Analysis Report PAYMENT SLIP.exe

Overview

General Information

Sample Name:	PAYMENT SLIP.exe
Analysis ID:	412302
MD5:	50c9d58f61950484825d85a9a1372a7d
SHA1:	79df49a23af28b6322f1fa461167b1145fc927de
SHA256:	80726d3e380e4a7d0d1eee7f352c4a319e70dd4355a1a4f02ab27babc1a13d15
Tags:	exeNanoCoreRAT
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Sigma detected: NanoCore

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Nanocore RAT

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Executable has a suspicious name (potential lure to open the executable)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Signatures

AV Detection:

Found malware configuration

Source: 0000000C.00000002.911350836.00000000044FF000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "c473d7c4-8173-4cff-8fb5-dfc81a12", "Group": "sea", "Domain1": "seaudo.hopto.org", "Domain2": "23.254.130.71", "Port": 3030, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe

ReversingLabs: Detection: 42%

Yara detected Nanocore RAT

Source: Yara match	File source: 0000000C.00000002.911350836.00000000044FF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.706739434.0000000002F30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.732908055.0000000002F30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.723894048.00000000024E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.665787151.0000000002400000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.914312313.00000000061A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.745550001.00000000040B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.762297835.0000000002F11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.693808017.0000000003160000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.762317389.0000000003F11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.753927401.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.745571478.0000000003050000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.745514113.00000000030B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.744233608.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.909543177.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PAYMENT SLIP.exe PID: 5704, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6948, type: MEMORY
Source: Yara match	File source: Process Memory Space: PAYMENT SLIP.exe PID: 6804, type: MEMORY
Source: Yara match	File source: Process Memory Space: hmhrpib.exe PID: 6376, type: MEMORY
Source: Yara match	File source: Process Memory Space: hmhrpib.exe PID: 6024, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6940, type: MEMORY
Source: Yara match	File source: Process Memory Space: PAYMENT SLIP.exe PID: 6900, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6372, type: MEMORY
Source: Yara match	File source: 6.2.PAYMENT SLIP.exe.3160000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.PAYMENT SLIP.exe.24e0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.MSBuild.exe.450c0f1.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.PAYMENT SLIP.exe.2400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.PAYMENT SLIP.exe.3050000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.MSBuild.exe.4507ac8.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.PAYMENT SLIP.exe.24e0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.hmhrpib.exe.2f30000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.MSBuild.exe.40feae4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.MSBuild.exe.3f5eae4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.PAYMENT SLIP.exe.3160000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.PAYMENT SLIP.exe.3050000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.hmhrpib.exe.2f30000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.hmhrpib.exe.2f30000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.MSBuild.exe.40feae4.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.MSBuild.exe.4507ac8.19.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.MSBuild.exe.61a0000.33.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.MSBuild.exe.3f59cae.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.MSBuild.exe.40f9cae.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.MSBuild.exe.3f6310d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.MSBuild.exe.3f5eae4.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.MSBuild.exe.61a4629.32.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.MSBuild.exe.61a0000.33.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.PAYMENT SLIP.exe.2400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.MSBuild.exe.410310d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.hmhrpib.exe.2f30000.4.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: PAYMENT SLIP.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 10.2.PAYMENT SLIP.exe.23e0000.3.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 19.2.MSBuild.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 20.2.PAYMENT SLIP.exe.2f50000.4.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 12.2.MSBuild.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 22.2.MSBuild.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.2.MSBuild.exe.4507ac8.19.unpack	Avira: Label: TR/NanoCore.fadte
Source: 12.2.MSBuild.exe.61a0000.33.unpack	Avira: Label: TR/NanoCore.fadte
Source: 1.2.PAYMENT SLIP.exe.3110000.5.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.2.PAYMENT SLIP.exe.3060000.4.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files

Source: PAYMENT SLIP.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source:	Binary string: C:\Windows\System.pdboo source: MSBuild.exe, 0000000C.00000002.910679793.0000000003156000.00000004.00000040.sdmp
Source:	Binary string: indows\symbols\dll\System.pdb source: MSBuild.exe, 0000000C.00000002.910679793.0000000003156000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.pdb source: MSBuild.exe, 0000000C.00000002.910679793.0000000003156000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: PAYMENT SLIP.exe, 00000001.00000003.657311903.0000000003210000.00000004.00000001.sdmp, PAYMENT SLIP.exe, 00000006.00000003.682894509.00000000031A0000.00000004.00000001.sdmp, hmhrpib.exe, 00000008.00000003.698726945.0000000002FB0000.00000004.00000001.sdmp, PAYMENT SLIP.exe, 0000000A.00000003.710544371.00000000032C0000.00000004.00000001.sdmp, hmhrpib.exe, 0000000D.00000003.715127820.0000000002F70000.00000004.00000001.sdmp, PAYMENT SLIP.exe, 00000014.00000003.735577807.0000000003090000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb* source: MSBuild.exe, 0000000C.00000003.887823042.0000000001658000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: MSBuild.exe, 0000000C.00000002.910378079.00000000017A0000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: PAYMENT SLIP.exe, 00000001.00000003.657311903.0000000003210000.00000004.00000001.sdmp, PAYMENT SLIP.exe, 00000006.00000003.682894509.00000000031A0000.00000004.00000001.sdmp, hmhrpib.exe, 00000008.00000003.698726945.0000000002FB0000.00000004.00000001.sdmp, PAYMENT SLIP.exe, 0000000A.00000003.710544371.00000000032C0000.00000004.00000001.sdmp, hmhrpib.exe, 0000000D.00000003.715127820.0000000002F70000.00000004.00000001.sdmp, PAYMENT SLIP.exe, 00000014.00000003.735577807.0000000003090000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: MSBuild.exe, 0000000C.00000002.911646592.000000000485A000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: MSBuild.exe, 0000000C.00000002.910984817.00000000034F4000.00000004.00000001.sdmp
Source:	Binary string: indows\System.pdbpdbtem.pdb source: MSBuild.exe, 0000000C.00000002.910679793.0000000003156000.00000004.00000040.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: MSBuild.exe, 0000000C.00000002.910984817.00000000034F4000.00000004.00000001.sdmp
Source:	Binary string: System.pdbX source: MSBuild.exe, 0000000C.00000002.910679793.0000000003156000.00000004.00000040.sdmp
Source:	Binary string: System.pdb source: MSBuild.exe, 0000000C.00000002.910679793.0000000003156000.00000004.00000040.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: MSBuild.exe, 0000000C.00000002.910984817.00000000034F4000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: MSBuild.exe, 0000000C.00000002.910679793.0000000003156000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: MSBuild.exe, 0000000C.00000002.913261020.0000000005DA0000.00000002.00000001.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: MSBuild.exe, 0000000C.00000002.910417181.00000000017D0000.00000004.00000001.sdmp

Source: C:\Users\user\Desktop\PAYMENT SLIP.exe	Code function: 1_2_00405C4E CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	1_2_00405C4E
Source: C:\Users\user\Desktop\PAYMENT SLIP.exe	Code function: 1_2_0040689A FindFirstFileW,FindClose,	1_2_0040689A
Source: C:\Users\user\Desktop\PAYMENT SLIP.exe	Code function: 1_2_00402902 FindFirstFileW,	1_2_00402902
Source: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe	Code function: 8_2_00405C4E CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	8_2_00405C4E
Source: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe	Code function: 8_2_0040689A FindFirstFileW,FindClose,	8_2_0040689A
Source: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe	Code function: 8_2_00402902 FindFirstFileW,	8_2_00402902

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	12_2_06CD52C0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 4x nop then mov esp, ebp	12_2_06CD42A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	12_2_06CD52B1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 4x nop then mov esp, ebp	12_2_06CD4110

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49745 -> 23.254.130.71:3030
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49746 -> 23.254.130.71:3030
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49747 -> 23.254.130.71:3030
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49748 -> 23.254.130.71:3030
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49750 -> 23.254.130.71:3030
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49755 -> 23.254.130.71:3030
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49763 -> 23.254.130.71:3030
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49769 -> 23.254.130.71:3030
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49770 -> 23.254.130.71:3030
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49771 -> 23.254.130.71:3030
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49772 -> 23.254.130.71:3030
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49773 -> 23.254.130.71:3030
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49777 -> 23.254.130.71:3030
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49778 -> 23.254.130.71:3030
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49779 -> 23.254.130.71:3030
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49780 -> 23.254.130.71:3030
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49781 -> 23.254.130.71:3030

