x0001)
Nov 23, 2021 12:00:43.087691069 CET	8.8.8.8	192.168.2.7	0x6ff	No error (0)	wealthgod1234.ddns.net	185.140.53.12	A (IP address)	IN (0x0001)
Nov 23, 2021 12:00:49.940231085 CET	8.8.8.8	192.168.2.7	0x6285	No error (0)	wealthgod1234.ddns.net	185.140.53.12	A (IP address)	IN (0x0001)
Nov 23, 2021 12:00:56.951611042 CET	8.8.8.8	192.168.2.7	0xd645	No error (0)	wealthgod1234.ddns.net	185.140.53.12	A (IP address)	IN (0x0001)
Nov 23, 2021 12:01:04.004245996 CET	8.8.8.8	192.168.2.7	0xf269	No error (0)	wealthgod1234.ddns.net	185.140.53.12	A (IP address)	IN (0x0001)
Nov 23, 2021 12:01:11.033668041 CET	8.8.8.8	192.168.2.7	0xd872	No error (0)	wealthgod1234.ddns.net	185.140.53.12	A (IP address)	IN (0x0001)
Nov 23, 2021 12:01:18.086715937 CET	8.8.8.8	192.168.2.7	0x2040	No error (0)	wealthgod1234.ddns.net	185.140.53.12	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: Orden de Compra -SA765443,pdf.exe PID: 6196 Parent PID: 6008

General

Start time:	11:59:13
Start date:	23/11/2021
Path:	C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe"
Imagebase:	0x860000
File size:	577536 bytes
MD5 hash:	F7F223C7625C5C9DF43AF835298C1183
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.266827018.0000000002CA1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.266922252.0000000002CDE000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.268195690.0000000003CA9000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.268195690.0000000003CA9000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.268195690.0000000003CA9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: Orden de Compra -SA765443,pdf.exe PID: 6548 Parent PID: 6196

General

Start time:	11:59:22
Start date:	23/11/2021
Path:	C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe
Imagebase:	0xcf0000
File size:	577536 bytes
MD5 hash:	F7F223C7625C5C9DF43AF835298C1183
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000000.262435507.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000000.262435507.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000000.262435507.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.516892703.00000000066B0000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.516892703.00000000066B0000.00000004.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.516892703.00000000066B0000.00000004.00020000.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000000.261948516.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000000.261948516.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000000.261948516.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.512725162.0000000003001000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000000.263642925.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000000.263642925.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000000.263642925.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.516734883.0000000005AD0000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.516734883.0000000005AD0000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000000.262924739.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000000.262924739.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000000.262924739.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.514335905.000000000404D000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.507112354.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.507112354.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000002.507112354.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: schtasks.exe PID: 6712 Parent PID: 6548

General

Start time:	11:59:27
Start date:	23/11/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp62E7.tmp
Imagebase:	0x170000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 6728 Parent PID: 6712

General

Start time:	11:59:29
Start date:	23/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff774ee0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: Orden de Compra -SA765443,pdf.exe PID: 6864 Parent PID: 1104

General

Start time:	11:59:31
Start date:	23/11/2021
Path:	C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe" 0
Imagebase:	0xdb0000
File size:	577536 bytes
MD5 hash:	F7F223C7625C5C9DF43AF835298C1183
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000009.00000002.294956289.0000000003201000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.296236042.0000000004209000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.296236042.0000000004209000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000009.00000002.296236042.0000000004209000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000009.00000002.295061035.000000000323E000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: Orden de Compra -SA765443,pdf.exe PID: 4220 Parent PID: 6864

General

Start time:	11:59:35
Start date:	23/11/2021
Path:	C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe
Imagebase:	0xea0000
File size:	577536 bytes
MD5 hash:	F7F223C7625C5C9DF43AF835298C1183
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.310703445.0000000004239000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.310703445.0000000004239000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000000.289660204.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000000.289660204.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000000.289660204.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.309326840.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.309326840.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.309326840.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000000.290829502.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000000.290829502.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000000.290829502.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.310601454.0000000003231000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.310601454.0000000003231000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000000.292078484.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000000.292078484.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000000.292078484.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000000.291488537.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000000.291488537.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000000.291488537.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Orden de Compra -SA765443,pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

E-Banking Fraud:

System Summary:

Stealing of Sensitive Information:

Remote Access Functionality:

Jbx Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior