
Analysis Report PAYMENT SLIP.exe

Overview

General Information

Sample Name: PAYMENT SLIP.exe
Analysis ID: 412302
MD5: 50c9d58f61950484825d85a9a1372a7d
SHA1: 79df49a23af28b6322f1fa461167b1145fc927de
SHA256: 80726d3e380e4a7d0d1eee7f352c4a319e70dd4355a1a4f02ab27babc1a13d15
Tags: exe, NanoCore, RAT
Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Executable has a suspicious name (potential lure to open the executable)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • PAYMENT SLIP.exe (PID: 6804 cmdline: 'C:\Users\user\Desktop\PAYMENT SLIP.exe' MD5: 50C9D58F61950484825D85A9A1372A7D)
    • MSBuild.exe (PID: 7012 cmdline: 'C:\Users\user\Desktop\PAYMENT SLIP.exe' MD5: 88BBB7610152B48C2B3879473B17857E)
    • PAYMENT SLIP.exe (PID: 7116 cmdline: 'C:\Users\user\Desktop\PAYMENT SLIP.exe' MD5: 50C9D58F61950484825D85A9A1372A7D)
      • MSBuild.exe (PID: 4228 cmdline: 'C:\Users\user\Desktop\PAYMENT SLIP.exe' MD5: 88BBB7610152B48C2B3879473B17857E)
      • PAYMENT SLIP.exe (PID: 5704 cmdline: 'C:\Users\user\Desktop\PAYMENT SLIP.exe' MD5: 50C9D58F61950484825D85A9A1372A7D)
        • MSBuild.exe (PID: 6504 cmdline: 'C:\Users\user\Desktop\PAYMENT SLIP.exe' MD5: 88BBB7610152B48C2B3879473B17857E)
        • PAYMENT SLIP.exe (PID: 6900 cmdline: 'C:\Users\user\Desktop\PAYMENT SLIP.exe' MD5: 50C9D58F61950484825D85A9A1372A7D)
          • MSBuild.exe (PID: 6948 cmdline: 'C:\Users\user\Desktop\PAYMENT SLIP.exe' MD5: 88BBB7610152B48C2B3879473B17857E)
  • hmhrpib.exe (PID: 6024 cmdline: 'C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe' MD5: 50C9D58F61950484825D85A9A1372A7D)
    • MSBuild.exe (PID: 6372 cmdline: 'C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe' MD5: 88BBB7610152B48C2B3879473B17857E)
      • schtasks.exe (PID: 6508 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp3E70.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • hmhrpib.exe (PID: 6376 cmdline: 'C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe' MD5: 50C9D58F61950484825D85A9A1372A7D)
    • MSBuild.exe (PID: 6940 cmdline: 'C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe' MD5: 88BBB7610152B48C2B3879473B17857E)
  • MSBuild.exe (PID: 6800 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 0 MD5: 88BBB7610152B48C2B3879473B17857E)
    • conhost.exe (PID: 6876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: NanoCore

{
  "Version": "1.2.2.0",
  "Mutex": "c473d7c4-8173-4cff-8fb5-dfc81a12",
  "Group": "sea",
  "Domain1": "seaudo.hopto.org",
  "Domain2": "23.254.130.71",
  "Port": 3030,
  "KeyboardLogging": "Enable",
  "RunOnStartup": "Disable",
  "RequestElevation": "Disable",
  "BypassUAC": "Enable",
  "ClearZoneIdentifier": "Enable",
  "ClearAccessControl": "Disable",
  "SetCriticalProcess": "Disable",
  "PreventSystemSleep": "Enable",
  "ActivateAwayMode": "Disable",
  "EnableDebugMode": "Disable",
  "RunDelay": 0,
  "ConnectDelay": 4000,
  "RestartDelay": 5000,
  "TimeoutInterval": 5000,
  "KeepAliveTimeout": 30000,
  "MutexTimeout": 5000,
  "LanTimeout": 2500,
  "WanTimeout": 8000,
  "BufferSize": "ffff0000",
  "MaxPacketSize": "0000a000",
  "GCThreshold": "0000a000",
  "UseCustomDNS": "Enable",
  "PrimaryDNSServer": "8.8.8.8",
  "BackupDNSServer": "8.8.4.4",
  "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"
}

Yara Overview

Memory Dumps

Source | Rule | Description | Author

0000000C.00000002.911350836.00000000044FF000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

00000008.00000002.706739434.0000000002F30000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
Strings:
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

00000008.00000002.706739434.0000000002F30000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
Strings:
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost

00000008.00000002.706739434.0000000002F30000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

00000008.00000002.706739434.0000000002F30000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q

(92 memory dump entries in total; only the first are shown here)

Unpacked PEs

Source | Rule | Description | Author

6.2.PAYMENT SLIP.exe.3160000.5.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
Strings:
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

6.2.PAYMENT SLIP.exe.3160000.5.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
Strings:
  • 0xe105:$x1: NanoCore Client.exe
  • 0xe38d:$x2: NanoCore.ClientPluginHost
  • 0xf9c6:$s1: PluginCommand
  • 0xf9ba:$s2: FileCommand
  • 0x1086b:$s3: PipeExists
  • 0x16622:$s4: PipeCreated
  • 0xe3b7:$s5: IClientLoggingHost

6.2.PAYMENT SLIP.exe.3160000.5.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

6.2.PAYMENT SLIP.exe.3160000.5.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0xe0f5:$a: NanoCore
  • 0xe105:$a: NanoCore
  • 0xe339:$a: NanoCore
  • 0xe34d:$a: NanoCore
  • 0xe38d:$a: NanoCore
  • 0xe154:$b: ClientPlugin
  • 0xe356:$b: ClientPlugin
  • 0xe396:$b: ClientPlugin
  • 0xe27b:$c: ProjectData
  • 0xec82:$d: DESCrypto
  • 0x1664e:$e: KeepAlive
  • 0x1463c:$g: LogClientMessage
  • 0x10837:$i: get_Connected
  • 0xefb8:$j: #=q
  • 0xefe8:$j: #=q
  • 0xf004:$j: #=q
  • 0xf034:$j: #=q
  • 0xf050:$j: #=q
  • 0xf06c:$j: #=q
  • 0xf09c:$j: #=q
  • 0xf0b8:$j: #=q

10.2.PAYMENT SLIP.exe.24e0000.4.raw.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
Strings:
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

(190 unpacked PE entries in total; only the first are shown here)

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe, ProcessId: 6372, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe, ProcessId: 6372, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe, ProcessId: 6372, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe, ProcessId: 6372, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        Signature Overview

        AV Detection:

Found malware configuration
Source: 0000000C.00000002.911350836.00000000044FF000.00000004.00000001.sdmp | Malware Configuration Extractor: NanoCore (the extracted configuration is listed in full under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe | ReversingLabs: Detection: 42%
Yara detected Nanocore RAT
Source: Yara match | File source: 52 memory dumps, process memory spaces and unpacked PE files (list omitted)
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: PAYMENT SLIP.exe | Joe Sandbox ML: detected
Source: 10.2.PAYMENT SLIP.exe.23e0000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 19.2.MSBuild.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 20.2.PAYMENT SLIP.exe.2f50000.4.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 12.2.MSBuild.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 22.2.MSBuild.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.2.MSBuild.exe.4507ac8.19.unpack | Avira: Label: TR/NanoCore.fadte
Source: 12.2.MSBuild.exe.61a0000.33.unpack | Avira: Label: TR/NanoCore.fadte
Source: 1.2.PAYMENT SLIP.exe.3110000.5.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.2.PAYMENT SLIP.exe.3060000.4.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: PAYMENT SLIP.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: PAYMENT SLIP.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: C:\Windows\System.pdboo source: MSBuild.exe, 0000000C.00000002.910679793.0000000003156000.00000004.00000040.sdmp
        Source: Binary string: indows\symbols\dll\System.pdb source: MSBuild.exe, 0000000C.00000002.910679793.0000000003156000.00000004.00000040.sdmp
        Source: Binary string: C:\Windows\dll\System.pdb source: MSBuild.exe, 0000000C.00000002.910679793.0000000003156000.00000004.00000040.sdmp
        Source: Binary string: wntdll.pdbUGP source: PAYMENT SLIP.exe, 00000001.00000003.657311903.0000000003210000.00000004.00000001.sdmp, PAYMENT SLIP.exe, 00000006.00000003.682894509.00000000031A0000.00000004.00000001.sdmp, hmhrpib.exe, 00000008.00000003.698726945.0000000002FB0000.00000004.00000001.sdmp, PAYMENT SLIP.exe, 0000000A.00000003.710544371.00000000032C0000.00000004.00000001.sdmp, hmhrpib.exe, 0000000D.00000003.715127820.0000000002F70000.00000004.00000001.sdmp, PAYMENT SLIP.exe, 00000014.00000003.735577807.0000000003090000.00000004.00000001.sdmp
        Source: Binary string: \??\C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb* source: MSBuild.exe, 0000000C.00000003.887823042.0000000001658000.00000004.00000001.sdmp
        Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: MSBuild.exe, 0000000C.00000002.910378079.00000000017A0000.00000004.00000001.sdmp
        Source: Binary string: wntdll.pdb source: PAYMENT SLIP.exe, 00000001.00000003.657311903.0000000003210000.00000004.00000001.sdmp, PAYMENT SLIP.exe, 00000006.00000003.682894509.00000000031A0000.00000004.00000001.sdmp, hmhrpib.exe, 00000008.00000003.698726945.0000000002FB0000.00000004.00000001.sdmp, PAYMENT SLIP.exe, 0000000A.00000003.710544371.00000000032C0000.00000004.00000001.sdmp, hmhrpib.exe, 0000000D.00000003.715127820.0000000002F70000.00000004.00000001.sdmp, PAYMENT SLIP.exe, 00000014.00000003.735577807.0000000003090000.00000004.00000001.sdmp
        Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: MSBuild.exe, 0000000C.00000002.911646592.000000000485A000.00000004.00000001.sdmp
        Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: MSBuild.exe, 0000000C.00000002.910984817.00000000034F4000.00000004.00000001.sdmp
        Source: Binary string: indows\System.pdbpdbtem.pdb source: MSBuild.exe, 0000000C.00000002.910679793.0000000003156000.00000004.00000040.sdmp
        Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: MSBuild.exe, 0000000C.00000002.910984817.00000000034F4000.00000004.00000001.sdmp
        Source: Binary string: System.pdbX source: MSBuild.exe, 0000000C.00000002.910679793.0000000003156000.00000004.00000040.sdmp
        Source: Binary string: System.pdb source: MSBuild.exe, 0000000C.00000002.910679793.0000000003156000.00000004.00000040.sdmp
        Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: MSBuild.exe, 0000000C.00000002.910984817.00000000034F4000.00000004.00000001.sdmp
        Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: MSBuild.exe, 0000000C.00000002.910679793.0000000003156000.00000004.00000040.sdmp
        Source: Binary string: mscorrc.pdb source: MSBuild.exe, 0000000C.00000002.913261020.0000000005DA0000.00000002.00000001.sdmp
        Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: MSBuild.exe, 0000000C.00000002.910417181.00000000017D0000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\PAYMENT SLIP.exe | Code function: 1_2_00405C4E CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\PAYMENT SLIP.exe | Code function: 1_2_0040689A FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\PAYMENT SLIP.exe | Code function: 1_2_00402902 FindFirstFileW,
Source: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe | Code function: 8_2_00405C4E CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe | Code function: 8_2_0040689A FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe | Code function: 8_2_00402902 FindFirstFileW,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 4x nop then mov esp, ebp

        Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49745 -> 23.254.130.71:3030
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49746 -> 23.254.130.71:3030
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49747 -> 23.254.130.71:3030
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49748 -> 23.254.130.71:3030
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49750 -> 23.254.130.71:3030
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49755 -> 23.254.130.71:3030
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49763 -> 23.254.130.71:3030
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49769 -> 23.254.130.71:3030
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49770 -> 23.254.130.71:3030
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49771 -> 23.254.130.71:3030
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49772 -> 23.254.130.71:3030
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49773 -> 23.254.130.71:3030
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49777 -> 23.254.130.71:3030
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49778 -> 23.254.130.71:3030
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49779 -> 23.254.130.71:3030
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49780 -> 23.254.130.71:3030
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49781 -> 23.254.130.71:3030
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: seaudo.hopto.org
Source: Malware configuration extractor | URLs: 23.254.130.71
Source: global traffic | TCP traffic: 192.168.2.4:49745 -> 23.254.130.71:3030
Source: Joe Sandbox View | ASN Name: HOSTWINDSUS HOSTWINDSUS
Source: unknown | TCP traffic detected without corresponding DNS query (list of 50 IP addresses omitted)
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 12_2_057D2CF6 WSARecv,
        Source: unknownDNS traffic detected: queries for: seaudo.hopto.org
        Source: MSBuild.exe, 0000000C.00000002.910984817.00000000034F4000.00000004.00000001.sdmpString found in binary or memory: http://google.com
        Source: PAYMENT SLIP.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49689
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49700
        Source: unknownNetwork traffic detected: HTTP traffic on port 49758 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49741
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49763
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49683
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49682
        Source: unknownNetwork traffic detected: HTTP traffic on port 49702 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49805 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49682 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49717
        Source: unknownNetwork traffic detected: HTTP traffic on port 49717 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49758
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49698
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49697
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49696
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49695
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49694
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49693
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49692
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49691
        Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49763 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49683 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49806 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49709
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49806
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49805
        Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49702
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49745
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49701
        Source: C:\Users\user\Desktop\PAYMENT SLIP.exeCode function: 1_2_004056E3 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,
        Source: MSBuild.exe, 0000000C.00000002.911350836.00000000044FF000.00000004.00000001.sdmpBinary or memory string: RegisterRawInputDevices

        E-Banking Fraud:

        Yara detected Nanocore RAT
        Source: Yara match | File source: 0000000C.00000002.911350836.00000000044FF000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000002.706739434.0000000002F30000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000002.732908055.0000000002F30000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000A.00000002.723894048.00000000024E0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000001.00000002.665787151.0000000002400000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.914312313.00000000061A0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000013.00000002.745550001.00000000040B1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000016.00000002.762297835.0000000002F11000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000006.00000002.693808017.0000000003160000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000016.00000002.762317389.0000000003F11000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000016.00000002.753927401.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000014.00000002.745571478.0000000003050000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000013.00000002.745514113.00000000030B1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000013.00000002.744233608.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.909543177.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: PAYMENT SLIP.exe PID: 5704, type: MEMORY
        Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 6948, type: MEMORY
        Source: Yara match | File source: Process Memory Space: PAYMENT SLIP.exe PID: 6804, type: MEMORY
        Source: Yara match | File source: Process Memory Space: hmhrpib.exe PID: 6376, type: MEMORY
        Source: Yara match | File source: Process Memory Space: hmhrpib.exe PID: 6024, type: MEMORY
        Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 6940, type: MEMORY
        Source: Yara match | File source: Process Memory Space: PAYMENT SLIP.exe PID: 6900, type: MEMORY
        Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 6372, type: MEMORY
        Source: Yara match | File source: 6.2.PAYMENT SLIP.exe.3160000.5.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 10.2.PAYMENT SLIP.exe.24e0000.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.MSBuild.exe.450c0f1.20.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.2.PAYMENT SLIP.exe.2400000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 20.2.PAYMENT SLIP.exe.3050000.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.MSBuild.exe.4507ac8.19.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 10.2.PAYMENT SLIP.exe.24e0000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 19.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.hmhrpib.exe.2f30000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 19.2.MSBuild.exe.40feae4.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 22.2.MSBuild.exe.3f5eae4.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 6.2.PAYMENT SLIP.exe.3160000.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 20.2.PAYMENT SLIP.exe.3050000.5.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 8.2.hmhrpib.exe.2f30000.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 8.2.hmhrpib.exe.2f30000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 22.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 19.2.MSBuild.exe.40feae4.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.MSBuild.exe.4507ac8.19.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.MSBuild.exe.61a0000.33.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 22.2.MSBuild.exe.3f59cae.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 19.2.MSBuild.exe.40f9cae.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 22.2.MSBuild.exe.3f6310d.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 22.2.MSBuild.exe.3f5eae4.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.MSBuild.exe.61a4629.32.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.MSBuild.exe.61a0000.33.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.2.PAYMENT SLIP.exe.2400000.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 19.2.MSBuild.exe.410310d.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.hmhrpib.exe.2f30000.4.raw.unpack, type: UNPACKEDPE

        System Summary:

        Malicious sample detected (through community Yara rule)Show sources
        Source: 00000008.00000002.706739434.0000000002F30000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000008.00000002.706739434.0000000002F30000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000D.00000002.732908055.0000000002F30000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000D.00000002.732908055.0000000002F30000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000A.00000002.723894048.00000000024E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000A.00000002.723894048.00000000024E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000002.910500149.0000000001830000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000002.909856080.0000000001450000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000002.910512551.0000000001840000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000001.00000002.665787151.0000000002400000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000001.00000002.665787151.0000000002400000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000002.909818098.0000000001420000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000002.910417181.00000000017D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000002.914312313.00000000061A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000013.00000002.745550001.00000000040B1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000002.910472948.0000000001810000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000016.00000002.762297835.0000000002F11000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000006.00000002.693808017.0000000003160000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000006.00000002.693808017.0000000003160000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000002.909835016.0000000001430000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000002.911646592.000000000485A000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000002.910378079.00000000017A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000002.910442224.00000000017F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000016.00000002.762317389.0000000003F11000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000002.910984817.00000000034F4000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000016.00000002.753927401.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000016.00000002.753927401.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000002.910406423.00000000017C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000002.910536260.0000000001870000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000014.00000002.745571478.0000000003050000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000014.00000002.745571478.0000000003050000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000002.912631638.0000000005810000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000013.00000002.745514113.00000000030B1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000002.910428872.00000000017E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000013.00000002.744233608.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000013.00000002.744233608.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000002.909543177.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000002.909543177.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: PAYMENT SLIP.exe PID: 5704, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: PAYMENT SLIP.exe PID: 5704, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: MSBuild.exe PID: 6948, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: MSBuild.exe PID: 6948, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: PAYMENT SLIP.exe PID: 6804, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: PAYMENT SLIP.exe PID: 6804, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: hmhrpib.exe PID: 6376, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: hmhrpib.exe PID: 6376, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: hmhrpib.exe PID: 6024, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: hmhrpib.exe PID: 6024, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: MSBuild.exe PID: 6940, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: MSBuild.exe PID: 6940, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: PAYMENT SLIP.exe PID: 6900, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: PAYMENT SLIP.exe PID: 6900, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: MSBuild.exe PID: 6372, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: MSBuild.exe PID: 6372, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 6.2.PAYMENT SLIP.exe.3160000.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 6.2.PAYMENT SLIP.exe.3160000.5.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 10.2.PAYMENT SLIP.exe.24e0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 10.2.PAYMENT SLIP.exe.24e0000.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.MSBuild.exe.48f0272.27.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.MSBuild.exe.48632ce.24.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.MSBuild.exe.450c0f1.20.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.MSBuild.exe.17d0000.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.MSBuild.exe.2f33c74.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.MSBuild.exe.46658d0.22.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.2.PAYMENT SLIP.exe.2400000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.2.PAYMENT SLIP.exe.2400000.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.MSBuild.exe.184e8a4.13.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.MSBuild.exe.1840000.12.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.MSBuild.exe.3524cf0.18.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.MSBuild.exe.17f0000.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.MSBuild.exe.46574b4.21.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.MSBuild.exe.48f4f11.25.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.MSBuild.exe.17e0000.7.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.MSBuild.exe.48f0272.27.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.MSBuild.exe.34b12fc.15.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.MSBuild.exe.1810000.9.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.MSBuild.exe.1430000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.MSBuild.exe.1870000.14.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 20.2.PAYMENT SLIP.exe.3050000.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 20.2.PAYMENT SLIP.exe.3050000.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.MSBuild.exe.4507ac8.19.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.MSBuild.exe.1450000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.MSBuild.exe.5810000.29.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.MSBuild.exe.48e703e.26.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 10.2.PAYMENT SLIP.exe.24e0000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 10.2.PAYMENT SLIP.exe.24e0000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.MSBuild.exe.1420000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 19.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 19.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.MSBuild.exe.17f0000.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 13.2.hmhrpib.exe.2f30000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 13.2.hmhrpib.exe.2f30000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.MSBuild.exe.1830000.10.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.MSBuild.exe.1420000.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.MSBuild.exe.1840000.12.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 19.2.MSBuild.exe.40feae4.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.MSBuild.exe.3f5eae4.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 6.2.PAYMENT SLIP.exe.3160000.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 6.2.PAYMENT SLIP.exe.3160000.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 20.2.PAYMENT SLIP.exe.3050000.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 20.2.PAYMENT SLIP.exe.3050000.5.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.MSBuild.exe.48e703e.26.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.MSBuild.exe.1830000.10.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 8.2.hmhrpib.exe.2f30000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 8.2.hmhrpib.exe.2f30000.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.MSBuild.exe.48632ce.24.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 8.2.hmhrpib.exe.2f30000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 8.2.hmhrpib.exe.2f30000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 19.2.MSBuild.exe.40feae4.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.MSBuild.exe.17a0000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.MSBuild.exe.17e0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.MSBuild.exe.4507ac8.19.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.MSBuild.exe.3530f30.17.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.MSBuild.exe.61a0000.33.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.MSBuild.exe.3f59cae.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.MSBuild.exe.3f59cae.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.MSBuild.exe.46574b4.21.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.MSBuild.exe.1810000.9.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 19.2.MSBuild.exe.40f9cae.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 19.2.MSBuild.exe.40f9cae.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.MSBuild.exe.3530f30.17.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.MSBuild.exe.3530f30.17.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.2.MSBuild.exe.3f6310d.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.MSBuild.exe.1870000.14.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.MSBuild.exe.3f5eae4.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.MSBuild.exe.17c0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.MSBuild.exe.61a4629.32.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.MSBuild.exe.3545564.16.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.MSBuild.exe.3545564.16.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.MSBuild.exe.17d0000.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 12.2.MSBuild.exe.1430000.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 12.2.MSBuild.exe.3524cf0.18.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 12.2.MSBuild.exe.3524cf0.18.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.MSBuild.exe.466a56f.23.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 12.2.MSBuild.exe.61a0000.33.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 1.2.PAYMENT SLIP.exe.2400000.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 1.2.PAYMENT SLIP.exe.2400000.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 19.2.MSBuild.exe.410310d.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 12.2.MSBuild.exe.46658d0.22.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 12.2.MSBuild.exe.17a0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 12.2.MSBuild.exe.1844c9f.11.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 13.2.hmhrpib.exe.2f30000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 13.2.hmhrpib.exe.2f30000.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 19.2.MSBuild.exe.30d3c74.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Executable has a suspicious name (potential lure to open the executable)
        Source: PAYMENT SLIP.exe | Static file information: Suspicious name
        Initial sample is a PE file and has a suspicious name
        Source: initial sample | Static PE information: Filename: PAYMENT SLIP.exe
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 12_2_057D152A NtQuerySystemInformation,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 12_2_057D14EF NtQuerySystemInformation,
        Source: C:\Users\user\Desktop\PAYMENT SLIP.exe | Code function: 1_2_004035D8 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
        Source: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe | Code function: 8_2_004035D8 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
        Source: C:\Users\user\Desktop\PAYMENT SLIP.exe | Code function: 1_2_00406C5B
        Source: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe | Code function: 8_2_00406C5B
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 12_2_056A3850
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 12_2_056AAF78
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 12_2_056A2FA8
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 12_2_056A23A0
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 12_2_056A86A8
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 12_2_056A92A8
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 12_2_056A306F
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 12_2_056A936F
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 12_2_056A9B50
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 12_2_06CD2E78
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 12_2_06CD2278
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 12_2_06CD2F3F
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 17_2_00E52477
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 17_2_05040708
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 19_2_02D223A0
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 19_2_02D22FA8
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 19_2_02D23850
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 19_2_02D232BB
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 19_2_02D2306F
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 22_2_050D3850
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 22_2_050D2FA8
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 22_2_050D23A0
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 22_2_050D306F
        Source: PAYMENT SLIP.exe, 00000001.00000003.656783504.00000000034BF000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs PAYMENT SLIP.exe
        Source: PAYMENT SLIP.exe, 00000006.00000003.682815519.000000000344F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs PAYMENT SLIP.exe
        Source: PAYMENT SLIP.exe, 0000000A.00000003.708126945.0000000003246000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs PAYMENT SLIP.exe
        Source: PAYMENT SLIP.exe, 00000014.00000003.740614200.00000000031E6000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs PAYMENT SLIP.exe
        Source: PAYMENT SLIP.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
        Source: 00000008.00000002.706739434.0000000002F30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000002.706739434.0000000002F30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000008.00000002.706739434.0000000002F30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000D.00000002.732908055.0000000002F30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000D.00000002.732908055.0000000002F30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000D.00000002.732908055.0000000002F30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000A.00000002.723894048.00000000024E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000A.00000002.723894048.00000000024E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000A.00000002.723894048.00000000024E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.910500149.0000000001830000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000002.910500149.0000000001830000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000C.00000002.909856080.0000000001450000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000002.909856080.0000000001450000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000C.00000002.910512551.0000000001840000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000002.910512551.0000000001840000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000001.00000002.665787151.0000000002400000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000002.665787151.0000000002400000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000001.00000002.665787151.0000000002400000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.909818098.0000000001420000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000002.909818098.0000000001420000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000C.00000002.910417181.00000000017D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000002.910417181.00000000017D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000C.00000002.914312313.00000000061A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000002.914312313.00000000061A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000013.00000002.745550001.00000000040B1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.910472948.0000000001810000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000002.910472948.0000000001810000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000016.00000002.762297835.0000000002F11000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000006.00000002.693808017.0000000003160000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000006.00000002.693808017.0000000003160000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000006.00000002.693808017.0000000003160000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.909835016.0000000001430000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000002.909835016.0000000001430000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000C.00000002.911646592.000000000485A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.910378079.00000000017A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000002.910378079.00000000017A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000C.00000002.910442224.00000000017F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000002.910442224.00000000017F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000016.00000002.762317389.0000000003F11000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.910984817.00000000034F4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000016.00000002.753927401.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000016.00000002.753927401.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.910406423.00000000017C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000002.910406423.00000000017C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000C.00000002.910536260.0000000001870000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000002.910536260.0000000001870000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000014.00000002.745571478.0000000003050000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000014.00000002.745571478.0000000003050000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000014.00000002.745571478.0000000003050000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.912631638.0000000005810000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000002.912631638.0000000005810000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000013.00000002.745514113.00000000030B1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.910428872.00000000017E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000002.910428872.00000000017E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000013.00000002.744233608.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000013.00000002.744233608.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.909543177.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000002.909543177.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: PAYMENT SLIP.exe PID: 5704, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: PAYMENT SLIP.exe PID: 5704, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: MSBuild.exe PID: 6948, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: MSBuild.exe PID: 6948, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: PAYMENT SLIP.exe PID: 6804, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: PAYMENT SLIP.exe PID: 6804, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: hmhrpib.exe PID: 6376, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: hmhrpib.exe PID: 6376, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: hmhrpib.exe PID: 6024, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: hmhrpib.exe PID: 6024, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: MSBuild.exe PID: 6940, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: MSBuild.exe PID: 6940, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: PAYMENT SLIP.exe PID: 6900, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: PAYMENT SLIP.exe PID: 6900, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: MSBuild.exe PID: 6372, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: MSBuild.exe PID: 6372, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 6.2.PAYMENT SLIP.exe.3160000.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.2.PAYMENT SLIP.exe.3160000.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 6.2.PAYMENT SLIP.exe.3160000.5.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 10.2.PAYMENT SLIP.exe.24e0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.2.PAYMENT SLIP.exe.24e0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 10.2.PAYMENT SLIP.exe.24e0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.MSBuild.exe.48f0272.27.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.MSBuild.exe.48f0272.27.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.MSBuild.exe.48632ce.24.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.MSBuild.exe.48632ce.24.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.MSBuild.exe.450c0f1.20.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.MSBuild.exe.450c0f1.20.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.MSBuild.exe.17d0000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.MSBuild.exe.17d0000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 22.2.MSBuild.exe.2f33c74.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.MSBuild.exe.2f33c74.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.MSBuild.exe.46658d0.22.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.MSBuild.exe.46658d0.22.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.PAYMENT SLIP.exe.2400000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.PAYMENT SLIP.exe.2400000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.PAYMENT SLIP.exe.2400000.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.MSBuild.exe.184e8a4.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.MSBuild.exe.184e8a4.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.MSBuild.exe.1840000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.MSBuild.exe.1840000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.MSBuild.exe.3524cf0.18.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.MSBuild.exe.3524cf0.18.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.MSBuild.exe.17f0000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.MSBuild.exe.17f0000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.MSBuild.exe.46574b4.21.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.MSBuild.exe.46574b4.21.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.MSBuild.exe.48f4f11.25.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.MSBuild.exe.48f4f11.25.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.MSBuild.exe.17e0000.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.MSBuild.exe.17e0000.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.MSBuild.exe.48f0272.27.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.MSBuild.exe.48f0272.27.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.MSBuild.exe.34b12fc.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.MSBuild.exe.34b12fc.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.MSBuild.exe.1810000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.MSBuild.exe.1810000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.MSBuild.exe.1430000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.MSBuild.exe.1430000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.MSBuild.exe.1870000.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.MSBuild.exe.1870000.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 20.2.PAYMENT SLIP.exe.3050000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 20.2.PAYMENT SLIP.exe.3050000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 20.2.PAYMENT SLIP.exe.3050000.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.MSBuild.exe.4507ac8.19.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.MSBuild.exe.4507ac8.19.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.MSBuild.exe.1450000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.MSBuild.exe.1450000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.MSBuild.exe.5810000.29.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.MSBuild.exe.5810000.29.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.MSBuild.exe.48e703e.26.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.MSBuild.exe.48e703e.26.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 10.2.PAYMENT SLIP.exe.24e0000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.2.PAYMENT SLIP.exe.24e0000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 10.2.PAYMENT SLIP.exe.24e0000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.MSBuild.exe.1420000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.MSBuild.exe.1420000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 19.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 19.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 19.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.MSBuild.exe.17f0000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.MSBuild.exe.17f0000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 13.2.hmhrpib.exe.2f30000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.2.hmhrpib.exe.2f30000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 13.2.hmhrpib.exe.2f30000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.MSBuild.exe.1830000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.MSBuild.exe.1830000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.MSBuild.exe.1420000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.MSBuild.exe.1420000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.MSBuild.exe.1840000.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.MSBuild.exe.1840000.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 19.2.MSBuild.exe.40feae4.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 19.2.MSBuild.exe.40feae4.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 22.2.MSBuild.exe.3f5eae4.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.MSBuild.exe.3f5eae4.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 6.2.PAYMENT SLIP.exe.3160000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.2.PAYMENT SLIP.exe.3160000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 6.2.PAYMENT SLIP.exe.3160000.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Yara matches on unpacked PE memory regions. Three rules fired; their metadata is identical on every match and is listed once here, and each match below names the rules by rule name:
        Rule Nanocore_RAT_Gen_2: date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Rule Nanocore_RAT_Feb18_1: date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Rule NanoCore: date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 20.2.PAYMENT SLIP.exe.3050000.5.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 12.2.MSBuild.exe.48e703e.26.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 12.2.MSBuild.exe.1830000.10.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 8.2.hmhrpib.exe.2f30000.4.raw.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 12.2.MSBuild.exe.48632ce.24.raw.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 8.2.hmhrpib.exe.2f30000.4.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 22.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 19.2.MSBuild.exe.40feae4.3.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 12.2.MSBuild.exe.17a0000.4.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 12.2.MSBuild.exe.17e0000.7.raw.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 12.2.MSBuild.exe.4507ac8.19.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 12.2.MSBuild.exe.3530f30.17.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 12.2.MSBuild.exe.61a0000.33.raw.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 22.2.MSBuild.exe.3f59cae.4.raw.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 12.2.MSBuild.exe.46574b4.21.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 12.2.MSBuild.exe.1810000.9.raw.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 19.2.MSBuild.exe.40f9cae.4.raw.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 12.2.MSBuild.exe.3530f30.17.raw.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, NanoCore
        Source: 22.2.MSBuild.exe.3f6310d.3.raw.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 12.2.MSBuild.exe.1870000.14.raw.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 22.2.MSBuild.exe.3f5eae4.2.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 12.2.MSBuild.exe.17c0000.5.raw.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 12.2.MSBuild.exe.61a4629.32.raw.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 12.2.MSBuild.exe.3545564.16.raw.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 12.2.MSBuild.exe.17d0000.6.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 12.2.MSBuild.exe.1430000.2.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 12.2.MSBuild.exe.3524cf0.18.raw.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, NanoCore
        Source: 12.2.MSBuild.exe.466a56f.23.raw.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 12.2.MSBuild.exe.61a0000.33.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 1.2.PAYMENT SLIP.exe.2400000.3.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 19.2.MSBuild.exe.410310d.2.raw.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 12.2.MSBuild.exe.46658d0.22.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 12.2.MSBuild.exe.17a0000.4.raw.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 12.2.MSBuild.exe.1844c9f.11.raw.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 13.2.hmhrpib.exe.2f30000.4.raw.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 19.2.MSBuild.exe.30d3c74.1.raw.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
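        The Yara lines above all share one shape: a memory-dump identifier, a source type and a rule name followed by the rule's metadata. When triaging a report like this one the useful questions are which process images carried the RAT, how many distinct regions per process, and whether a rule fired on the dump taken at the process's own image base (as it does for 22.2.MSBuild.exe.400000.0.unpack), which says the hosting process's executable image itself was replaced rather than only a heap buffer. The Python below is an example added to this page, not part of the Joe Sandbox report; it parses lines in the report's shape (both the run-together "UNPACKEDPEMatched rule:" form the extraction produced and a cleaned "UNPACKEDPE; Matched rule:" form) and summarises them. SAMPLE_LINES is constructed from a handful of the report's lines with the rule metadata abbreviated; the decoding of the identifier into process number, stage, image, hex address, dump index and optional .raw flag, and the 0x400000 image-base heuristic, are my reading and are not documented on the page.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the shape of this report's Yara lines (added example,
# not report data). Both the run-together extraction form ("UNPACKEDPEMatched
# rule:") and a cleaned form ("UNPACKEDPE; Matched rule:") are included, the
# rule metadata is abbreviated, and one non-Yara line is mixed in.
SAMPLE_LINES = """\
Source: 20.2.PAYMENT SLIP.exe.3050000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, author = Florian Roth
Source: 20.2.PAYMENT SLIP.exe.3050000.5.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, author = Kevin Breen <kevin@techanarchy.net>
Source: 12.2.MSBuild.exe.48e703e.26.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, author = Florian Roth
Source: 12.2.MSBuild.exe.48e703e.26.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, author = Florian Roth
Source: 8.2.hmhrpib.exe.2f30000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, author = Florian Roth
Source: 22.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, author = Kevin Breen <kevin@techanarchy.net>
Source: classification engine; Classification label: mal100.troj.evad.winEXE@26/31@17/1
"""

# "type:" may run straight into "Matched rule:" in the extracted text, so the
# separator between the two is optional.
LINE_RE = re.compile(
    r"Source:\s*(?P<src>.+?),\s*type:\s*(?P<type>[A-Z]+)[;,]?\s*Matched rule:\s*(?P<rule>\S+)"
)
# Memory-dump identifier as read from this report (assumed layout, not
# documented on the page): <process no>.<stage>.<image>.<hex address>.<dump index>[.raw].unpack
SRC_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<stage>\d+)\.(?P<image>.+?)\.(?P<addr>[0-9a-fA-F]+)\.(?P<idx>\d+)(?P<raw>\.raw)?\.unpack$"
)
DEFAULT_IMAGE_BASE = 0x400000  # usual base of a 32-bit PE that was not relocated (heuristic)


@dataclass(frozen=True)
class YaraHit:
    proc: int
    stage: int
    image: str
    address: int
    index: int
    raw: bool
    rule: str


def parse_yara_hits(text):
    """Return one YaraHit per 'Matched rule' line whose source is a memory dump."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m is None or m["type"] != "UNPACKEDPE":
            continue
        s = SRC_RE.match(m["src"])
        if s is None:
            continue  # a file or other source, not a process memory dump
        hits.append(YaraHit(int(s["proc"]), int(s["stage"]), s["image"],
                            int(s["addr"], 16), int(s["idx"]),
                            s["raw"] is not None, m["rule"]))
    return hits


def summarize(hits):
    """Per process image: which analysis processes, how many distinct
    (process, address) regions, and which rule names fired."""
    acc = defaultdict(lambda: {"procs": set(), "regions": set(), "rules": set()})
    for h in hits:
        e = acc[h.image]
        e["procs"].add(h.proc)
        e["regions"].add((h.proc, h.address))
        e["rules"].add(h.rule)
    return {img: {"procs": sorted(e["procs"]),
                  "regions": len(e["regions"]),
                  "rules": sorted(e["rules"])} for img, e in acc.items()}


def hits_at_image_base(hits):
    """(process no, image) pairs where a rule fired on the dump taken at the
    default image base: the executing image itself carried the RAT, not only
    a heap buffer. Heuristic; a relocated image would be missed."""
    return sorted({(h.proc, h.image) for h in hits if h.address == DEFAULT_IMAGE_BASE})


if __name__ == "__main__":
    parsed = parse_yara_hits(SAMPLE_LINES)
    for image, info in summarize(parsed).items():
        print(f"{image}: procs={info['procs']} regions={info['regions']} rules={info['rules']}")
    print("RAT at image base in:", hits_at_image_base(parsed))
```

        Run over the full list above, the same functions give three images (PAYMENT SLIP.exe, hmhrpib.exe, MSBuild.exe) and put the RAT at the image base of MSBuild.exe process 22, which is the single most useful line in the list for anyone writing a memory-scanning detection: the hosting process is a signed Microsoft binary, so only its in-memory image, not its file on disk, carries the signature.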
        Source: 12.2.MSBuild.exe.400000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs; Cryptographic APIs: 'CreateDecryptor'
        Source: 12.2.MSBuild.exe.400000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs; Cryptographic APIs: 'TransformFinalBlock'
        Source: 12.2.MSBuild.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs; Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 19.2.MSBuild.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs; Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 19.2.MSBuild.exe.400000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs; Cryptographic APIs: 'CreateDecryptor'
        Source: 19.2.MSBuild.exe.400000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs; Cryptographic APIs: 'TransformFinalBlock'
        Source: 19.2.MSBuild.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs; Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 19.2.MSBuild.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs; Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 12.2.MSBuild.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs; Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 12.2.MSBuild.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs; Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: MSBuild.exe, 00000011.00000002.714864522.0000000002E71000.00000004.00000001.sdmp; Binary or memory string: *.sln
        Source: classification engine; Classification label: mal100.troj.evad.winEXE@26/31@17/1
        Source: C:\Users\user\Desktop\PAYMENT SLIP.exe; Code function: 1_2_004035D8 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
        Source: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe; Code function: 8_2_004035D8 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe; Code function: 12_2_057D12EA AdjustTokenPrivileges,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe; Code function: 12_2_057D12B3 AdjustTokenPrivileges,
        Source: C:\Users\user\Desktop\PAYMENT SLIP.exe; Code function: 1_2_00404983 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,
        Source: C:\Users\user\Desktop\PAYMENT SLIP.exe; Code function: 1_2_004021A2 CoCreateInstance,
        Source: C:\Users\user\Desktop\PAYMENT SLIP.exe; File created: C:\Users\user\AppData\Roaming\tteegmiuoefs
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe; Mutant created: \Sessions\1\BaseNamedObjects\Global\{c473d7c4-8173-4cff-8fb5-dfc81a12600f}
        Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6876:120:WilError_01
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe; Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
        Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6608:120:WilError_01
        Source: C:\Users\user\Desktop\PAYMENT SLIP.exe; File created: C:\Users\user\AppData\Local\Temp\nsmD248.tmp
        Source: PAYMENT SLIP.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Users\user\Desktop\PAYMENT SLIP.exe File read: C:\Users\desktop.ini
        Source: C:\Users\user\Desktop\PAYMENT SLIP.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Users\user\Desktop\PAYMENT SLIP.exe File read: C:\Users\user\Desktop\PAYMENT SLIP.exe
        Source: unknown Process created: C:\Users\user\Desktop\PAYMENT SLIP.exe 'C:\Users\user\Desktop\PAYMENT SLIP.exe'
        Source: C:\Users\user\Desktop\PAYMENT SLIP.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 'C:\Users\user\Desktop\PAYMENT SLIP.exe'
        Source: C:\Users\user\Desktop\PAYMENT SLIP.exe Process created: C:\Users\user\Desktop\PAYMENT SLIP.exe 'C:\Users\user\Desktop\PAYMENT SLIP.exe'
        Source: unknown Process created: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe 'C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe'
        Source: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 'C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe'
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp3E70.tmp'
        Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 0
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\PAYMENT SLIP.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
        Source: PAYMENT SLIP.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: C:\Windows\System.pdboo source: MSBuild.exe, 0000000C.00000002.910679793.0000000003156000.00000004.00000040.sdmp
        Source: Binary string: indows\symbols\dll\System.pdb source: MSBuild.exe, 0000000C.00000002.910679793.0000000003156000.00000004.00000040.sdmp
        Source: Binary string: C:\Windows\dll\System.pdb source: MSBuild.exe, 0000000C.00000002.910679793.0000000003156000.00000004.00000040.sdmp
        Source: Binary string: wntdll.pdbUGP source: PAYMENT SLIP.exe, 00000001.00000003.657311903.0000000003210000.00000004.00000001.sdmp, PAYMENT SLIP.exe, 00000006.00000003.682894509.00000000031A0000.00000004.00000001.sdmp, hmhrpib.exe, 00000008.00000003.698726945.0000000002FB0000.00000004.00000001.sdmp, PAYMENT SLIP.exe, 0000000A.00000003.710544371.00000000032C0000.00000004.00000001.sdmp, hmhrpib.exe, 0000000D.00000003.715127820.0000000002F70000.00000004.00000001.sdmp, PAYMENT SLIP.exe, 00000014.00000003.735577807.0000000003090000.00000004.00000001.sdmp
        Source: Binary string: \??\C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb* source: MSBuild.exe, 0000000C.00000003.887823042.0000000001658000.00000004.00000001.sdmp
        Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: MSBuild.exe, 0000000C.00000002.910378079.00000000017A0000.00000004.00000001.sdmp
        Source: Binary string: wntdll.pdb source: PAYMENT SLIP.exe, 00000001.00000003.657311903.0000000003210000.00000004.00000001.sdmp, PAYMENT SLIP.exe, 00000006.00000003.682894509.00000000031A0000.00000004.00000001.sdmp, hmhrpib.exe, 00000008.00000003.698726945.0000000002FB0000.00000004.00000001.sdmp, PAYMENT SLIP.exe, 0000000A.00000003.710544371.00000000032C0000.00000004.00000001.sdmp, hmhrpib.exe, 0000000D.00000003.715127820.0000000002F70000.00000004.00000001.sdmp, PAYMENT SLIP.exe, 00000014.00000003.735577807.0000000003090000.00000004.00000001.sdmp
        Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: MSBuild.exe, 0000000C.00000002.911646592.000000000485A000.00000004.00000001.sdmp
        Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: MSBuild.exe, 0000000C.00000002.910984817.00000000034F4000.00000004.00000001.sdmp
        Source: Binary string: indows\System.pdbpdbtem.pdb source: MSBuild.exe, 0000000C.00000002.910679793.0000000003156000.00000004.00000040.sdmp
        Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: MSBuild.exe, 0000000C.00000002.910984817.00000000034F4000.00000004.00000001.sdmp
        Source: Binary string: System.pdbX source: MSBuild.exe, 0000000C.00000002.910679793.0000000003156000.00000004.00000040.sdmp
        Source: Binary string: System.pdb source: MSBuild.exe, 0000000C.00000002.910679793.0000000003156000.00000004.00000040.sdmp
        Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: MSBuild.exe, 0000000C.00000002.910984817.00000000034F4000.00000004.00000001.sdmp
        Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: MSBuild.exe, 0000000C.00000002.910679793.0000000003156000.00000004.00000040.sdmp
        Source: Binary string: mscorrc.pdb source: MSBuild.exe, 0000000C.00000002.913261020.0000000005DA0000.00000002.00000001.sdmp
        Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: MSBuild.exe, 0000000C.00000002.910417181.00000000017D0000.00000004.00000001.sdmp

        Data Obfuscation:

        .NET source code contains potential unpacker
        Source: 12.2.MSBuild.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 12.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 19.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 19.2.MSBuild.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Code function: 12_2_014C74AC push ecx; ret
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Code function: 12_2_014C74B8 push ebp; ret
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Code function: 12_2_014C9D58 pushad ; retf
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Code function: 12_2_014C9D54 push eax; retf
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Code function: 12_2_014C5CE6 push 00000005h; iretd
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Code function: 12_2_06CD0E48 push ebx; retf
        Source: 12.2.MSBuild.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 12.2.MSBuild.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 19.2.MSBuild.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 19.2.MSBuild.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: C:\Users\user\Desktop\PAYMENT SLIP.exe File created: C:\Users\user\AppData\Local\Temp\nsz6311.tmp\qm1tw12xr.dll
        Source: C:\Users\user\Desktop\PAYMENT SLIP.exe File created: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe
        Source: C:\Users\user\Desktop\PAYMENT SLIP.exe File created: C:\Users\user\AppData\Local\Temp\nsy2D8A.tmp\qm1tw12xr.dll
        Source: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe File created: C:\Users\user\AppData\Local\Temp\nsj3D87.tmp\qm1tw12xr.dll
        Source: C:\Users\user\Desktop\PAYMENT SLIP.exe File created: C:\Users\user\AppData\Local\Temp\nsiFB00.tmp\qm1tw12xr.dll
        Source: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe File created: C:\Users\user\AppData\Local\Temp\nsb1C63.tmp\qm1tw12xr.dll
        Source: C:\Users\user\Desktop\PAYMENT SLIP.exe File created: C:\Users\user\AppData\Local\Temp\nshD279.tmp\qm1tw12xr.dll

        Boot Survival:

        Uses schtasks.exe or at.exe to add and modify task schedules
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp3E70.tmp'
        Source: C:\Users\user\Desktop\PAYMENT SLIP.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run jnckjcfx

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\PAYMENT SLIP.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT SLIP.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\PAYMENT SLIP.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Window / User API: foregroundWindowGot 755
        Source: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe TID: 6140 | Thread sleep time: -30000s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 6524 | Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 6652 | Thread sleep time: -340000s >= -30000s
        Source: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe TID: 6348 | Thread sleep time: -30000s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 6956 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7000 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7048 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Users\user\Desktop\PAYMENT SLIP.exe | Code function: 1_2_00405C4E CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
        Source: C:\Users\user\Desktop\PAYMENT SLIP.exe | Code function: 1_2_0040689A FindFirstFileW,FindClose,
        Source: C:\Users\user\Desktop\PAYMENT SLIP.exe | Code function: 1_2_00402902 FindFirstFileW,
        Source: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe | Code function: 8_2_00405C4E CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
        Source: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe | Code function: 8_2_0040689A FindFirstFileW,FindClose,
        Source: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe | Code function: 8_2_00402902 FindFirstFileW,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 12_2_057D1012 GetSystemInfo,
        Source: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe | Thread delayed: delay time: 30000
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe | Thread delayed: delay time: 30000
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Thread delayed: delay time: 922337203685477
        Source: MSBuild.exe, 0000000C.00000002.913661649.0000000006050000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
        Source: MSBuild.exe, 0000000C.00000002.913661649.0000000006050000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
        Source: MSBuild.exe, 0000000C.00000002.913661649.0000000006050000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
        Source: MSBuild.exe, 0000000C.00000002.910250249.000000000160F000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: MSBuild.exe, 0000000C.00000002.913661649.0000000006050000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\PAYMENT SLIP.exe | Code function: 1_2_10001000 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\PAYMENT SLIP.exe | Code function: 1_2_10001110 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\PAYMENT SLIP.exe | Code function: 1_2_00B1218C mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\PAYMENT SLIP.exe | Code function: 1_2_00B12451 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\PAYMENT SLIP.exe | Code function: 6_2_0305218C mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\PAYMENT SLIP.exe | Code function: 6_2_03052451 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe | Code function: 8_2_02F1218C mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe | Code function: 8_2_02F12451 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\PAYMENT SLIP.exe | Code function: 10_2_023A2451 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\PAYMENT SLIP.exe | Code function: 10_2_023A218C mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe | Code function: 13_2_02F12451 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe | Code function: 13_2_02F1218C mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\PAYMENT SLIP.exe | Code function: 20_2_022B218C mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\PAYMENT SLIP.exe | Code function: 20_2_022B2451 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Process token adjusted: Debug
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

        Maps a DLL or memory area into another process
        Source: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe | Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe protection: execute and read and write
        Source: C:\Users\user\Desktop\PAYMENT SLIP.exe | Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe protection: execute and read and write
        Writes to foreign memory regions
        Source: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 103E008
        Source: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: C0E008
        Source: C:\Users\user\Desktop\PAYMENT SLIP.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: A23008
        Source: C:\Users\user\Desktop\PAYMENT SLIP.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 'C:\Users\user\Desktop\PAYMENT SLIP.exe'
        Source: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 'C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe'
        Source: C:\Users\user\Desktop\PAYMENT SLIP.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 'C:\Users\user\Desktop\PAYMENT SLIP.exe'
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp3E70.tmp'
        Source: C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 'C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe'
        Source: C:\Users\user\Desktop\PAYMENT SLIP.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 'C:\Users\user\Desktop\PAYMENT SLIP.exe'
        Source: MSBuild.exe, 0000000C.00000002.910250249.000000000160F000.00000004.00000020.sdmp | Binary or memory string: Program Manager (IKEv2){DD7E8301-7047-4E86-A635-691AFA4197AE}y
        Source: MSBuild.exe, 0000000C.00000002.911166486.00000000036CA000.00000004.00000001.sdmp | Binary or memory string: Program Manager
        Source: MSBuild.exe, 0000000C.00000002.910582114.0000000001C20000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
        Source: MSBuild.exe, 0000000C.00000002.910582114.0000000001C20000.00000002.00000001.sdmp | Binary or memory string: Progman
        Source: MSBuild.exe, 0000000C.00000002.910250249.000000000160F000.00000004.00000020.sdmp | Binary or memory string: Program Managersoft.NET\Framework\v2.0.50727\MSBuild.exe
        Source: MSBuild.exe, 0000000C.00000002.910582114.0000000001C20000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
        Source: MSBuild.exe, 0000000C.00000002.910984817.00000000034F4000.00000004.00000001.sdmp | Binary or memory string: Program Managerr
        Source: MSBuild.exe, 0000000C.00000002.910278193.0000000001648000.00000004.00000020.sdmp | Binary or memory string: Program Manager<
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation
        Source: C:\Users\user\Desktop\PAYMENT SLIP.exe | Code function: 1_2_004035D8 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT
        Source: Yara match | File source: 0000000C.00000002.911350836.00000000044FF000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000002.706739434.0000000002F30000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000002.732908055.0000000002F30000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000A.00000002.723894048.00000000024E0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000001.00000002.665787151.0000000002400000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.914312313.00000000061A0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000013.00000002.745550001.00000000040B1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000016.00000002.762297835.0000000002F11000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000006.00000002.693808017.0000000003160000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000016.00000002.762317389.0000000003F11000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000016.00000002.753927401.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000014.00000002.745571478.0000000003050000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000013.00000002.745514113.00000000030B1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000013.00000002.744233608.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.909543177.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: PAYMENT SLIP.exe PID: 5704, type: MEMORY
        Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 6948, type: MEMORY
        Source: Yara match | File source: Process Memory Space: PAYMENT SLIP.exe PID: 6804, type: MEMORY
        Source: Yara match | File source: Process Memory Space: hmhrpib.exe PID: 6376, type: MEMORY
        Source: Yara match | File source: Process Memory Space: hmhrpib.exe PID: 6024, type: MEMORY
        Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 6940, type: MEMORY
        Source: Yara match | File source: Process Memory Space: PAYMENT SLIP.exe PID: 6900, type: MEMORY
        Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 6372, type: MEMORY
        Source: Yara match | File source: 6.2.PAYMENT SLIP.exe.3160000.5.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 10.2.PAYMENT SLIP.exe.24e0000.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.MSBuild.exe.450c0f1.20.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.2.PAYMENT SLIP.exe.2400000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 20.2.PAYMENT SLIP.exe.3050000.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.MSBuild.exe.4507ac8.19.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 10.2.PAYMENT SLIP.exe.24e0000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 19.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.hmhrpib.exe.2f30000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 19.2.MSBuild.exe.40feae4.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 22.2.MSBuild.exe.3f5eae4.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 6.2.PAYMENT SLIP.exe.3160000.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 20.2.PAYMENT SLIP.exe.3050000.5.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 8.2.hmhrpib.exe.2f30000.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 8.2.hmhrpib.exe.2f30000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 22.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 19.2.MSBuild.exe.40feae4.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.MSBuild.exe.4507ac8.19.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.MSBuild.exe.61a0000.33.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 22.2.MSBuild.exe.3f59cae.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 19.2.MSBuild.exe.40f9cae.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 22.2.MSBuild.exe.3f6310d.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 22.2.MSBuild.exe.3f5eae4.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.MSBuild.exe.61a4629.32.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.MSBuild.exe.61a0000.33.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.2.PAYMENT SLIP.exe.2400000.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 19.2.MSBuild.exe.410310d.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 13.2.hmhrpib.exe.2f30000.4.raw.unpack, type: UNPACKEDPE

        Remote Access Functionality:

        Detected Nanocore Rat
        Source: PAYMENT SLIP.exe, 00000001.00000002.665787151.0000000002400000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: PAYMENT SLIP.exe, 00000006.00000002.693808017.0000000003160000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: hmhrpib.exe, 00000008.00000002.706739434.0000000002F30000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: PAYMENT SLIP.exe, 0000000A.00000002.723894048.00000000024E0000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: MSBuild.exe, 0000000C.00000002.911350836.00000000044FF000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
dAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: hmhrpib.exe, 0000000D.00000002.732908055.0000000002F30000.00000004.00000001.sdmp, string found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 00000013.00000002.745550001.00000000040B1000.00000004.00000001.sdmp, string found in binary or memory: NanoCore.ClientPluginHost
        Source: MSBuild.exe, 00000013.00000002.745550001.00000000040B1000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.R
untime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: PAYMENT SLIP.exe, 00000014.00000002.745571478.0000000003050000.00000004.00000001.sdmp, string found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 00000016.00000002.762297835.0000000002F11000.00000004.00000001.sdmp, string found in binary or memory: NanoCore.ClientPluginHost
        Source: MSBuild.exe, 00000016.00000002.762297835.0000000002F11000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.R
untime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Yara detected Nanocore RAT
Source: Yara match; file source: 0000000C.00000002.911350836.00000000044FF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000008.00000002.706739434.0000000002F30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 0000000D.00000002.732908055.0000000002F30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 0000000A.00000002.723894048.00000000024E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000001.00000002.665787151.0000000002400000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 0000000C.00000002.914312313.00000000061A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000013.00000002.745550001.00000000040B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000016.00000002.762297835.0000000002F11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000006.00000002.693808017.0000000003160000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000016.00000002.762317389.0000000003F11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000016.00000002.753927401.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000014.00000002.745571478.0000000003050000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000013.00000002.745514113.00000000030B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000013.00000002.744233608.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 0000000C.00000002.909543177.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: Process Memory Space: PAYMENT SLIP.exe PID: 5704, type: MEMORY
Source: Yara match; file source: Process Memory Space: MSBuild.exe PID: 6948, type: MEMORY
Source: Yara match; file source: Process Memory Space: PAYMENT SLIP.exe PID: 6804, type: MEMORY
Source: Yara match; file source: Process Memory Space: hmhrpib.exe PID: 6376, type: MEMORY
Source: Yara match; file source: Process Memory Space: hmhrpib.exe PID: 6024, type: MEMORY
Source: Yara match; file source: Process Memory Space: MSBuild.exe PID: 6940, type: MEMORY
Source: Yara match; file source: Process Memory Space: PAYMENT SLIP.exe PID: 6900, type: MEMORY
Source: Yara match; file source: Process Memory Space: MSBuild.exe PID: 6372, type: MEMORY
Source: Yara match; file source: 6.2.PAYMENT SLIP.exe.3160000.5.unpack, type: UNPACKEDPE
Source: Yara match; file source: 10.2.PAYMENT SLIP.exe.24e0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 12.2.MSBuild.exe.450c0f1.20.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 1.2.PAYMENT SLIP.exe.2400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 20.2.PAYMENT SLIP.exe.3050000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 12.2.MSBuild.exe.4507ac8.19.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 10.2.PAYMENT SLIP.exe.24e0000.4.unpack, type: UNPACKEDPE
Source: Yara match; file source: 19.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 13.2.hmhrpib.exe.2f30000.4.unpack, type: UNPACKEDPE
Source: Yara match; file source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 19.2.MSBuild.exe.40feae4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 22.2.MSBuild.exe.3f5eae4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 6.2.PAYMENT SLIP.exe.3160000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 20.2.PAYMENT SLIP.exe.3050000.5.unpack, type: UNPACKEDPE
Source: Yara match; file source: 8.2.hmhrpib.exe.2f30000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 8.2.hmhrpib.exe.2f30000.4.unpack, type: UNPACKEDPE
Source: Yara match; file source: 22.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 19.2.MSBuild.exe.40feae4.3.unpack, type: UNPACKEDPE
Source: Yara match; file source: 12.2.MSBuild.exe.4507ac8.19.unpack, type: UNPACKEDPE
Source: Yara match; file source: 12.2.MSBuild.exe.61a0000.33.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 22.2.MSBuild.exe.3f59cae.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 19.2.MSBuild.exe.40f9cae.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 22.2.MSBuild.exe.3f6310d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 22.2.MSBuild.exe.3f5eae4.2.unpack, type: UNPACKEDPE
Source: Yara match; file source: 12.2.MSBuild.exe.61a4629.32.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 12.2.MSBuild.exe.61a0000.33.unpack, type: UNPACKEDPE
Source: Yara match; file source: 1.2.PAYMENT SLIP.exe.2400000.3.unpack, type: UNPACKEDPE
Source: Yara match; file source: 19.2.MSBuild.exe.410310d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 13.2.hmhrpib.exe.2f30000.4.raw.unpack, type: UNPACKEDPE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe, code function: 12_2_057D283A bind
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe, code function: 12_2_057D27E8 bind
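The Yara hits above are string matches: every listed region carries the plugin-host interface name NanoCore.ClientPluginHost, and the decompiled metadata ends in a plugin assembly name (NanoCoreBase.dll, ClientPlugin.dll, MyClientPlugin.dll). As an added example, which is not Joe Sandbox's community rule and takes nothing from the sample beyond the strings quoted in this report, the following Python reproduces that rule shape (an anchor string plus N of M module names) over memory regions and reports which capability strings from the dumps are present. The capability labels are my reading of the neighbouring API names (mciSendString, SwapMouseButton); the regions are constructed, not real dumps.

```python
"""Yara-style classification of memory regions for NanoCore plugin hosts.

Added example: not Joe Sandbox's community rule; the only values taken from
the report are the string literals quoted in it. The regions built by
constructed_regions() are made up for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# The plugin-host interface name present in every dump the report lists.
ANCHOR = b"NanoCore.ClientPluginHost"

# Plugin assembly names the report's dumps end with.
PLUGIN_MODULES = (b"NanoCoreBase.dll", b"ClientPlugin.dll", b"MyClientPlugin.dll")

# Strings that sit next to the plugin code in the dumps, mapped to the
# capability they imply (my reading of the neighbouring API names).
CAPABILITY_STRINGS = {
    b"set CDAudio door open": "CD tray control via mciSendString",
    b"SwapMouseButton": "mouse button swapping via user32",
    b"DisableWebcamLights": "webcam light suppression",
    b"DisableProtection": "toggling of the client's own protection",
}


@dataclass
class Verdict:
    matched: bool
    modules: list[str] = field(default_factory=list)
    capabilities: list[str] = field(default_factory=list)
    offsets: dict[str, int] = field(default_factory=dict)


def find_string(region: bytes, needle: bytes) -> int:
    """Offset of needle as narrow text or as UTF-16LE, or -1.

    .NET type and member names (#Strings heap) are stored as UTF-8, but user
    strings such as "set CDAudio door open" live in the #US heap as UTF-16LE,
    so a rule that only checks ASCII misses them in a live region.
    """
    off = region.find(needle)
    if off == -1:
        off = region.find(needle.decode("ascii").encode("utf-16-le"))
    return off


def classify(region: bytes, min_modules: int = 1) -> Verdict:
    """Match like a rule of the form `$anchor and N of ($module*)`."""
    verdict = Verdict(matched=False)
    anchor_off = find_string(region, ANCHOR)
    if anchor_off == -1:
        return verdict  # no plugin-host interface: not this family
    verdict.offsets[ANCHOR.decode()] = anchor_off
    for module in PLUGIN_MODULES:
        off = find_string(region, module)
        if off != -1:
            verdict.modules.append(module.decode())
            verdict.offsets[module.decode()] = off
    for needle, capability in CAPABILITY_STRINGS.items():
        if find_string(region, needle) != -1:
            verdict.capabilities.append(capability)
    verdict.matched = len(verdict.modules) >= min_modules
    return verdict


def constructed_regions() -> dict[str, bytes]:
    """Constructed inputs (not real dumps): a NanoCore-like region, a benign
    MSBuild region, and one with a module name but no host interface."""
    pad = b"\x00" * 32
    nanocore = (
        pad + b"<Module>mscorlibMicrosoft.VisualBasic" + ANCHOR + b"IClientNetworkHost"
        + pad + b"NanoCoreBase.dll" + pad
        + "set CDAudio door open".encode("utf-16-le") + pad
    )
    benign = pad + b"Microsoft.Build.Engine, Version=2.0.0.0, Culture=neutral" + pad
    partial = pad + b"ClientPlugin.dll" + pad
    return {"nanocore": nanocore, "benign": benign, "partial": partial}


if __name__ == "__main__":
    for name, region in constructed_regions().items():
        print(name, classify(region))
```

Requiring the anchor keeps a lone "ClientPlugin.dll" from firing on its own, and raising min_modules tightens the rule for triage of bulk dumps; the UTF-16LE fallback is what keeps the #US-heap strings visible when scanning live memory rather than a decompiler's output.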

MITRE ATT&CK Matrix

Techniques matched by this sample, grouped by tactic. The digits in parentheses are the signature counters Joe Sandbox attaches to each matched technique, copied as extracted; cells of the original matrix without a counter (Valid Accounts, Default Accounts, At (Linux), Cron and the other standard placeholders) are unmatched and are omitted here.

Initial Access: none
Execution: Scheduled Task/Job (1)
Persistence: Scheduled Task/Job (1); Registry Run Keys / Startup Folder (1)
Privilege Escalation: Access Token Manipulation (1); Process Injection (212); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (1)
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (11); Masquerading (1); Virtualization/Sandbox Evasion (31); Access Token Manipulation (1); Process Injection (212); Hidden Files and Directories (1)
Credential Access: Input Capture (11)
Discovery: File and Directory Discovery (2); System Information Discovery (15); Security Software Discovery (111); Process Discovery (2); Virtualization/Sandbox Evasion (31); Application Window Discovery (1)
Lateral Movement: none
Collection: Archive Collected Data (11); Input Capture (11); Clipboard Data (1)
Exfiltration: none
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (12); Non-Standard Port (1); Remote Access Software (1); Non-Application Layer Protocol (1); Application Layer Protocol (12)
Network Effects: none
Remote Service Effects: none
Impact: System Shutdown/Reboot (1)

Behavior Graph

Behavior Graph ID: 412302, Sample: PAYMENT SLIP.exe, Start date: 12/05/2021, Architecture: WINDOWS, Score: 100. The interactive graph is not reproduced here; the process tree and the annotations it carried are listed below.

Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures.

PAYMENT SLIP.exe (initial sample)
  drops C:\Users\user\AppData\Roaming\...\hmhrpib.exe (PE32) and C:\Users\user\AppData\Local\...\qm1tw12xr.dll (PE32)
  starts PAYMENT SLIP.exe
    drops C:\Users\user\AppData\Local\...\qm1tw12xr.dll (PE32)
    starts PAYMENT SLIP.exe
      drops C:\Users\user\AppData\Local\...\qm1tw12xr.dll (PE32)
      starts PAYMENT SLIP.exe
        drops C:\Users\user\AppData\Local\...\qm1tw12xr.dll (PE32)
        Writes to foreign memory regions; Maps a DLL or memory area into another process
        starts MSBuild.exe
      starts MSBuild.exe
    starts MSBuild.exe
  starts MSBuild.exe
    Uses schtasks.exe or at.exe to add and modify task schedules
hmhrpib.exe (dropped copy, first instance)
  drops C:\Users\user\AppData\Local\...\qm1tw12xr.dll (PE32)
  Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions
  starts MSBuild.exe
    connects to seaudo.hopto.org (23.254.130.71, HOSTWINDSUS, United States); ports listed: 3030, 49745, 49746 (the latter two are in the Windows ephemeral range, so 3030 is the server-side port)
    drops C:\Users\user\AppData\Roaming\...\run.dat and C:\Users\user\AppData\Local\...\tmp3E70.tmp (XML)
    Hides that the sample has been downloaded from the Internet (zone.identifier)
    starts schtasks.exe
      starts conhost.exe
hmhrpib.exe (dropped copy, second instance)
  drops C:\Users\user\AppData\Local\...\qm1tw12xr.dll (PE32)
  Maps a DLL or memory area into another process
  starts MSBuild.exe
MSBuild.exe (started from the root, not by one of the processes above)
  starts conhost.exe


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
PAYMENT SLIP.exe | 100% | Joe Sandbox ML | 

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe | 100% | Joe Sandbox ML | 
C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe | 43% | ReversingLabs | Win32.Backdoor.Androm

Unpacked PE Files

Source | Detection | Scanner | Label
10.2.PAYMENT SLIP.exe.23e0000.3.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
19.2.MSBuild.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
20.2.PAYMENT SLIP.exe.2f50000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
12.2.MSBuild.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
22.2.MSBuild.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
12.2.MSBuild.exe.4507ac8.19.unpack | 100% | Avira | TR/NanoCore.fadte
12.2.MSBuild.exe.61a0000.33.unpack | 100% | Avira | TR/NanoCore.fadte
1.2.PAYMENT SLIP.exe.3110000.5.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
6.2.PAYMENT SLIP.exe.3060000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

        Domains

        No Antivirus matches

URLs

Source | Detection | Scanner | Label
23.254.130.71 | 1% | Virustotal | 
23.254.130.71 | 0% | Avira URL Cloud | safe
seaudo.hopto.org | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
seaudo.hopto.org | 23.254.130.71 | true | true | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
23.254.130.71 | true | Virustotal: 1%; Avira URL Cloud: safe | unknown
seaudo.hopto.org | true | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://nsis.sf.net/NSIS_ErrorError | PAYMENT SLIP.exe | false | | high

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
23.254.130.71 | seaudo.hopto.org | United States | 54290 | HOSTWINDSUS | true
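The only contacted host is a No-IP dynamic-DNS name (seaudo.hopto.org) resolving to 23.254.130.71 in AS54290, reached on TCP 3030, which is why the report flags both Non-Standard Port and a dynamic-DNS C2. As an added example that is not part of the Joe Sandbox report, the following Python scores connection records against those indicators and against two generic signals (a free dynamic-DNS zone and a non-standard port to an external host). The flow records, the benign pairings, the dynamic-DNS suffix list and the weights are constructed for the example; the TEST-NET addresses stand in for public hosts.

```python
"""Match connection records against this report's network indicators.

Added example, not part of the Joe Sandbox report: the IOC values are the
report's, the heuristics and weights are generic choices made here, and the
flow records are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Indicators taken from this report.
IOC_IPS = {"23.254.130.71"}
IOC_DOMAINS = {"seaudo.hopto.org"}
IOC_PORTS = {3030}

# Free dynamic-DNS zones often used for RAT C2; hopto.org is a No-IP zone.
# The list is illustrative, not complete.
DYNDNS_SUFFIXES = (".hopto.org", ".no-ip.org", ".no-ip.biz", ".ddns.net",
                   ".zapto.org", ".duckdns.org")

# Ports not treated as "non-standard" on their own.
STANDARD_PORTS = {21, 22, 25, 53, 80, 110, 123, 143, 443, 465, 587, 993, 995, 8080}

# RFC 1918 space counts as internal; everything else is treated as external so
# that documentation addresses (203.0.113.0/24) can stand in for public hosts.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    dst_name: str | None = None  # name from DNS or TLS SNI, when known


@dataclass
class Finding:
    flow: Flow
    score: int
    reasons: list[str]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def evaluate(flow: Flow, threshold: int = 5) -> Finding | None:
    """Score one flow; return a Finding at or above threshold, else None.

    An IOC hit alerts on its own; the two heuristics only reach the
    threshold together (dynamic-DNS name plus a non-standard port).
    """
    reasons: list[str] = []
    score = 0
    name = (flow.dst_name or "").lower()

    if flow.dst_ip in IOC_IPS:
        score += 10
        reasons.append(f"destination {flow.dst_ip} is a report IOC")
    if name in IOC_DOMAINS:
        score += 10
        reasons.append(f"name {name} is a report IOC")
    if flow.dst_port in IOC_PORTS:
        score += 3
        reasons.append(f"port {flow.dst_port} is the report's C2 port")
    if name.endswith(DYNDNS_SUFFIXES):
        score += 3
        reasons.append(f"{name} is in a free dynamic-DNS zone")
    if not is_internal(flow.dst_ip) and flow.dst_port not in STANDARD_PORTS:
        score += 2
        reasons.append(f"non-standard port {flow.dst_port} to an external host")

    return Finding(flow, score, reasons) if score >= threshold else None


def constructed_flows() -> list[Flow]:
    """Constructed records: one real-looking C2 session and four controls."""
    return [
        Flow("10.0.0.5", "23.254.130.71", 3030, "seaudo.hopto.org"),       # the report's C2 session
        Flow("10.0.0.5", "13.88.21.125", 443, "ctldl.windowsupdate.com"),   # benign pairing (constructed)
        Flow("10.0.0.5", "10.0.0.7", 3389),                                # RDP inside the LAN
        Flow("10.0.0.5", "203.0.113.20", 8443, "update.zapto.org"),        # unknown host, both heuristics
        Flow("10.0.0.5", "203.0.113.21", 5555),                            # odd port only: stays quiet
    ]


def triage(flows: list[Flow]) -> list[Finding]:
    return [f for f in (evaluate(fl) for fl in flows) if f is not None]


if __name__ == "__main__":
    for finding in triage(constructed_flows()):
        print(finding.flow.dst_ip, finding.score, "; ".join(finding.reasons))
```

The weights are deliberately asymmetric: a report IOC is a known-bad fact and alerts alone, while the dynamic-DNS and odd-port signals are each common in benign traffic and only matter in combination, which is how the report's own session would have looked before the indicator existed.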

            General Information

            Joe Sandbox Version:32.0.0 Black Diamond
            Analysis ID:412302
            Start date:12.05.2021
            Start time:15:40:17
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 11m 18s
            Hypervisor based Inspection enabled:false
            Report type:light
            Sample file name:PAYMENT SLIP.exe
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:30
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Detection:MAL
            Classification:mal100.troj.evad.winEXE@26/31@17/1
            EGA Information:Failed
            HDC Information:
            • Successful, ratio: 54.1% (good quality ratio 52.4%)
            • Quality average: 85.9%
            • Quality standard deviation: 23.7%
            HCA Information:
            • Successful, ratio: 94%
            • Number of executed functions: 0
            • Number of non-executed functions: 0
            Cookbook Comments:
            • Adjust boot time
            • Enable AMSI
            • Found application associated with file extension: .exe
            Warnings:
            • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
            • TCP Packets have been reduced to 100
            • Excluded IPs from analysis (whitelisted): 104.43.139.144, 104.43.193.48, 92.122.145.220, 13.88.21.125, 104.42.151.234, 20.82.209.183, 8.241.78.254, 67.26.73.254, 8.241.90.254, 8.241.83.126, 8.241.126.249, 52.155.217.156, 20.54.26.129, 92.122.213.247, 92.122.213.194, 20.82.210.154
            • Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size exceeded maximum capacity and may have missing disassembly code.
            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
            • Report size getting too big, too many NtDeviceIoControlFile calls found.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.

            Simulations

Behavior and APIs

Time | Type | Description
15:41:13 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run jnckjcfx C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe
15:41:21 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run jnckjcfx C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe
15:41:28 | API Interceptor | 2x Sleep call for process: hmhrpib.exe modified
15:41:32 | API Interceptor | 752x Sleep call for process: MSBuild.exe modified
15:41:34 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe" s>$(Arg0)
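The two persistence artifacts logged above are the durable host indicators in this report: a Run value with a generated name (jnckjcfx) pointing at a generated-name executable under AppData\Roaming, and a scheduled task with a benign-sounding name (DHCP Monitor) whose action is the .NET framework's MSBuild.exe with a $(Arg0) placeholder, which Task Scheduler replaces with the argument supplied when the task is started on demand, so the stored action alone does not show what will run. As an added hunting example that is not part of the Joe Sandbox report, the following Python applies those two patterns to a list of autorun records. The malicious records reproduce the report's own entries; the benign OneDrive and Edge records, the randomness test and the LOLBin list are constructed for the example.

```python
"""Hunt autorun entries for the persistence pattern in this report.

Added example, not part of the Joe Sandbox report: the two malicious records
reproduce the Run value and scheduled task the report logs; the benign
records, the heuristics and the LOLBin list are constructed here.
"""
from __future__ import annotations

import os
import re
from dataclasses import dataclass

APPDATA_RE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)
VOWELS = set("aeiouy")

# .NET framework utilities commonly used as hollowing targets from a task or
# Run value; the report's task action is MSBuild.exe. Illustrative list.
LOLBIN_HOSTS = {"msbuild.exe", "installutil.exe", "regasm.exe", "regsvcs.exe", "aspnet_compiler.exe"}


@dataclass(frozen=True)
class Autorun:
    kind: str      # "run" (registry Run value) or "task" (scheduled task)
    name: str
    command: str   # command line as stored


@dataclass
class Finding:
    entry: Autorun
    reasons: list[str]


def executable_of(command: str) -> str:
    """Program path from a command line, honouring a quoted first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(" ", 1)[0]


def looks_random(token: str) -> bool:
    """Crude generated-name test: very few vowels or a long consonant run."""
    t = token.lower()
    if not t.isalpha() or len(t) < 6:
        return False
    vowel_ratio = sum(c in VOWELS for c in t) / len(t)
    longest_consonant_run = max(len(run) for run in re.split(r"[aeiouy]+", t))
    return vowel_ratio < 0.2 or longest_consonant_run >= 4


def check_run_value(entry: Autorun) -> Finding | None:
    exe = executable_of(entry.command)
    base = os.path.splitext(os.path.basename(exe.replace("\\", "/")))[0]
    reasons = []
    if APPDATA_RE.search(exe):
        reasons.append("executable lives under user-writable AppData")
    if looks_random(entry.name):
        reasons.append(f"value name {entry.name!r} looks generated")
    if looks_random(base):
        reasons.append(f"executable name {base!r} looks generated")
    # AppData alone is normal (OneDrive, Teams); AppData plus a generated name is not.
    return Finding(entry, reasons) if len(reasons) >= 2 else None


def check_task(entry: Autorun) -> Finding | None:
    exe = executable_of(entry.command)
    base = os.path.basename(exe.replace("\\", "/")).lower()
    reasons = []
    if base in LOLBIN_HOSTS:
        reasons.append(f"task action is the .NET utility {base}, a common injection host")
    if "$(Arg0)" in entry.command:
        reasons.append("arguments arrive at start time via $(Arg0); the stored action does not show what runs")
    return Finding(entry, reasons) if reasons else None


def hunt(entries: list[Autorun]) -> list[Finding]:
    findings = []
    for entry in entries:
        finding = check_run_value(entry) if entry.kind == "run" else check_task(entry)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed records: the first and third reproduce the report's artifacts.
CONSTRUCTED_ENTRIES = [
    Autorun("run", "jnckjcfx", r"C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe"),
    Autorun("run", "OneDrive", r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    Autorun("task", "DHCP Monitor", r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe" s>$(Arg0)'),
    Autorun("task", "MicrosoftEdgeUpdateTaskMachineCore", r'"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /c'),
]


if __name__ == "__main__":
    for finding in hunt(CONSTRUCTED_ENTRIES):
        print(f"{finding.entry.kind}:{finding.entry.name}: " + "; ".join(finding.reasons))
```

Feed it the output of a Run-key and scheduled-task export (for example from Autoruns) and both report entries surface while the OneDrive and Edge controls stay quiet; the randomness test is crude on purpose and should be tuned against your own baseline before it is used for alerting rather than hunting.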

            Joe Sandbox View / Context

            IPs

            No context

            Domains

            No context

            ASN

Match | Associated Sample Name / URL | Detection | Context
HOSTWINDSUS | 210503_McDermott_NFE_RFQ.exe | malicious | 104.168.175.179
HOSTWINDSUS | ATT82166.HTM | malicious | 23.254.226.43
HOSTWINDSUS | H8iVAWlIfH.exe | malicious | 23.254.224.129
HOSTWINDSUS | PO.exe | malicious | 104.168.175.179
HOSTWINDSUS | ATT81583.HTM | malicious | 23.254.226.43
HOSTWINDSUS | DQhf1tNmwkbpjig.exe | malicious | 104.168.175.179
HOSTWINDSUS | PO.exe | malicious | 104.168.175.179
HOSTWINDSUS | quote.exe | malicious | 104.168.175.179
HOSTWINDSUS | List.exe | malicious | 104.168.175.179
HOSTWINDSUS | PURCHASE.exe | malicious | 104.168.175.179
HOSTWINDSUS | b0YXIQaXcjPgzWg.exe | malicious | 104.168.175.179
HOSTWINDSUS | SAMSUNG gFLNG FEED Update RFQ Documents and C.exe | malicious | 104.168.175.179
HOSTWINDSUS | cvhost.exe | malicious | 192.236.147.83
HOSTWINDSUS | cvhost.exe | malicious | 192.236.147.83
HOSTWINDSUS | SecuriteInfo.com.W32.AIDetect.malware1.9937.exe | malicious | 192.236.147.83
HOSTWINDSUS | SecuriteInfo.com.W32.AIDetect.malware1.32629.exe | malicious | 192.236.147.83
HOSTWINDSUS | PROJECT_EB200_RFQ_ITEMS_DOCUMENTS.pdf.exe | malicious | 104.168.175.179
HOSTWINDSUS | RFQ-EB200-PLOO1_Bidding.pdf.exe | malicious | 104.168.175.179
HOSTWINDSUS | po.exe | malicious | 104.168.175.179
HOSTWINDSUS | f5WPatHVT0.exe | malicious | 192.236.147.83

            JA3 Fingerprints

            No context

            Dropped Files

            No context

            Created / dropped Files

            C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\MSBuild.exe.log
            Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
            File Type:ASCII text, with CRLF line terminators
            Category:modified
            Size (bytes):325
            Entropy (8bit):5.334380084018418
            Encrypted:false
            SSDEEP:6:Q3LadLCR22IAQykdL1tZbLsbFLIP12MUAvvro6ysGMFLIP12MUAvvrs:Q3LaJU20NaL1tZbgbe4MqJsGMe4M6
            MD5:65CE98936A67552310EFE2F0FF5BDF88
            SHA1:8133653A6B9A169C7496ADE315CED322CFC3613A
            SHA-256:682F7C55B1B6E189D17755F74959CD08762F91373203B3B982ACFFCADE2E871A
            SHA-512:2D00AC024267EC384720A400F6D0B4F7EDDF49FAF8AB3C9E6CBFBBAE90ECADACA9022B33E3E8EC92E4F57C7FC830299C8643235EB4AA7D8A6AFE9DD1775F57C3
            Malicious:false
            Reputation:moderate, very likely benign file
            Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..2,"Microsoft.Build.Engine, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.Build.Framework, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
            C:\Users\user\AppData\Local\Temp\nsb1C63.tmp\qm1tw12xr.dll
            Process:C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe
            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):4608
            Entropy (8bit):3.7496483038392974
            Encrypted:false
            SSDEEP:48:Sa/T+kBvwunRLZ6AL0rpRVaS53RS9BNZYWrTZxZ4Vo:+kBvFLgALER8S53RS9dtng
            MD5:EE2F349BA112FE569BD9AB1368E65791
            SHA1:9CEB495D81A804E604111D98C1169B4A9B640510
            SHA-256:5A97B6F5313D875AE40429BB27D486F7B745EEFDF5C116E434DC08770923FA9F
            SHA-512:D4CD1A797307B4FC4D9C3E80979BDDE682F64931FCF6D9CFCAE333646A242C143C2F77D2D6A80E01452A614E7981339E7E17580871B48518DC71A58339970B64
            Malicious:false
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................................................................PE..L.....`...........!......................... ...............................@.......................................%..K.... ....................................................................................... ...............................text............................... ..`.rdata..+.... ......................@..@.data...&....0......................@...................................................................................................................................................................................................................................................................................................................................................................................................................................
            C:\Users\user\AppData\Local\Temp\nsd2D5A.tmp
            Process:C:\Users\user\Desktop\PAYMENT SLIP.exe
            File Type:data
            Category:dropped
            Size (bytes):227087
            Entropy (8bit):7.939223952673508
            Encrypted:false
            SSDEEP:6144:J7IDzCvnAXYv/i/8bA7r8ePZFz1Yxp1T:qOnSY3A807r8AZFz1UN
            MD5:DC0CB7051E536384DE28ED52AB92EA19
            SHA1:D145293DEE4F6A963FE964B44CB791F599265B52
            SHA-256:7180220E08967228A453E1076EFDEB42589456E4CB6F1D5C8F5765F1994A179C
            SHA-512:DD189821102FE517D24541F9D34C77F4210802B7B3FD089D0AA28090DFF719676325A8F886209B3CEE48AEA6149A67A4EC4C3C97E252EA7336F9E8EF4E36CD5E
            Malicious:false
            Preview: ........,.......................d.......4...................................................................................................................................................................................................................................................G...................j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
            C:\Users\user\AppData\Local\Temp\nshD279.tmp\qm1tw12xr.dll
            Process:C:\Users\user\Desktop\PAYMENT SLIP.exe
            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):4608
            Entropy (8bit):3.7496483038392974
            Encrypted:false
            SSDEEP:48:Sa/T+kBvwunRLZ6AL0rpRVaS53RS9BNZYWrTZxZ4Vo:+kBvFLgALER8S53RS9dtng
            MD5:EE2F349BA112FE569BD9AB1368E65791
            SHA1:9CEB495D81A804E604111D98C1169B4A9B640510
            SHA-256:5A97B6F5313D875AE40429BB27D486F7B745EEFDF5C116E434DC08770923FA9F
            SHA-512:D4CD1A797307B4FC4D9C3E80979BDDE682F64931FCF6D9CFCAE333646A242C143C2F77D2D6A80E01452A614E7981339E7E17580871B48518DC71A58339970B64
            Malicious:false
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................................................................PE..L.....`...........!......................... ...............................@.......................................%..K.... ....................................................................................... ...............................text............................... ..`.rdata..+.... ......................@..@.data...&....0......................@...................................................................................................................................................................................................................................................................................................................................................................................................................................
            C:\Users\user\AppData\Local\Temp\nsiFB00.tmp\qm1tw12xr.dll
            Process:C:\Users\user\Desktop\PAYMENT SLIP.exe
            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):4608
            Entropy (8bit):3.7496483038392974
            Encrypted:false
            SSDEEP:48:Sa/T+kBvwunRLZ6AL0rpRVaS53RS9BNZYWrTZxZ4Vo:+kBvFLgALER8S53RS9dtng
            MD5:EE2F349BA112FE569BD9AB1368E65791
            SHA1:9CEB495D81A804E604111D98C1169B4A9B640510
            SHA-256:5A97B6F5313D875AE40429BB27D486F7B745EEFDF5C116E434DC08770923FA9F
            SHA-512:D4CD1A797307B4FC4D9C3E80979BDDE682F64931FCF6D9CFCAE333646A242C143C2F77D2D6A80E01452A614E7981339E7E17580871B48518DC71A58339970B64
            Malicious:false
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................................................................PE..L.....`...........!......................... ...............................@.......................................%..K.... ....................................................................................... ...............................text............................... ..`.rdata..+.... ......................@..@.data...&....0......................@...................................................................................................................................................................................................................................................................................................................................................................................................................................
            C:\Users\user\AppData\Local\Temp\nsj3D87.tmp\qm1tw12xr.dll
            Process:C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe
            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):4608
            Entropy (8bit):3.7496483038392974
            Encrypted:false
            SSDEEP:48:Sa/T+kBvwunRLZ6AL0rpRVaS53RS9BNZYWrTZxZ4Vo:+kBvFLgALER8S53RS9dtng
            MD5:EE2F349BA112FE569BD9AB1368E65791
            SHA1:9CEB495D81A804E604111D98C1169B4A9B640510
            SHA-256:5A97B6F5313D875AE40429BB27D486F7B745EEFDF5C116E434DC08770923FA9F
            SHA-512:D4CD1A797307B4FC4D9C3E80979BDDE682F64931FCF6D9CFCAE333646A242C143C2F77D2D6A80E01452A614E7981339E7E17580871B48518DC71A58339970B64
            Malicious:false
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................................................................PE..L.....`...........!......................... ...............................@.......................................%..K.... ....................................................................................... ...............................text............................... ..`.rdata..+.... ......................@..@.data...&....0......................@...................................................................................................................................................................................................................................................................................................................................................................................................................................
            C:\Users\user\AppData\Local\Temp\nsj62B2.tmp
            Process:C:\Users\user\Desktop\PAYMENT SLIP.exe
            File Type:data
            Category:dropped
            Size (bytes):227087
            Entropy (8bit):7.939223952673508
            Encrypted:false
            SSDEEP:6144:J7IDzCvnAXYv/i/8bA7r8ePZFz1Yxp1T:qOnSY3A807r8AZFz1UN
            MD5:DC0CB7051E536384DE28ED52AB92EA19
            SHA1:D145293DEE4F6A963FE964B44CB791F599265B52
            SHA-256:7180220E08967228A453E1076EFDEB42589456E4CB6F1D5C8F5765F1994A179C
            SHA-512:DD189821102FE517D24541F9D34C77F4210802B7B3FD089D0AA28090DFF719676325A8F886209B3CEE48AEA6149A67A4EC4C3C97E252EA7336F9E8EF4E36CD5E
            Malicious:false
            Preview: ........,.......................d.......4...................................................................................................................................................................................................................................................G...................j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
            C:\Users\user\AppData\Local\Temp\nsmD249.tmp
            Process:C:\Users\user\Desktop\PAYMENT SLIP.exe
            File Type:data
            Category:dropped
            Size (bytes):227087
            Entropy (8bit):7.939223952673508
            Encrypted:false
            SSDEEP:6144:J7IDzCvnAXYv/i/8bA7r8ePZFz1Yxp1T:qOnSY3A807r8AZFz1UN
            MD5:DC0CB7051E536384DE28ED52AB92EA19
            SHA1:D145293DEE4F6A963FE964B44CB791F599265B52
            SHA-256:7180220E08967228A453E1076EFDEB42589456E4CB6F1D5C8F5765F1994A179C
            SHA-512:DD189821102FE517D24541F9D34C77F4210802B7B3FD089D0AA28090DFF719676325A8F886209B3CEE48AEA6149A67A4EC4C3C97E252EA7336F9E8EF4E36CD5E
            Malicious:false
            Preview: ........,.......................d.......4...................................................................................................................................................................................................................................................G...................j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
            C:\Users\user\AppData\Local\Temp\nsnFAD0.tmp
            Process:C:\Users\user\Desktop\PAYMENT SLIP.exe
            File Type:data
            Category:dropped
            Size (bytes):227087
            Entropy (8bit):7.939223952673508
            Encrypted:false
            SSDEEP:6144:J7IDzCvnAXYv/i/8bA7r8ePZFz1Yxp1T:qOnSY3A807r8AZFz1UN
            MD5:DC0CB7051E536384DE28ED52AB92EA19
            SHA1:D145293DEE4F6A963FE964B44CB791F599265B52
            SHA-256:7180220E08967228A453E1076EFDEB42589456E4CB6F1D5C8F5765F1994A179C
            SHA-512:DD189821102FE517D24541F9D34C77F4210802B7B3FD089D0AA28090DFF719676325A8F886209B3CEE48AEA6149A67A4EC4C3C97E252EA7336F9E8EF4E36CD5E
            Malicious:false
            Preview: ........,.......................d.......4...................................................................................................................................................................................................................................................G...................j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
            C:\Users\user\AppData\Local\Temp\nsq1C23.tmp
            Process:C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe
            File Type:data
            Category:dropped
            Size (bytes):227087
            Entropy (8bit):7.939223952673508
            Encrypted:false
            SSDEEP:6144:J7IDzCvnAXYv/i/8bA7r8ePZFz1Yxp1T:qOnSY3A807r8AZFz1UN
            MD5:DC0CB7051E536384DE28ED52AB92EA19
            SHA1:D145293DEE4F6A963FE964B44CB791F599265B52
            SHA-256:7180220E08967228A453E1076EFDEB42589456E4CB6F1D5C8F5765F1994A179C
            SHA-512:DD189821102FE517D24541F9D34C77F4210802B7B3FD089D0AA28090DFF719676325A8F886209B3CEE48AEA6149A67A4EC4C3C97E252EA7336F9E8EF4E36CD5E
            Malicious:false
            Preview: ........,.......................d.......4...................................................................................................................................................................................................................................................G...................j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
            C:\Users\user\AppData\Local\Temp\nsy2D8A.tmp\qm1tw12xr.dll
            Process:C:\Users\user\Desktop\PAYMENT SLIP.exe
            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):4608
            Entropy (8bit):3.7496483038392974
            Encrypted:false
            SSDEEP:48:Sa/T+kBvwunRLZ6AL0rpRVaS53RS9BNZYWrTZxZ4Vo:+kBvFLgALER8S53RS9dtng
            MD5:EE2F349BA112FE569BD9AB1368E65791
            SHA1:9CEB495D81A804E604111D98C1169B4A9B640510
            SHA-256:5A97B6F5313D875AE40429BB27D486F7B745EEFDF5C116E434DC08770923FA9F
            SHA-512:D4CD1A797307B4FC4D9C3E80979BDDE682F64931FCF6D9CFCAE333646A242C143C2F77D2D6A80E01452A614E7981339E7E17580871B48518DC71A58339970B64
            Malicious:false
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................................................................PE..L.....`...........!......................... ...............................@.......................................%..K.... ....................................................................................... ...............................text............................... ..`.rdata..+.... ......................@..@.data...&....0......................@...................................................................................................................................................................................................................................................................................................................................................................................................................................
            C:\Users\user\AppData\Local\Temp\nsz3D48.tmp
            Process:C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe
            File Type:data
            Category:dropped
            Size (bytes):227087
            Entropy (8bit):7.939223952673508
            Encrypted:false
            SSDEEP:6144:J7IDzCvnAXYv/i/8bA7r8ePZFz1Yxp1T:qOnSY3A807r8AZFz1UN
            MD5:DC0CB7051E536384DE28ED52AB92EA19
            SHA1:D145293DEE4F6A963FE964B44CB791F599265B52
            SHA-256:7180220E08967228A453E1076EFDEB42589456E4CB6F1D5C8F5765F1994A179C
            SHA-512:DD189821102FE517D24541F9D34C77F4210802B7B3FD089D0AA28090DFF719676325A8F886209B3CEE48AEA6149A67A4EC4C3C97E252EA7336F9E8EF4E36CD5E
            Malicious:false
            Preview: ........,.......................d.......4...................................................................................................................................................................................................................................................G...................j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
            C:\Users\user\AppData\Local\Temp\nsz6311.tmp\qm1tw12xr.dll
            Process:C:\Users\user\Desktop\PAYMENT SLIP.exe
            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):4608
            Entropy (8bit):3.7496483038392974
            Encrypted:false
            SSDEEP:48:Sa/T+kBvwunRLZ6AL0rpRVaS53RS9BNZYWrTZxZ4Vo:+kBvFLgALER8S53RS9dtng
            MD5:EE2F349BA112FE569BD9AB1368E65791
            SHA1:9CEB495D81A804E604111D98C1169B4A9B640510
            SHA-256:5A97B6F5313D875AE40429BB27D486F7B745EEFDF5C116E434DC08770923FA9F
            SHA-512:D4CD1A797307B4FC4D9C3E80979BDDE682F64931FCF6D9CFCAE333646A242C143C2F77D2D6A80E01452A614E7981339E7E17580871B48518DC71A58339970B64
            Malicious:false
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................................................................PE..L.....`...........!......................... ...............................@.......................................%..K.... ....................................................................................... ...............................text............................... ..`.rdata..+.... ......................@..@.data...&....0......................@...................................................................................................................................................................................................................................................................................................................................................................................................................................
            C:\Users\user\AppData\Local\Temp\p7nih0ok4yeyw5j9l
            Process:C:\Users\user\Desktop\PAYMENT SLIP.exe
            File Type:data
            Category:dropped
            Size (bytes):9733
            Entropy (8bit):7.976610510872038
            Encrypted:false
            SSDEEP:192:ttSk8it38myV0RlyqF61GDX8uuU078l07Ie73nOblxXLz7gUZW3E:/+UMmlzdjsv7CMz3ALzUl0
            MD5:B312481DDB4D93F427F4BFE952EC032F
            SHA1:A035A4ABF6D941F61F1427791B0121A4B400DB20
            SHA-256:E49684274A30B245C813044704EC5E9F4EB63163B6F0D18A969F5EC455240A2E
            SHA-512:E7697534D567B978BF4AD8AB015B3EA0CD39DC9A7EBF0DC77AF01075B797696895A8A4D5D52F834EC60DB877230353C99A7CD732AF023120079F1D3A889F513C
            Malicious:false
            Preview: )....... ....=...A.*.......itE eJyOy....1..q.n.*...u..=!{~.....Z#..R....{..Up....54o.........$.../2e..<._j....0.J1m.z;>.N....t...\ev....FI.....x.t7......!b.......[!$'....1,U..T.g.cP[.... ..!^.I.-...8...Dx{~..e.~69.J...w...w..x..2..X...&._+...#.~...%......S.._=@..........z'.K..hkn.z.\zu....9.3j."G.z...%..svIE.?..N.....Hmt..6...QN...0-0S.|...X.a../;f....,5.M......=.[G..DG*..r..q.be...0.T..psv....B}...%B....*...B.:..-I...P.t..W.....f6......|....8..4..H.aI....._.vD.....s.....^a..*l"......Oz.......~.....9<?..%.ID...l.|C..s....7..8v.r...Uj...k....=D..eOR...[.......O.iP..Y[^.mz.>.7SBY....4....5.e..+.c./........:&^...)*m.hu..t..8^3*..buvy.C.8%..$%(E....-.ABE...d0L.OPS..._ZK.....9...{|...........K.d......T....2...v.....l...#o%c.....}T!...........>?B..(..GUklo....v...:7.ky............4=D.\.H.B9V.Z=..N[.[R.l.,.........sG}.....<._.o...(T..,K.M.eAQP......%..........,..K.2......<.$.....:.....&'*.F.../`ST....f........a.......;....}~...h@-.H...M...;.
            C:\Users\user\AppData\Local\Temp\tmp3E70.tmp
            Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):1320
            Entropy (8bit):5.136963558289723
            Encrypted:false
            SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0mnc2xtn:cbk4oL600QydbQxIYODOLedq3ZLj
            MD5:AE766004C0D8792953BAFFFE8F6A2E3B
            SHA1:14B12F27543A401E2FE0AF8052E116CAB0032426
            SHA-256:1ABDD9B6A6B84E4BA1AF1282DC84CE276C59BA253F4C4AF05FEA498A4FD99540
            SHA-512:E530DA4A5D4336FC37838D0E93B5EB3804B9C489C71F6954A47FC81A4C655BB72EC493E109CF96E6E3617D7623AC80697AD3BBD5FFC6281BAFC8B34DCA5E6567
            Malicious:true
            Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
            C:\Users\user\AppData\Local\Temp\yj86kat5ru4v3qtvudmb
            Process:C:\Users\user\Desktop\PAYMENT SLIP.exe
            File Type:data
            Category:dropped
            Size (bytes):207872
            Entropy (8bit):7.998917498661265
            Encrypted:true
            SSDEEP:6144:j7IDzCvnAXYv/i/8bA7r8ePZFz1Yxp1TN:cOnSY3A807r8AZFz1UNN
            MD5:C9F8BAE9DBB880A3C8D3100855E94065
            SHA1:2F66D8691CD7E33C7F5026DD7DB102FAFD664C7B
            SHA-256:913B0E52C651B9BE1F4FA52EFCBC9FBE6471B805A9AD27D8DDC6FB5286D330E6
            SHA-512:797E0D7E5D502332A049816F1AAE2C17060698C11432C0639079D0F16C7C2DB3F9B3A9F07A101729723C621A8A3D96972A164768126990A73FF0D01DC255EA6C
            Malicious:false
            Preview: VG$....(.Y..e.C.6J.........Q..=.42..(..| >.`4...d......S+v._."......o./e.S......y7....J.Y.n3.?..hu..n.GB3.5YND...1.Z..p.h5.5...or."R..:.;.o.-.&5.W...VG.yX.+.PM...J....B....R.b....H?.l.......{.......N*.v...... .....o:..........qr...y....p~....yP.Y..d\.n.._..!...IE.VI*.....{v..>.%%...L..;^.(l8......jY..)..9Gw...S...7e........JLC...{...|XA.u.|.......I..\T.#........Zq..=.z.w.L;......../..R.%%7.jl.|C..jb..;ZcS..t..Gv..0.BK.|H.........q...7j..C.3?.6..b......D...G>...\FSX,.\9.|=.....AY..N.........Ir.R....9...K...,.<....;@aQpL....V.#.iU......q.z..F8.p5E..8.i........z%.T.P....,xv....z..WV..e..s....WB....B5....[....:d.=.V.P&7:....E......N.?.-..Ol..E....k.......j.[v..[..i..<3.A.....(-.a..Tq&..b.c)..=wFim..r.a.h.<..~..@P....4.t....5n..>...8....1.....q.P ...........6..w..2.Z~.vv.......:.I_m~V$..8S..Ce.g.$z.n....y... &.%'J.....A.....m.=:D[L..O..7....o.....N...b..F.P@.'..Mq@....].A'",'.zyP=....o.v.S...........`;.4.xZH.-7..h.J/....Pt........qT...
            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
            Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
            File Type:data
            Category:dropped
            Size (bytes):1856
            Entropy (8bit):7.089541637477408
            Encrypted:false
            SSDEEP:48:IknjhUknjhUknjhUknjhUknjhUknjhUknjhUknjhL:HjhDjhDjhDjhDjhDjhDjhDjhL
            MD5:30D23CC577A89146961915B57F408623
            SHA1:9B5709D6081D8E0A570511E6E0AAE96FA041964F
            SHA-256:E2130A72E55193D402B5F43F7F3584ECF6B423F8EC4B1B1B69AD693C7E0E5A9E
            SHA-512:2D5C5747FD04F8326C2CC1FB313925070BC01D3352AFA6C36C167B72757A15F58B6263D96BD606338DA055812E69DDB628A6E18D64DD59697C2F42D1C58CC687
            Malicious:false
            Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.
            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
            Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
            File Type:International EBCDIC text, with NEL line terminators
            Category:dropped
            Size (bytes):8
            Entropy (8bit):3.0
            Encrypted:false
            SSDEEP:3:bAt:U
            MD5:C2A50EDC6F6D3A2C5183544FFC6B36FE
            SHA1:41213577BDE2E7AD795F79D2747EA7B4FEBE44B7
            SHA-256:1105EDFF279035C252F149FAD0058E533177E1C4CD1525278187C168572D8A9B
            SHA-512:01C57FEEAE764B4541AF6078BFDB3C2C4599DC2E2063279507AA84B7C0DB11771E504A6437A8848B0EF30AB8BA3D2A10A4E06C4354DF8184BD8C6156E1413FCC
            Malicious:true
            Preview: \N..K..H
            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
            Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):57
            Entropy (8bit):4.85263908467479
            Encrypted:false
            SSDEEP:3:oMty8WbSI1u:oMLWuI1u
            MD5:A35128E4E28B27328F70E4E8FF482443
            SHA1:B89066B2F8DB34299AABFD7ABEE402D5444DD079
            SHA-256:88AEA00733DC4B570A29D56A423CC5BF163E5ACE7AF349972EB0BBA8D9AD06E1
            SHA-512:F098E844B5373B34642B49B6E0F2E15CFDAA1A8B6CABC2196CEC0F3765289E5B1FD4AB588DD65F97C8E51FA9A81077621E9A06946859F296904C646906A70F33
            Malicious:false
            Preview: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
            C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe
            Process:C:\Users\user\Desktop\PAYMENT SLIP.exe
            File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
            Category:dropped
            Size (bytes):259286
            Entropy (8bit):7.914777825531565
            Encrypted:false
            SSDEEP:6144:kgORaiLT/dr9odWD2AHR5onxnn/UHDV8m0RjPwCytV:kgmLT/vodYR5gnn/i0RjPjc
            MD5:50C9D58F61950484825D85A9A1372A7D
            SHA1:79DF49A23AF28B6322F1FA461167B1145FC927DE
            SHA-256:80726D3E380E4A7D0D1EEE7F352C4A319E70DD4355A1A4F02AB27BABC1A13D15
            SHA-512:AC470694F9CA70CF8EB1A87604AE03E9F521FA413AA2D78F411AF4B7F60BC8CF346C2C69F30E083AA6F34E32041012F295DCF6BDAD378E1A2A8CD6D2E9FC066D
            Malicious:true
            Antivirus:
            • Antivirus: Joe Sandbox ML, Detection: 100%
            • Antivirus: ReversingLabs, Detection: 43%
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....$_.................f...*.......5............@.......................................@.............................................P............................................................................................................text...re.......f.................. ..`.rdata...............j..............@..@.data...x............~..............@....ndata...................................rsrc...P...........................@..@................................................................................................................................................................................................................................................................................................................................................
            \Device\ConDrv
            Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):235
            Entropy (8bit):5.107306146099542
            Encrypted:false
            SSDEEP:6:zx3M1tlAX8bSWR30qysGMQbSVRRZBXVRbJ0fFPRAgRYan:zK1XnV30ZsGMIG9BFRbQ5AUYan
            MD5:67DDD8252A246E7B14649B0063E351C0
            SHA1:AAE1C6839D1CC4A626D0FB2D4773823AD209FA17
            SHA-256:24C8283BA3F7FCA2E4CEF6F141263DD1E8A36E5A5CD96A97BFE83525D7663116
            SHA-512:326A5E0A440F60D4808C91499F1F3616C496B67DC053B4A2A40B0FE09002074AE5365018781F8746E98E7E3CFCD35F1310D17FB7C2138A8157318E6791987025
            Malicious:false
            Preview: Microsoft (R) Build Engine Version 2.0.50727.8922..[Microsoft .NET Framework, Version 2.0.50727.8922]..Copyright (C) Microsoft Corporation 2005. All rights reserved.....MSBUILD : error MSB1009: Project file does not exist...Switch: 0..
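The dropped-file listing above is flat text: a path, then Key:Value lines, repeated. Read as a whole it says more than any single record: the 4608-byte qm1tw12xr.dll and the 227087-byte data blob are written again under a fresh ns*.tmp directory each time the NSIS stub runs (by PAYMENT SLIP.exe and by its copy hmhrpib.exe), so the path is useless as an indicator while the SHA-256 is stable; and the "dropped" hmhrpib.exe carries the SHA-256 of PAYMENT SLIP.exe itself, i.e. it is a byte-identical persistence copy. The Python below is an added example, not part of the Joe Sandbox report: it parses a constructed excerpt of the listing (four of the records above copied verbatim, with the SSDEEP, MD5, SHA1, SHA-512, Entropy and Preview fields left out), collapses records by hash, lists the plugin-directory drops, and reports the self-copy. The field-name set and the ns*.tmp regex (NSIS unpacks plugins into a per-run Temp\ns<hex>.tmp directory) are my assumptions about the report layout, not something the report states.

```python
import re

# Constructed excerpt of this report's dropped-file records (verbatim, fields trimmed).
SAMPLE = r"""
C:\Users\user\AppData\Local\Temp\nsb1C63.tmp\qm1tw12xr.dll
Process:C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Size (bytes):4608
SHA-256:5A97B6F5313D875AE40429BB27D486F7B745EEFDF5C116E434DC08770923FA9F
Malicious:false
C:\Users\user\AppData\Local\Temp\nshD279.tmp\qm1tw12xr.dll
Process:C:\Users\user\Desktop\PAYMENT SLIP.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Size (bytes):4608
SHA-256:5A97B6F5313D875AE40429BB27D486F7B745EEFDF5C116E434DC08770923FA9F
Malicious:false
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
File Type:International EBCDIC text, with NEL line terminators
Size (bytes):8
SHA-256:1105EDFF279035C252F149FAD0058E533177E1C4CD1525278187C168572D8A9B
Malicious:true
C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe
Process:C:\Users\user\Desktop\PAYMENT SLIP.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Size (bytes):259286
SHA-256:80726D3E380E4A7D0D1EEE7F352C4A319E70DD4355A1A4F02AB27BABC1A13D15
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 43%
"""

# SHA-256 of PAYMENT SLIP.exe as given in the Static File Info section.
SAMPLE_SHA256 = "80726d3e380e4a7d0d1eee7f352c4a319e70dd4355a1a4f02ab27babc1a13d15"

# Keys the report prints under each path (assumed from this page's layout);
# a line whose prefix is not one of these opens a new record.
FIELD_KEYS = {"Process", "File Type", "Category", "Size (bytes)", "Entropy (8bit)", "Encrypted",
              "SSDEEP", "MD5", "SHA1", "SHA-256", "SHA-512", "Malicious", "Antivirus", "Preview"}

# NSIS unpacks its plugin DLLs into a per-run %TEMP%\ns<hex>.tmp directory (assumed pattern).
NSIS_PLUGIN_DIR = re.compile(r"\\AppData\\Local\\Temp\\ns[0-9A-Za-z]+\.tmp\\", re.IGNORECASE)


def parse_records(text):
    """Turn the flat 'path / Key:Value ...' listing into one dict per dropped file."""
    records, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.startswith("•"):                      # '• Antivirus: Vendor, Detection: N%'
            if cur is not None:
                cur["av"].append(line.lstrip("• ").partition(":")[2].strip())
            continue
        key, sep, value = line.partition(":")
        if sep and key in FIELD_KEYS and cur is not None:
            cur[key] = value.strip()
        else:                                         # a path (or \Device\ConDrv) starts a record
            cur = {"path": line, "av": []}
            records.append(cur)
    for r in records:                                 # typed views of the fields we reason about
        r["size"] = int(r.get("Size (bytes)", 0))
        r["malicious"] = r.get("Malicious", "false") == "true"
        r["sha256"] = r.get("SHA-256", "").lower()
    return records


def unique_artifacts(records):
    """Collapse drops of identical bytes (same SHA-256) into one artifact with all its paths."""
    arts = {}
    for r in records:
        a = arts.setdefault(r["sha256"], {"size": r["size"], "paths": [], "droppers": set(),
                                          "malicious": False, "av": []})
        a["paths"].append(r["path"])
        a["droppers"].add(r.get("Process", ""))
        a["malicious"] = a["malicious"] or r["malicious"]
        a["av"] += r["av"]
    return arts


def nsis_plugin_drops(records):
    """Paths written into the throwaway ns*.tmp plugin directory (random per run)."""
    return [r["path"] for r in records if NSIS_PLUGIN_DIR.search(r["path"])]


def self_copies(records, sample_sha256):
    """'Dropped' files that are byte-for-byte the analysed sample: persistence copies."""
    return [r["path"] for r in records if r["sha256"] == sample_sha256.lower()]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for sha, a in unique_artifacts(recs).items():
        print(sha[:16], a["size"], "malicious" if a["malicious"] else "-", len(a["paths"]), "path(s)")
    print("plugin-dir drops:", nsis_plugin_drops(recs))
    print("copies of the sample:", self_copies(recs, SAMPLE_SHA256))
```

Run against the full listing, the same code reduces the thirty-odd records to a handful of distinct artifacts; the stable indicators to carry forward are the hashes and the persistence locations (the tteegmiuoefs\hmhrpib.exe copy and the GUID-named Roaming directory written by the MSBuild.exe host), not the ns*.tmp paths.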

            Static File Info

            General

            File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
            Entropy (8bit):7.914777825531565
            TrID:
            • Win32 Executable (generic) a (10002005/4) 99.96%
            • Generic Win/DOS Executable (2004/3) 0.02%
            • DOS Executable Generic (2002/1) 0.02%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:PAYMENT SLIP.exe
            File size:259286
            MD5:50c9d58f61950484825d85a9a1372a7d
            SHA1:79df49a23af28b6322f1fa461167b1145fc927de
            SHA256:80726d3e380e4a7d0d1eee7f352c4a319e70dd4355a1a4f02ab27babc1a13d15
            SHA512:ac470694f9ca70cf8eb1a87604ae03e9f521fa413aa2d78f411af4b7f60bc8cf346c2c69f30e083aa6f34e32041012f295dcf6bdad378e1a2a8cd6d2e9fc066d
            SSDEEP:6144:kgORaiLT/dr9odWD2AHR5onxnn/UHDV8m0RjPwCytV:kgmLT/vodYR5gnn/i0RjPjc
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....$_.................f...*.....

            File Icon

            Icon Hash:b2a88c96b2ca6a72

            Static PE Info

            General

            Entrypoint:0x4035d8
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Time Stamp:0x5F24D702 [Sat Aug 1 02:44:18 2020 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:c05041e01f84e1ccca9c4451f3b6a383

            Entrypoint Preview

            Instruction
            sub esp, 000002D4h
            push ebx
            push esi
            push edi
            push 00000020h
            pop edi
            xor ebx, ebx
            push 00008001h
            mov dword ptr [esp+14h], ebx
            mov dword ptr [esp+10h], 0040A230h
            mov dword ptr [esp+1Ch], ebx
            call dword ptr [004080C8h]
            call dword ptr [004080CCh]
            and eax, BFFFFFFFh
            cmp ax, 00000006h
            mov dword ptr [0042A26Ch], eax
            je 00007FBFD4F753F3h
            push ebx
            call 00007FBFD4F786F9h
            cmp eax, ebx
            je 00007FBFD4F753E9h
            push 00000C00h
            call eax
            mov esi, 004082B0h
            push esi
            call 00007FBFD4F78673h
            push esi
            call dword ptr [00408154h]
            lea esi, dword ptr [esi+eax+01h]
            cmp byte ptr [esi], 00000000h
            jne 00007FBFD4F753CCh
            push 0000000Bh
            call 00007FBFD4F786CCh
            push 00000009h
            call 00007FBFD4F786C5h
            push 00000007h
            mov dword ptr [0042A264h], eax
            call 00007FBFD4F786B9h
            cmp eax, ebx
            je 00007FBFD4F753F1h
            push 0000001Eh
            call eax
            test eax, eax
            je 00007FBFD4F753E9h
            or byte ptr [0042A26Fh], 00000040h
            push ebp
            call dword ptr [00408038h]
            push ebx
            call dword ptr [00408298h]
            mov dword ptr [0042A338h], eax
            push ebx
            lea eax, dword ptr [esp+34h]
            push 000002B4h
            push eax
            push ebx
            push 00421708h
            call dword ptr [0040818Ch]
            push 0040A384h

            Rich Headers

            Programming Language:
            • [EXP] VC++ 6.0 SP5 build 8804

            Data Directories

            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8504 | 0xa0 | .rdata
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3b000 | 0xa50 | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

            Sections

            Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            .text | 0x1000 | 0x6572 | 0x6600 | False | 0.662300857843 | data | 6.45391938596 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            .rdata | 0x8000 | 0x1398 | 0x1400 | False | 0.449609375 | data | 5.13671758274 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .data | 0xa000 | 0x20378 | 0x600 | False | 0.5078125 | data | 4.09680908363 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
            .ndata | 0x2b000 | 0x10000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .rsrc | 0x3b000 | 0xa50 | 0xc00 | False | 0.402994791667 | data | 4.18988587465 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

            Resources

            Name | RVA | Size | Type | Language | Country
            RT_ICON | 0x3b190 | 0x2e8 | data | English | United States
            RT_DIALOG | 0x3b478 | 0x100 | data | English | United States
            RT_DIALOG | 0x3b578 | 0x11c | data | English | United States
            RT_DIALOG | 0x3b698 | 0x60 | data | English | United States
            RT_GROUP_ICON | 0x3b6f8 | 0x14 | data | English | United States
            RT_MANIFEST | 0x3b710 | 0x340 | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

            Imports

            DLL | Import
            ADVAPI32.dll | RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
            SHELL32.dll | SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
            ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
            COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
            USER32.dll | GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, SetWindowPos, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
            GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
            KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersion, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, ExitProcess, CopyFileW, GetCurrentProcess, GetModuleFileNameW, GetFileSize, CreateFileW, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW

            Possible Origin

            Language of compilation system | Country where language is spoken
            English | United States

            Network Behavior

            Snort IDS Alerts

            Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
            05/12/21-15:41:34.548350 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49745 | 3030 | 192.168.2.4 | 23.254.130.71
            05/12/21-15:41:41.843567 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49746 | 3030 | 192.168.2.4 | 23.254.130.71
            05/12/21-15:41:46.571158 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49747 | 3030 | 192.168.2.4 | 23.254.130.71
            05/12/21-15:41:51.395995 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49748 | 3030 | 192.168.2.4 | 23.254.130.71
            05/12/21-15:41:56.069794 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49750 | 3030 | 192.168.2.4 | 23.254.130.71
            05/12/21-15:42:00.757206 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49755 | 3030 | 192.168.2.4 | 23.254.130.71
            05/12/21-15:42:05.426115 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49763 | 3030 | 192.168.2.4 | 23.254.130.71
            05/12/21-15:42:11.653205 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49769 | 3030 | 192.168.2.4 | 23.254.130.71
            05/12/21-15:42:19.087468 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49770 | 3030 | 192.168.2.4 | 23.254.130.71
            05/12/21-15:42:25.331297 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49771 | 3030 | 192.168.2.4 | 23.254.130.71
            05/12/21-15:42:31.561598 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49772 | 3030 | 192.168.2.4 | 23.254.130.71
            05/12/21-15:42:38.561876 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49773 | 3030 | 192.168.2.4 | 23.254.130.71
            05/12/21-15:42:44.823846 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49777 | 3030 | 192.168.2.4 | 23.254.130.71
            05/12/21-15:42:49.508873 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49778 | 3030 | 192.168.2.4 | 23.254.130.71
            05/12/21-15:42:54.396373 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49779 | 3030 | 192.168.2.4 | 23.254.130.71
            05/12/21-15:43:02.640724 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49780 | 3030 | 192.168.2.4 | 23.254.130.71
            05/12/21-15:43:07.360825 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49781 | 3030 | 192.168.2.4 | 23.254.130.71

            Network Port Distribution

            TCP Packets


            UDP Packets


            DNS Queries

            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
            May 12, 2021 15:41:34.259408951 CEST | 192.168.2.4 | 8.8.8.8 | 0xaa10 | Standard query (0) | seaudo.hopto.org | A (IP address) | IN (0x0001)
            May 12, 2021 15:41:41.593622923 CEST | 192.168.2.4 | 8.8.8.8 | 0x15dd | Standard query (0) | seaudo.hopto.org | A (IP address) | IN (0x0001)
            May 12, 2021 15:41:46.336102009 CEST | 192.168.2.4 | 8.8.8.8 | 0x49fd | Standard query (0) | seaudo.hopto.org | A (IP address) | IN (0x0001)
            May 12, 2021 15:41:51.142338037 CEST | 192.168.2.4 | 8.8.8.8 | 0x7b21 | Standard query (0) | seaudo.hopto.org | A (IP address) | IN (0x0001)
            May 12, 2021 15:41:55.850594044 CEST | 192.168.2.4 | 8.8.8.8 | 0x1687 | Standard query (0) | seaudo.hopto.org | A (IP address) | IN (0x0001)
            May 12, 2021 15:42:00.509931087 CEST | 192.168.2.4 | 8.8.8.8 | 0x958c | Standard query (0) | seaudo.hopto.org | A (IP address) | IN (0x0001)
            May 12, 2021 15:42:05.186784983 CEST | 192.168.2.4 | 8.8.8.8 | 0x1b63 | Standard query (0) | seaudo.hopto.org | A (IP address) | IN (0x0001)
            May 12, 2021 15:42:11.425129890 CEST | 192.168.2.4 | 8.8.8.8 | 0x6ee1 | Standard query (0) | seaudo.hopto.org | A (IP address) | IN (0x0001)
            May 12, 2021 15:42:18.821676016 CEST | 192.168.2.4 | 8.8.8.8 | 0x780a | Standard query (0) | seaudo.hopto.org | A (IP address) | IN (0x0001)
            May 12, 2021 15:42:25.091231108 CEST | 192.168.2.4 | 8.8.8.8 | 0x4ab5 | Standard query (0) | seaudo.hopto.org | A (IP address) | IN (0x0001)
            May 12, 2021 15:42:31.332638025 CEST | 192.168.2.4 | 8.8.8.8 | 0xcf2f | Standard query (0) | seaudo.hopto.org | A (IP address) | IN (0x0001)
            May 12, 2021 15:42:38.191953897 CEST | 192.168.2.4 | 8.8.8.8 | 0x9831 | Standard query (0) | seaudo.hopto.org | A (IP address) | IN (0x0001)
            May 12, 2021 15:42:44.560812950 CEST | 192.168.2.4 | 8.8.8.8 | 0xb990 | Standard query (0) | seaudo.hopto.org | A (IP address) | IN (0x0001)
            May 12, 2021 15:42:49.266288042 CEST | 192.168.2.4 | 8.8.8.8 | 0xdd77 | Standard query (0) | seaudo.hopto.org | A (IP address) | IN (0x0001)
            May 12, 2021 15:42:54.101478100 CEST | 192.168.2.4 | 8.8.8.8 | 0x5c0f | Standard query (0) | seaudo.hopto.org | A (IP address) | IN (0x0001)
            May 12, 2021 15:43:02.405359030 CEST | 192.168.2.4 | 8.8.8.8 | 0x28cd | Standard query (0) | seaudo.hopto.org | A (IP address) | IN (0x0001)
            May 12, 2021 15:43:07.135113955 CEST | 192.168.2.4 | 8.8.8.8 | 0xaa22 | Standard query (0) | seaudo.hopto.org | A (IP address) | IN (0x0001)

            DNS Answers

            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
            May 12, 2021 15:41:34.319515944 CEST | 8.8.8.8 | 192.168.2.4 | 0xaa10 | No error (0) | seaudo.hopto.org | | 23.254.130.71 | A (IP address) | IN (0x0001)
            May 12, 2021 15:41:41.655122995 CEST | 8.8.8.8 | 192.168.2.4 | 0x15dd | No error (0) | seaudo.hopto.org | | 23.254.130.71 | A (IP address) | IN (0x0001)
            May 12, 2021 15:41:46.398098946 CEST | 8.8.8.8 | 192.168.2.4 | 0x49fd | No error (0) | seaudo.hopto.org | | 23.254.130.71 | A (IP address) | IN (0x0001)
            May 12, 2021 15:41:51.202563047 CEST | 8.8.8.8 | 192.168.2.4 | 0x7b21 | No error (0) | seaudo.hopto.org | | 23.254.130.71 | A (IP address) | IN (0x0001)
            May 12, 2021 15:41:55.899343967 CEST | 8.8.8.8 | 192.168.2.4 | 0x1687 | No error (0) | seaudo.hopto.org | | 23.254.130.71 | A (IP address) | IN (0x0001)
            May 12, 2021 15:42:00.569497108 CEST | 8.8.8.8 | 192.168.2.4 | 0x958c | No error (0) | seaudo.hopto.org | | 23.254.130.71 | A (IP address) | IN (0x0001)
            May 12, 2021 15:42:05.250067949 CEST | 8.8.8.8 | 192.168.2.4 | 0x1b63 | No error (0) | seaudo.hopto.org | | 23.254.130.71 | A (IP address) | IN (0x0001)
            May 12, 2021 15:42:11.482409954 CEST | 8.8.8.8 | 192.168.2.4 | 0x6ee1 | No error (0) | seaudo.hopto.org | | 23.254.130.71 | A (IP address) | IN (0x0001)
            May 12, 2021 15:42:18.879184008 CEST | 8.8.8.8 | 192.168.2.4 | 0x780a | No error (0) | seaudo.hopto.org | | 23.254.130.71 | A (IP address) | IN (0x0001)
            May 12, 2021 15:42:25.154309034 CEST | 8.8.8.8 | 192.168.2.4 | 0x4ab5 | No error (0) | seaudo.hopto.org | | 23.254.130.71 | A (IP address) | IN (0x0001)
            May 12, 2021 15:42:31.389828920 CEST | 8.8.8.8 | 192.168.2.4 | 0xcf2f | No error (0) | seaudo.hopto.org | | 23.254.130.71 | A (IP address) | IN (0x0001)
            May 12, 2021 15:42:38.251568079 CEST | 8.8.8.8 | 192.168.2.4 | 0x9831 | No error (0) | seaudo.hopto.org | | 23.254.130.71 | A (IP address) | IN (0x0001)
            May 12, 2021 15:42:44.619924068 CEST | 8.8.8.8 | 192.168.2.4 | 0xb990 | No error (0) | seaudo.hopto.org | | 23.254.130.71 | A (IP address) | IN (0x0001)
            May 12, 2021 15:42:49.323539972 CEST | 8.8.8.8 | 192.168.2.4 | 0xdd77 | No error (0) | seaudo.hopto.org | | 23.254.130.71 | A (IP address) | IN (0x0001)
            May 12, 2021 15:42:54.160172939 CEST | 8.8.8.8 | 192.168.2.4 | 0x5c0f | No error (0) | seaudo.hopto.org | | 23.254.130.71 | A (IP address) | IN (0x0001)
            May 12, 2021 15:43:02.468023062 CEST | 8.8.8.8 | 192.168.2.4 | 0x28cd | No error (0) | seaudo.hopto.org | | 23.254.130.71 | A (IP address) | IN (0x0001)
            May 12, 2021 15:43:07.192173004 CEST | 8.8.8.8 | 192.168.2.4 | 0xaa22 | No error (0) | seaudo.hopto.org | | 23.254.130.71 | A (IP address) | IN (0x0001)

            Code Manipulations

            Statistics

            Behavior

            System Behavior

            General

            Start time:15:41:03
            Start date:12/05/2021
            Path:C:\Users\user\Desktop\PAYMENT SLIP.exe
            Wow64 process (32bit):true
            Commandline:'C:\Users\user\Desktop\PAYMENT SLIP.exe'
            Imagebase:0x400000
            File size:259286 bytes
            MD5 hash:50C9D58F61950484825D85A9A1372A7D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.665787151.0000000002400000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.665787151.0000000002400000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.665787151.0000000002400000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.665787151.0000000002400000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            Reputation:low

            General

            Start time:15:41:09
            Start date:12/05/2021
            Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
            Wow64 process (32bit):false
            Commandline:'C:\Users\user\Desktop\PAYMENT SLIP.exe'
            Imagebase:0x70000
            File size:69632 bytes
            MD5 hash:88BBB7610152B48C2B3879473B17857E
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:moderate

            General

            Start time:15:41:13
            Start date:12/05/2021
            Path:C:\Users\user\Desktop\PAYMENT SLIP.exe
            Wow64 process (32bit):true
            Commandline:'C:\Users\user\Desktop\PAYMENT SLIP.exe'
            Imagebase:0x400000
            File size:259286 bytes
            MD5 hash:50C9D58F61950484825D85A9A1372A7D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.693808017.0000000003160000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.693808017.0000000003160000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.693808017.0000000003160000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000006.00000002.693808017.0000000003160000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            Reputation:low

            General

            Start time:15:41:20
            Start date:12/05/2021
            Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
            Wow64 process (32bit):false
            Commandline:'C:\Users\user\Desktop\PAYMENT SLIP.exe'
            Imagebase:0x1f0000
            File size:69632 bytes
            MD5 hash:88BBB7610152B48C2B3879473B17857E
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:moderate

            General

            Start time:15:41:21
            Start date:12/05/2021
            Path:C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe
            Wow64 process (32bit):true
            Commandline:'C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe'
            Imagebase:0x400000
            File size:259286 bytes
            MD5 hash:50C9D58F61950484825D85A9A1372A7D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.706739434.0000000002F30000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.706739434.0000000002F30000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.706739434.0000000002F30000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000008.00000002.706739434.0000000002F30000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            Antivirus matches:
            • Detection: 100%, Joe Sandbox ML
            • Detection: 43%, ReversingLabs
            Reputation:low

            General

            Start time:15:41:26
            Start date:12/05/2021
            Path:C:\Users\user\Desktop\PAYMENT SLIP.exe
            Wow64 process (32bit):true
            Commandline:'C:\Users\user\Desktop\PAYMENT SLIP.exe'
            Imagebase:0x400000
            File size:259286 bytes
            MD5 hash:50C9D58F61950484825D85A9A1372A7D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.723894048.00000000024E0000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.723894048.00000000024E0000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.723894048.00000000024E0000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.723894048.00000000024E0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            Reputation:low

            General

            Start time:15:41:28
            Start date:12/05/2021
            Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
            Wow64 process (32bit):true
            Commandline:'C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe'
            Imagebase:0xec0000
            File size:69632 bytes
            MD5 hash:88BBB7610152B48C2B3879473B17857E
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Yara matches:
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.911350836.00000000044FF000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.910500149.0000000001830000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.910500149.0000000001830000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.909856080.0000000001450000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.909856080.0000000001450000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.910512551.0000000001840000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.910512551.0000000001840000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.909818098.0000000001420000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.909818098.0000000001420000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.910417181.00000000017D0000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.910417181.00000000017D0000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.914312313.00000000061A0000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.914312313.00000000061A0000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.914312313.00000000061A0000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.910472948.0000000001810000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.910472948.0000000001810000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.909835016.0000000001430000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.909835016.0000000001430000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.911646592.000000000485A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.910378079.00000000017A0000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.910378079.00000000017A0000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.910442224.00000000017F0000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.910442224.00000000017F0000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.910984817.00000000034F4000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.910406423.00000000017C0000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.910406423.00000000017C0000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.910536260.0000000001870000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.910536260.0000000001870000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.912631638.0000000005810000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.912631638.0000000005810000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.910428872.00000000017E0000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.910428872.00000000017E0000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.909543177.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.909543177.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.909543177.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            Reputation:moderate

            General

            Start time:15:41:30
            Start date:12/05/2021
            Path:C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe
            Wow64 process (32bit):true
            Commandline:'C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe'
            Imagebase:0x400000
            File size:259286 bytes
            MD5 hash:50C9D58F61950484825D85A9A1372A7D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.732908055.0000000002F30000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.732908055.0000000002F30000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.732908055.0000000002F30000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.732908055.0000000002F30000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            Reputation:low

            General

            Start time:15:41:31
            Start date:12/05/2021
            Path:C:\Windows\SysWOW64\schtasks.exe
            Wow64 process (32bit):true
            Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp3E70.tmp'
            Imagebase:0x1390000
            File size:185856 bytes
            MD5 hash:15FF7D8324231381BAD48A052F85DF04
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:15:41:32
            Start date:12/05/2021
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff724c50000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:15:41:32
            Start date:12/05/2021
            Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
            Wow64 process (32bit):false
            Commandline:'C:\Users\user\Desktop\PAYMENT SLIP.exe'
            Imagebase:0x120000
            File size:69632 bytes
            MD5 hash:88BBB7610152B48C2B3879473B17857E
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:moderate

            General

            Start time:15:41:34
            Start date:12/05/2021
            Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 0
            Imagebase:0x870000
            File size:69632 bytes
            MD5 hash:88BBB7610152B48C2B3879473B17857E
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Reputation:moderate

            General

            Start time:15:41:35
            Start date:12/05/2021
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff724c50000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:15:41:37
            Start date:12/05/2021
            Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
            Wow64 process (32bit):true
            Commandline:'C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe'
            Imagebase:0xa30000
            File size:69632 bytes
            MD5 hash:88BBB7610152B48C2B3879473B17857E
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Yara matches:
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.745550001.00000000040B1000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000013.00000002.745550001.00000000040B1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.745514113.00000000030B1000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000013.00000002.745514113.00000000030B1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.744233608.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.744233608.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000013.00000002.744233608.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            Reputation:moderate

            General

            Start time:15:41:38
            Start date:12/05/2021
            Path:C:\Users\user\Desktop\PAYMENT SLIP.exe
            Wow64 process (32bit):true
            Commandline:'C:\Users\user\Desktop\PAYMENT SLIP.exe'
            Imagebase:0x400000
            File size:259286 bytes
            MD5 hash:50C9D58F61950484825D85A9A1372A7D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000002.745571478.0000000003050000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000014.00000002.745571478.0000000003050000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.745571478.0000000003050000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000014.00000002.745571478.0000000003050000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            Reputation:low

            General

            Start time:15:41:46
            Start date:12/05/2021
            Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
            Wow64 process (32bit):true
            Commandline:'C:\Users\user\Desktop\PAYMENT SLIP.exe'
            Imagebase:0x910000
            File size:69632 bytes
            MD5 hash:88BBB7610152B48C2B3879473B17857E
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Yara matches:
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000002.762297835.0000000002F11000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000016.00000002.762297835.0000000002F11000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000002.762317389.0000000003F11000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000016.00000002.762317389.0000000003F11000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000016.00000002.753927401.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000002.753927401.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000016.00000002.753927401.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            Reputation:moderate
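
            Three things in the process list above are worth turning into detection logic. Every MSBuild.exe instance except the one started as 'MSBuild.exe 0' reports the command line of PAYMENT SLIP.exe or hmhrpib.exe rather than its own, which is the residue of RunPE-style hollowing: the injector creates the host with its own command line, and that string is what the sandbox reads back from the new process. The sample also reappears, hash-identical (MD5 50C9D58F...), as C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe, and it registers a scheduled task named 'DHCP Monitor' from an XML file in the user's Temp directory. The script below is an added example, not part of the report, that encodes those three checks and runs them over a subset of the process records above, re-typed as constructed (time, image, command line, MD5) tuples. Rule names, the user-directory list and the dedup logic are the author's choices.

```python
import ntpath

# Process-creation records constructed from a subset of the process list in the report:
# (start time, image path, command line as the sandbox rendered it, MD5 of the image).
EVENTS = [
    ("15:41:03", r"C:\Users\user\Desktop\PAYMENT SLIP.exe",
     r"'C:\Users\user\Desktop\PAYMENT SLIP.exe'", "50C9D58F61950484825D85A9A1372A7D"),
    ("15:41:09", r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe",
     r"'C:\Users\user\Desktop\PAYMENT SLIP.exe'", "88BBB7610152B48C2B3879473B17857E"),
    ("15:41:21", r"C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe",
     r"'C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe'", "50C9D58F61950484825D85A9A1372A7D"),
    ("15:41:28", r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe",
     r"'C:\Users\user\AppData\Roaming\tteegmiuoefs\hmhrpib.exe'", "88BBB7610152B48C2B3879473B17857E"),
    ("15:41:31", r"C:\Windows\SysWOW64\schtasks.exe",
     r"'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp3E70.tmp'",
     "15FF7D8324231381BAD48A052F85DF04"),
    ("15:41:32", r"C:\Windows\System32\conhost.exe",
     r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", "EA777DEEA782E8B4D7C7C33BBF8A4496"),
    ("15:41:34", r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe",
     r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 0", "88BBB7610152B48C2B3879473B17857E"),
]

# Directories a mailed lure is usually launched from (author's assumption).
USER_DROP_DIRS = ("\\desktop\\", "\\downloads\\")


def first_token(cmdline):
    """Executable part of a command line. Honours a leading quoted path; the sandbox
    renders quotes as ' while live Windows telemetry uses ", so both are accepted."""
    s = cmdline.strip()
    if s and s[0] in "'\"":
        end = s.find(s[0], 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(None, 1)[0] if s else ""


def detect(events):
    """Return (rule, subject, detail) tuples for the three behaviours described above."""
    findings = []
    lure_hashes = {}        # md5 -> first image path seen in a user-facing directory
    reported_copies = set()
    for start, image, cmdline, md5 in events:
        img_name = ntpath.basename(image).lower()
        img_dir = ntpath.dirname(image).lower() + "\\"
        cmd_low = cmdline.lower()

        # Rule 1: the command line names a different executable than the running image.
        # A legitimate MSBuild.exe carries its own path as argv[0]; a hollowed one
        # carries whatever the injector passed to CreateProcess.
        target = ntpath.basename(first_token(cmdline)).lower()
        if target and target != img_name:
            findings.append(("hollowed_host", image, cmdline))

        # Rule 2: scheduled task imported from an XML file that lives in a Temp directory.
        if (img_name == "schtasks.exe" and "/create" in cmd_low
                and "/xml" in cmd_low and "\\temp\\" in cmd_low):
            findings.append(("schtasks_xml_persistence", image, cmdline))

        # Rule 3: a hash-identical copy of a lure later runs from under %AppData%.
        if any(d in img_dir for d in USER_DROP_DIRS):
            lure_hashes.setdefault(md5.lower(), image)
        elif ("\\appdata\\" in img_dir and md5.lower() in lure_hashes
                and image.lower() not in reported_copies):
            reported_copies.add(image.lower())
            findings.append(("self_copy_persistence", image, lure_hashes[md5.lower()]))
    return findings


if __name__ == "__main__":
    for rule, subject, detail in detect(EVENTS):
        print(f"{rule:26} {subject}")
        print(f"{'':26} {detail}")
```

            Run over the seven records it produces four findings: the two MSBuild.exe hosts carrying a foreign command line, the hmhrpib.exe copy tied back to PAYMENT SLIP.exe by hash, and the schtasks import. conhost.exe and the 'MSBuild.exe 0' instance pass all three rules, which is the intended behaviour: a command line that starts with the image's own path is not evidence of hollowing on its own.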

            Disassembly

            Code Analysis