Source: Malware configuration extractor	URLs: seaudo.hopto.org
Source: Malware configuration extractor	URLs: 23.254.130.71

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 13.224.186.242
Source: unknown	TCP traffic detected without corresponding DNS query: 216.58.215.238
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.185.205
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.168.67
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.185.225
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.138
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.23.42
Source: unknown	TCP traffic detected without corresponding DNS query: 2.20.142.209
Source: unknown	TCP traffic detected without corresponding DNS query: 2.20.142.209
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 184.30.25.218
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 2.20.142.209
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.16.131
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.22.227
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.68
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.68
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.138

Source: MSBuild.exe, 0000000C.00000002.910984817.00000000034F4000.00000004.00000001.sdmp	String found in binary or memory: http://google.com
Source: PAYMENT SLIP.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49682
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49682 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: 00000008.00000002.706739434.0000000002F30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.706739434.0000000002F30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.732908055.0000000002F30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.732908055.0000000002F30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.723894048.00000000024E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000A.00000002.723894048.00000000024E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.910500149.0000000001830000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.909856080.0000000001450000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.910512551.0000000001840000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.665787151.0000000002400000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.665787151.0000000002400000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.909818098.0000000001420000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.910417181.00000000017D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.914312313.00000000061A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000002.745550001.00000000040B1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.910472948.0000000001810000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000016.00000002.762297835.0000000002F11000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.693808017.0000000003160000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.693808017.0000000003160000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.909835016.0000000001430000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.911646592.000000000485A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.910378079.00000000017A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.910442224.00000000017F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000016.00000002.762317389.0000000003F11000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.910984817.00000000034F4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000016.00000002.753927401.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000016.00000002.753927401.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.910406423.00000000017C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.910536260.0000000001870000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000002.745571478.0000000003050000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000002.745571478.0000000003050000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.912631638.0000000005810000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000002.745514113.00000000030B1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.910428872.00000000017E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000002.744233608.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000002.744233608.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.909543177.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.909543177.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: PAYMENT SLIP.exe PID: 5704, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: PAYMENT SLIP.exe PID: 5704, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: MSBuild.exe PID: 6948, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: MSBuild.exe PID: 6948, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: PAYMENT SLIP.exe PID: 6804, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: PAYMENT SLIP.exe PID: 6804, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: hmhrpib.exe PID: 6376, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: hmhrpib.exe PID: 6376, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: hmhrpib.exe PID: 6024, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: hmhrpib.exe PID: 6024, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: MSBuild.exe PID: 6940, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: MSBuild.exe PID: 6940, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: PAYMENT SLIP.exe PID: 6900, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: PAYMENT SLIP.exe PID: 6900, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: MSBuild.exe PID: 6372, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: MSBuild.exe PID: 6372, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.PAYMENT SLIP.exe.3160000.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.PAYMENT SLIP.exe.3160000.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.PAYMENT SLIP.exe.24e0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.PAYMENT SLIP.exe.24e0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.MSBuild.exe.48f0272.27.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.MSBuild.exe.48632ce.24.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.MSBuild.exe.450c0f1.20.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.MSBuild.exe.17d0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.MSBuild.exe.2f33c74.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.MSBuild.exe.46658d0.22.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.PAYMENT SLIP.exe.2400000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.PAYMENT SLIP.exe.2400000.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.MSBuild.exe.184e8a4.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.MSBuild.exe.1840000.12.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.MSBuild.exe.3524cf0.18.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.MSBuild.exe.17f0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.MSBuild.exe.46574b4.21.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.MSBuild.exe.48f4f11.25.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.MSBuild.exe.17e0000.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.MSBuild.exe.48f0272.27.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.MSBuild.exe.34b12fc.15.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.MSBuild.exe.1810000.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.MSBuild.exe.1430000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.MSBuild.exe.1870000.14.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.PAYMENT SLIP.exe.3050000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.PAYMENT SLIP.exe.3050000.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.MSBuild.exe.4507ac8.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.MSBuild.exe.1450000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.MSBuild.exe.5810000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.MSBuild.exe.48e703e.26.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.PAYMENT SLIP.exe.24e0000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.PAYMENT SLIP.exe.24e0000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.MSBuild.exe.1420000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.MSBuild.exe.17f0000.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.hmhrpib.exe.2f30000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.hmhrpib.exe.2f30000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.MSBuild.exe.1830000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.MSBuild.exe.1420000.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.MSBuild.exe.1840000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.MSBuild.exe.40feae4.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.MSBuild.exe.3f5eae4.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.PAYMENT SLIP.exe.3160000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.PAYMENT SLIP.exe.3160000.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.PAYMENT SLIP.exe.3050000.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.PAYMENT SLIP.exe.3050000.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.MSBuild.exe.48e703e.26.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.MSBuild.exe.1830000.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.hmhrpib.exe.2f30000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.hmhrpib.exe.2f30000.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.MSBuild.exe.48632ce.24.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.hmhrpib.exe.2f30000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.hmhrpib.exe.2f30000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 22.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.MSBuild.exe.40feae4.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.MSBuild.exe.17a0000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.MSBuild.exe.17e0000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.MSBuild.exe.4507ac8.19.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.MSBuild.exe.3530f30.17.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.MSBuild.exe.61a0000.33.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.MSBuild.exe.3f59cae.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.MSBuild.exe.3f59cae.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.MSBuild.exe.46574b4.21.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.MSBuild.exe.1810000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.MSBuild.exe.40f9cae.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.MSBuild.exe.40f9cae.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.MSBuild.exe.3530f30.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.MSBuild.exe.3530f30.17.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 22.2.MSBuild.exe.3f6310d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.MSBuild.exe.1870000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.MSBuild.exe.3f5eae4.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.MSBuild.exe.17c0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.MSBuild.exe.61a4629.32.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.MSBuild.exe.3545564.16.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.MSBuild.exe.3545564.16.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.MSBuild.exe.17d0000.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.MSBuild.exe.1430000.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.MSBuild.exe.3524cf0.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.MSBuild.exe.3524cf0.18.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.MSBuild.exe.466a56f.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.MSBuild.exe.61a0000.33.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.PAYMENT SLIP.exe.2400000.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.PAYMENT SLIP.exe.2400000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.MSBuild.exe.410310d.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.MSBuild.exe.46658d0.22.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.MSBuild.exe.17a0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.MSBuild.exe.1844c9f.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.hmhrpib.exe.2f30000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.hmhrpib.exe.2f30000.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.MSBuild.exe.30d3c74.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 12_2_057D152A NtQuerySystemInformation,		12_2_057D152A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 12_2_057D14EF NtQuerySystemInformation,		12_2_057D14EF

Source: C:\Users\user\Desktop\PAYMENT SLIP.exe	Code function: 1_2_004035D8 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		1_2_004035D8
Source: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe	Code function: 8_2_004035D8 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		8_2_004035D8

Source: C:\Users\user\Desktop\PAYMENT SLIP.exe	Code function: 1_2_00406C5B	1_2_00406C5B
Source: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe	Code function: 8_2_00406C5B	8_2_00406C5B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 12_2_056A3850	12_2_056A3850
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 12_2_056AAF78	12_2_056AAF78
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 12_2_056A2FA8	12_2_056A2FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 12_2_056A23A0	12_2_056A23A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 12_2_056A86A8	12_2_056A86A8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 12_2_056A92A8	12_2_056A92A8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 12_2_056A306F	12_2_056A306F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 12_2_056A936F	12_2_056A936F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 12_2_056A9B50	12_2_056A9B50
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 12_2_06CD2E78	12_2_06CD2E78
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 12_2_06CD2278	12_2_06CD2278
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 12_2_06CD2F3F	12_2_06CD2F3F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 17_2_00E52477	17_2_00E52477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 17_2_05040708	17_2_05040708
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 19_2_02D223A0	19_2_02D223A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 19_2_02D22FA8	19_2_02D22FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 19_2_02D23850	19_2_02D23850
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 19_2_02D232BB	19_2_02D232BB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 19_2_02D2306F	19_2_02D2306F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 22_2_050D3850	22_2_050D3850
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 22_2_050D2FA8	22_2_050D2FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 22_2_050D23A0	22_2_050D23A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 22_2_050D306F	22_2_050D306F

Source: PAYMENT SLIP.exe, 00000001.00000003.656783504.00000000034BF000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PAYMENT SLIP.exe
Source: PAYMENT SLIP.exe, 00000006.00000003.682815519.000000000344F000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PAYMENT SLIP.exe
Source: PAYMENT SLIP.exe, 0000000A.00000003.708126945.0000000003246000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PAYMENT SLIP.exe
Source: PAYMENT SLIP.exe, 00000014.00000003.740614200.00000000031E6000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PAYMENT SLIP.exe

Source: 12.2.MSBuild.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 12.2.MSBuild.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 12.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 19.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 19.2.MSBuild.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 19.2.MSBuild.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 19.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 19.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 12.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 12.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{c473d7c4-8173-4cff-8fb5-dfc81a12600f}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6876:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6608:120:WilError_01

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll

Source: unknown	Process created: C:\Users\user\Desktop\PAYMENT SLIP.exe 'C:\Users\user\Desktop\PAYMENT SLIP.exe'
Source: C:\Users\user\Desktop\PAYMENT SLIP.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 'C:\Users\user\Desktop\PAYMENT SLIP.exe'
Source: C:\Users\user\Desktop\PAYMENT SLIP.exe	Process created: C:\Users\user\Desktop\PAYMENT SLIP.exe 'C:\Users\user\Desktop\PAYMENT SLIP.exe'
Source: C:\Users\user\Desktop\PAYMENT SLIP.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 'C:\Users\user\Desktop\PAYMENT SLIP.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe 'C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe'
Source: C:\Users\user\Desktop\PAYMENT SLIP.exe	Process created: C:\Users\user\Desktop\PAYMENT SLIP.exe 'C:\Users\user\Desktop\PAYMENT SLIP.exe'
Source: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 'C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe 'C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp3E70.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PAYMENT SLIP.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 'C:\Users\user\Desktop\PAYMENT SLIP.exe'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 'C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe'
Source: C:\Users\user\Desktop\PAYMENT SLIP.exe	Process created: C:\Users\user\Desktop\PAYMENT SLIP.exe 'C:\Users\user\Desktop\PAYMENT SLIP.exe'
Source: C:\Users\user\Desktop\PAYMENT SLIP.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 'C:\Users\user\Desktop\PAYMENT SLIP.exe'
Source: C:\Users\user\Desktop\PAYMENT SLIP.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 'C:\Users\user\Desktop\PAYMENT SLIP.exe'	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT SLIP.exe	Process created: C:\Users\user\Desktop\PAYMENT SLIP.exe 'C:\Users\user\Desktop\PAYMENT SLIP.exe'	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT SLIP.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 'C:\Users\user\Desktop\PAYMENT SLIP.exe'	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT SLIP.exe	Process created: C:\Users\user\Desktop\PAYMENT SLIP.exe 'C:\Users\user\Desktop\PAYMENT SLIP.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 'C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe'	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT SLIP.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 'C:\Users\user\Desktop\PAYMENT SLIP.exe'	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT SLIP.exe	Process created: C:\Users\user\Desktop\PAYMENT SLIP.exe 'C:\Users\user\Desktop\PAYMENT SLIP.exe'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp3E70.tmp'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 'C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe'	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT SLIP.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 'C:\Users\user\Desktop\PAYMENT SLIP.exe'	Jump to behavior

Source: 12.2.MSBuild.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 19.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 19.2.MSBuild.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 12_2_014C74AC push ecx; ret	12_2_014C74AD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 12_2_014C74B8 push ebp; ret	12_2_014C74B9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 12_2_014C9D58 pushad ; retf	12_2_014C9D59
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 12_2_014C9D54 push eax; retf	12_2_014C9D55
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 12_2_014C5CE6 push 00000005h; iretd	12_2_014C5CE8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 12_2_06CD0E48 push ebx; retf	12_2_06CD0EB2

Analysis Report PAYMENT SLIP.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Source: 12.2.MSBuild.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 12.2.MSBuild.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 19.2.MSBuild.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 19.2.MSBuild.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\PAYMENT SLIP.exe	File created: C:\Users\user\AppData\Local\Temp\nsz6311.tmp\qm1tw12xr.dll	Jump to dropped file
Source: C:\Users\user\Desktop\PAYMENT SLIP.exe	File created: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PAYMENT SLIP.exe	File created: C:\Users\user\AppData\Local\Temp\nsy2D8A.tmp\qm1tw12xr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe	File created: C:\Users\user\AppData\Local\Temp\nsj3D87.tmp\qm1tw12xr.dll	Jump to dropped file
Source: C:\Users\user\Desktop\PAYMENT SLIP.exe	File created: C:\Users\user\AppData\Local\Temp\nsiFB00.tmp\qm1tw12xr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe	File created: C:\Users\user\AppData\Local\Temp\nsb1C63.tmp\qm1tw12xr.dll	Jump to dropped file
Source: C:\Users\user\Desktop\PAYMENT SLIP.exe	File created: C:\Users\user\AppData\Local\Temp\nshD279.tmp\qm1tw12xr.dll	Jump to dropped file

Source: C:\Users\user\Desktop\PAYMENT SLIP.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run jnckjcfx			Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT SLIP.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run jnckjcfx			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe TID: 6140	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 6524	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 6652	Thread sleep time: -340000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe TID: 6348	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 6956	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7000	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7048	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477

Source: MSBuild.exe, 0000000C.00000002.913661649.0000000006050000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: MSBuild.exe, 0000000C.00000002.913661649.0000000006050000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: MSBuild.exe, 0000000C.00000002.913661649.0000000006050000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: MSBuild.exe, 0000000C.00000002.910250249.000000000160F000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: MSBuild.exe, 0000000C.00000002.913661649.0000000006050000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\PAYMENT SLIP.exe	Code function: 1_2_10001000 mov eax, dword ptr fs:[00000030h]	1_2_10001000
Source: C:\Users\user\Desktop\PAYMENT SLIP.exe	Code function: 1_2_10001110 mov eax, dword ptr fs:[00000030h]	1_2_10001110
Source: C:\Users\user\Desktop\PAYMENT SLIP.exe	Code function: 1_2_00B1218C mov eax, dword ptr fs:[00000030h]	1_2_00B1218C
Source: C:\Users\user\Desktop\PAYMENT SLIP.exe	Code function: 1_2_00B12451 mov eax, dword ptr fs:[00000030h]	1_2_00B12451
Source: C:\Users\user\Desktop\PAYMENT SLIP.exe	Code function: 6_2_0305218C mov eax, dword ptr fs:[00000030h]	6_2_0305218C
Source: C:\Users\user\Desktop\PAYMENT SLIP.exe	Code function: 6_2_03052451 mov eax, dword ptr fs:[00000030h]	6_2_03052451
Source: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe	Code function: 8_2_02F1218C mov eax, dword ptr fs:[00000030h]	8_2_02F1218C
Source: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe	Code function: 8_2_02F12451 mov eax, dword ptr fs:[00000030h]	8_2_02F12451
Source: C:\Users\user\Desktop\PAYMENT SLIP.exe	Code function: 10_2_023A2451 mov eax, dword ptr fs:[00000030h]	10_2_023A2451
Source: C:\Users\user\Desktop\PAYMENT SLIP.exe	Code function: 10_2_023A218C mov eax, dword ptr fs:[00000030h]	10_2_023A218C
Source: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe	Code function: 13_2_02F12451 mov eax, dword ptr fs:[00000030h]	13_2_02F12451
Source: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe	Code function: 13_2_02F1218C mov eax, dword ptr fs:[00000030h]	13_2_02F1218C
Source: C:\Users\user\Desktop\PAYMENT SLIP.exe	Code function: 20_2_022B218C mov eax, dword ptr fs:[00000030h]	20_2_022B218C
Source: C:\Users\user\Desktop\PAYMENT SLIP.exe	Code function: 20_2_022B2451 mov eax, dword ptr fs:[00000030h]	20_2_022B2451

Source: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe	Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe	Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT SLIP.exe	Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe protection: execute and read and write	Jump to behavior

Source: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 103E008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: C0E008	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT SLIP.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: A23008	Jump to behavior