Windows Analysis Report 039846H0INVOICERECEIPT.exe

Overview

General Information

Sample Name: 039846H0INVOICERECEIPT.exe
Analysis ID: 551967
MD5: 3ba78ed2e621b7bb47778ec2567df223
SHA1: d735536d9984db49348e636d13ca0779d76b5d11
SHA256: 329def14e6fa2aa0786df6501894efe890f27d250160397a16740a0bc731e967
Tags: exe, NanoCoreRAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Detected Nanocore Rat
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Detected unpacking (creates a PE file in dynamic memory)
Initial sample is a PE file and has a suspicious name
.NET source code contains potential unpacker
Injects a PE file into a foreign process
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses dynamic DNS services
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard

Classification

AV Detection:

Found malware configuration
Source: 00000001.00000002.508341763.0000000003962000.00000004.00000001.sdmp Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "c6aea8ec-42ab-4933-970f-cf8fecc5", "Group": "", "Domain1": "girlhomejan6100.duckdns.org", "Domain2": "girlhomejan6100.duckdns.org", "Port": 6100, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe ReversingLabs: Detection: 32%
Yara detected Nanocore RAT
Source: Yara match File source: 0.2.039846H0INVOICERECEIPT.exe.31b1458.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.anlq.exe.3ad5495.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.039846H0INVOICERECEIPT.exe.31b1458.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.anlq.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.anlq.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.anlq.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.anlq.exe.6318c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.anlq.exe.3a53258.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.039846H0INVOICERECEIPT.exe.31a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.039846H0INVOICERECEIPT.exe.6837e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.039846H0INVOICERECEIPT.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.anlq.exe.415058.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.anlq.exe.22a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.anlq.exe.3ad0e6c.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.anlq.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.anlq.exe.415058.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.anlq.exe.3ad0e6c.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.anlq.exe.2481458.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.039846H0INVOICERECEIPT.exe.390a822.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.anlq.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.039846H0INVOICERECEIPT.exe.415058.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.anlq.exe.3a53258.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.anlq.exe.2470000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.anlq.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.anlq.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.039846H0INVOICERECEIPT.exe.415058.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.039846H0INVOICERECEIPT.exe.390f658.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.anlq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.anlq.exe.3acc036.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.039846H0INVOICERECEIPT.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.anlq.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.anlq.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.anlq.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.anlq.exe.2610000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.anlq.exe.37f0e6c.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.anlq.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.039846H0INVOICERECEIPT.exe.24e0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.anlq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.anlq.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.anlq.exe.415058.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.anlq.exe.3171458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.anlq.exe.518e30.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.039846H0INVOICERECEIPT.exe.24a0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.anlq.exe.415058.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.039846H0INVOICERECEIPT.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.039846H0INVOICERECEIPT.exe.396df79.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.039846H0INVOICERECEIPT.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.anlq.exe.22a0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.anlq.exe.3773258.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.anlq.exe.415058.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.anlq.exe.37f5495.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.anlq.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.anlq.exe.3160000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.anlq.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.anlq.exe.6318c8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.anlq.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.039846H0INVOICERECEIPT.exe.3969950.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.anlq.exe.22e0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.039846H0INVOICERECEIPT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.anlq.exe.37f0e6c.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.anlq.exe.37ec036.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.anlq.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.anlq.exe.415058.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.anlq.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.anlq.exe.3773258.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.anlq.exe.518e30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.039846H0INVOICERECEIPT.exe.3913c81.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.039846H0INVOICERECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.039846H0INVOICERECEIPT.exe.415058.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.039846H0INVOICERECEIPT.exe.415058.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.anlq.exe.2481458.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.anlq.exe.3171458.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.1.anlq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.039846H0INVOICERECEIPT.exe.31a0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.anlq.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.039846H0INVOICERECEIPT.exe.390f658.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.039846H0INVOICERECEIPT.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.anlq.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.039846H0INVOICERECEIPT.exe.3969950.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.039846H0INVOICERECEIPT.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.1.anlq.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.anlq.exe.415058.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.039846H0INVOICERECEIPT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.1.anlq.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.039846H0INVOICERECEIPT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.039846H0INVOICERECEIPT.exe.6837e8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.anlq.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.anlq.exe.3160000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.anlq.exe.2650000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.anlq.exe.415058.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.anlq.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.anlq.exe.2470000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.039846H0INVOICERECEIPT.exe.24a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.039846H0INVOICERECEIPT.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.anlq.exe.2610000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.anlq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.1.anlq.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.039846H0INVOICERECEIPT.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000000.294082200.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.508293325.0000000003904000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.275663964.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.313908924.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.314341475.0000000002610000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.314014470.0000000000504000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.292594850.00000000022E2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.292082066.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.292219672.0000000000624000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.246308898.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.292806006.0000000003771000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000001.277541562.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.508341763.0000000003962000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.503636006.00000000024E2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.314375073.0000000002652000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.296175339.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.292556739.00000000022A0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.498126981.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.498719213.0000000000675000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.276749512.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.503483350.00000000024A0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.314547545.0000000003A8A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.249043381.00000000031A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.292893122.00000000037AA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.244362493.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.297921153.0000000002470000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.314517163.0000000003A51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.279178171.0000000003160000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.504358313.00000000028D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 039846H0INVOICERECEIPT.exe PID: 5220, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 039846H0INVOICERECEIPT.exe PID: 4396, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: anlq.exe PID: 3224, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: anlq.exe PID: 6196, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: anlq.exe PID: 6392, type: MEMORYSTR
Antivirus or Machine Learning detection for unpacked file
Source: 11.0.anlq.exe.400000.8.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.0.anlq.exe.400000.1.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 1.0.039846H0INVOICERECEIPT.exe.400000.2.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 0.2.039846H0INVOICERECEIPT.exe.31f0000.4.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 11.0.anlq.exe.400000.3.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.0.anlq.exe.400000.5.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.0.anlq.exe.400000.3.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.0.anlq.exe.400000.8.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.0.anlq.exe.400000.4.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.2.anlq.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.0.anlq.exe.400000.1.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 1.2.039846H0INVOICERECEIPT.exe.24e0000.4.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 1.0.039846H0INVOICERECEIPT.exe.400000.1.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 1.0.039846H0INVOICERECEIPT.exe.400000.8.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.0.anlq.exe.400000.6.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.2.anlq.exe.400000.1.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.0.anlq.exe.400000.6.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.2.anlq.exe.22e0000.4.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.0.anlq.exe.400000.2.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.1.anlq.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.0.anlq.exe.400000.5.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 1.0.039846H0INVOICERECEIPT.exe.400000.5.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 1.0.039846H0INVOICERECEIPT.exe.400000.4.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 1.2.039846H0INVOICERECEIPT.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.0.anlq.exe.400000.2.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 1.0.039846H0INVOICERECEIPT.exe.400000.6.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.2.anlq.exe.2650000.4.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.0.anlq.exe.400000.4.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 1.0.039846H0INVOICERECEIPT.exe.400000.3.unpack Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Unpacked PE file: 11.2.anlq.exe.2650000.4.unpack
Uses 32bit PE files
Source: 039846H0INVOICERECEIPT.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Binary string: wntdll.pdbUGP source: 039846H0INVOICERECEIPT.exe, 00000000.00000003.238769335.0000000003460000.00000004.00000001.sdmp, 039846H0INVOICERECEIPT.exe, 00000000.00000003.233449853.00000000035F0000.00000004.00000001.sdmp, anlq.exe, 00000005.00000003.271625627.00000000031C0000.00000004.00000001.sdmp, anlq.exe, 00000005.00000003.277128619.0000000003350000.00000004.00000001.sdmp, anlq.exe, 00000009.00000003.296454332.0000000003490000.00000004.00000001.sdmp, anlq.exe, 00000009.00000003.291267046.0000000003300000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.507080103.0000000002924000.00000004.00000001.sdmp, 039846H0INVOICERECEIPT.exe, 00000001.00000002.507854463.0000000002A81000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: 039846H0INVOICERECEIPT.exe, 00000000.00000003.238769335.0000000003460000.00000004.00000001.sdmp, 039846H0INVOICERECEIPT.exe, 00000000.00000003.233449853.00000000035F0000.00000004.00000001.sdmp, anlq.exe, 00000005.00000003.271625627.00000000031C0000.00000004.00000001.sdmp, anlq.exe, 00000005.00000003.277128619.0000000003350000.00000004.00000001.sdmp, anlq.exe, 00000009.00000003.296454332.0000000003490000.00000004.00000001.sdmp, anlq.exe, 00000009.00000003.291267046.0000000003300000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdbF source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.500151835.000000000070D000.00000004.00000020.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.507080103.0000000002924000.00000004.00000001.sdmp, 039846H0INVOICERECEIPT.exe, 00000001.00000002.507854463.0000000002A81000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.507080103.0000000002924000.00000004.00000001.sdmp, 039846H0INVOICERECEIPT.exe, 00000001.00000002.507854463.0000000002A81000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.507080103.0000000002924000.00000004.00000001.sdmp, 039846H0INVOICERECEIPT.exe, 00000001.00000002.507854463.0000000002A81000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.507080103.0000000002924000.00000004.00000001.sdmp, 039846H0INVOICERECEIPT.exe, 00000001.00000002.507854463.0000000002A81000.00000004.00000001.sdmp
Source: Binary string: System.pdb source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.504112483.0000000002587000.00000004.00000040.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.507080103.0000000002924000.00000004.00000001.sdmp, 039846H0INVOICERECEIPT.exe, 00000001.00000002.507854463.0000000002A81000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.504112483.0000000002587000.00000004.00000040.sdmp
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Code function: 0_2_00405D7C FindFirstFileA,FindClose, 0_2_00405D7C
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Code function: 0_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_004053AA
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Code function: 0_2_00402630 FindFirstFileA, 0_2_00402630
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Code function: 1_2_00404A29 FindFirstFileExW, 1_2_00404A29
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 7_2_00404A29 FindFirstFileExW, 7_2_00404A29
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 7_1_00404A29 FindFirstFileExW, 7_1_00404A29
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_00405D7C FindFirstFileA,FindClose, 9_2_00405D7C
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 9_2_004053AA
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_00402630 FindFirstFileA, 9_2_00402630

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: girlhomejan6100.duckdns.org
Uses dynamic DNS services
Source: unknown DNS query: name: girlhomejan6100.duckdns.org
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49754 -> 194.5.98.28:6100
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.507080103.0000000002924000.00000004.00000001.sdmp, 039846H0INVOICERECEIPT.exe, 00000001.00000002.507854463.0000000002A81000.00000004.00000001.sdmp String found in binary or memory: http://google.com
Source: anlq.exe, anlq.exe, 00000009.00000002.297239480.0000000000409000.00000004.00020000.sdmp, anlq.exe, 00000009.00000000.275568008.0000000000409000.00000008.00020000.sdmp, anlq.exe, 0000000B.00000000.280633346.0000000000409000.00000008.00020000.sdmp, 039846H0INVOICERECEIPT.exe, anlq.exe.0.dr String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: 039846H0INVOICERECEIPT.exe, anlq.exe.0.dr String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: unknown DNS traffic detected: queries for: girlhomejan6100.duckdns.org
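The extracted configuration above (AV Detection section) and the network evidence in this section are the parts of the report a defender acts on: the C2 host is a dynamic-DNS name, the implant connects to it on TCP port 6100, and "UseCustomDNS" means it resolves that name through 8.8.8.8 / 8.8.4.4 directly rather than through the host's resolver. The following Python is an added example written for this page, not code from Joe Sandbox or from the report; it turns the config JSON (copied verbatim from the report) into indicators and runs them over constructed DNS and flow log lines. The log line formats, the dynamic-DNS suffixes other than duckdns.org, and the benign lines are assumptions; the flow to 194.5.98.28:6100 is the one the report recorded.

```python
import json
import re

# Configuration as the report's Malware Configuration Extractor printed it (copied verbatim).
CONFIG_JSON = '''{"Version": "1.2.2.0", "Mutex": "c6aea8ec-42ab-4933-970f-cf8fecc5", "Group": "",
"Domain1": "girlhomejan6100.duckdns.org", "Domain2": "girlhomejan6100.duckdns.org", "Port": 6100,
"KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable",
"BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable",
"SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable",
"EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000,
"TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500,
"WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000",
"UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}'''

# Dynamic-DNS suffixes to flag. duckdns.org is the one in the report; the others are
# further well-known free dynamic-DNS providers, added here as an assumption.
DYNDNS_SUFFIXES = (".duckdns.org", ".no-ip.com", ".ddns.net", ".hopto.org")

# Constructed log formats (assumption, not any product's real format):
#   DNS  : "<timestamp> <client-ip> query <qname>"
#   flow : "<timestamp> <TCP|UDP> <src-ip>:<sport> -> <dst-ip>:<dport>"
DNS_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)$")
FLOW_RE = re.compile(r"^(\S+)\s+(TCP|UDP)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$")


def iocs_from_config(config_json: str) -> dict:
    """Reduce the extracted NanoCore config to the indicators worth hunting for."""
    cfg = json.loads(config_json)
    domains = {cfg[k].lower() for k in ("Domain1", "Domain2") if cfg.get(k)}
    resolvers = set()
    if cfg.get("UseCustomDNS") == "Enable":
        # The implant resolves its C2 through these servers directly, bypassing the
        # host's configured resolver; that traffic is itself a detectable signal.
        resolvers = {cfg[k] for k in ("PrimaryDNSServer", "BackupDNSServer") if cfg.get(k)}
    return {"domains": domains, "port": int(cfg["Port"]),
            "resolvers": resolvers, "mutex": cfg.get("Mutex", "")}


def is_dynamic_dns(qname: str) -> bool:
    return qname.lower().rstrip(".").endswith(DYNDNS_SUFFIXES)


def scan_dns(lines, iocs) -> list:
    """Return (timestamp, client, kind, detail) for DNS log lines that match."""
    hits = []
    for line in lines:
        m = DNS_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname = m.groups()
        qname = qname.lower().rstrip(".")
        if qname in iocs["domains"]:
            hits.append((ts, client, "c2-domain", qname))
        elif is_dynamic_dns(qname):
            hits.append((ts, client, "dynamic-dns", qname))
    return hits


def scan_flows(lines, iocs, c2_ips=frozenset()) -> list:
    """Return (timestamp, src, kind, detail) for flow log lines that match.

    c2_ips: addresses the C2 domain resolved to (the report observed 194.5.98.28).
    """
    hits = []
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        ts, proto, src, _sport, dst, dport = m.groups()
        dport = int(dport)
        if proto == "TCP" and dport == iocs["port"] and dst in c2_ips:
            hits.append((ts, src, "c2-connection", f"{dst}:{dport}"))
        elif proto == "UDP" and dport == 53 and dst in iocs["resolvers"]:
            # Only meaningful where endpoints are expected to use an internal resolver.
            hits.append((ts, src, "resolver-bypass", dst))
    return hits


# Constructed sample logs. The second flow line reproduces the connection the report
# recorded; the other lines are made up (203.0.113.10 is a documentation address).
DNS_LOG = [
    "2022-01-17T10:00:01Z 192.168.2.5 query girlhomejan6100.duckdns.org",
    "2022-01-17T10:00:03Z 192.168.2.7 query www.example.com",
    "2022-01-17T10:00:05Z 192.168.2.9 query somehost.hopto.org",
]
FLOW_LOG = [
    "2022-01-17T10:00:00Z UDP 192.168.2.5:51234 -> 8.8.8.8:53",
    "2022-01-17T10:00:02Z TCP 192.168.2.5:49754 -> 194.5.98.28:6100",
    "2022-01-17T10:00:04Z TCP 192.168.2.7:49800 -> 203.0.113.10:443",
]


def run_hunt() -> list:
    iocs = iocs_from_config(CONFIG_JSON)
    return scan_dns(DNS_LOG, iocs) + scan_flows(FLOW_LOG, iocs, c2_ips={"194.5.98.28"})


if __name__ == "__main__":
    for hit in run_hunt():
        print(*hit)
```

The port-only match is deliberately tied to a known C2 address: TCP/6100 on its own is too noisy to alert on, and the domain can move to a new IP at any time because it is dynamic DNS, so the DNS hit is the durable indicator and the IP is a point-in-time one. The "resolver-bypass" rule catches the implant's own DNS lookups but fires on any host configured to use public resolvers, so it belongs in a hunt, not a blocking rule, unless policy already forbids external DNS.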

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: 039846H0INVOICERECEIPT.exe, 00000000.00000002.248356009.000000000080A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Note: the only evidence behind this signature is a hook descriptor for DDRAW.DLL (DirectDraw), of the kind found in Windows application-compatibility shim data, not a DirectInput call; on its own it is weak. The keylogging capability is better supported by the RegisterRawInputDevices string below and by "KeyboardLogging": "Enable" in the extracted configuration.
Installs a raw input device (often for capturing keystrokes)
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.508293325.0000000003904000.00000004.00000001.sdmp Binary or memory string: RegisterRawInputDevices
Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Code function: 0_2_00404F61 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404F61

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match File source: 0.2.039846H0INVOICERECEIPT.exe.31b1458.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.anlq.exe.3ad5495.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.039846H0INVOICERECEIPT.exe.31b1458.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.anlq.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.anlq.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.anlq.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.anlq.exe.6318c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.anlq.exe.3a53258.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.039846H0INVOICERECEIPT.exe.31a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.039846H0INVOICERECEIPT.exe.6837e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.039846H0INVOICERECEIPT.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.anlq.exe.415058.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.anlq.exe.22a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.anlq.exe.3ad0e6c.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.anlq.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.anlq.exe.415058.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.anlq.exe.3ad0e6c.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.anlq.exe.2481458.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.039846H0INVOICERECEIPT.exe.390a822.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.anlq.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.039846H0INVOICERECEIPT.exe.415058.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.anlq.exe.3a53258.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.anlq.exe.2470000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.anlq.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.anlq.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.039846H0INVOICERECEIPT.exe.415058.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.039846H0INVOICERECEIPT.exe.390f658.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.anlq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.anlq.exe.3acc036.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.039846H0INVOICERECEIPT.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.anlq.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.anlq.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.anlq.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.anlq.exe.2610000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.anlq.exe.37f0e6c.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.anlq.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.039846H0INVOICERECEIPT.exe.24e0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.anlq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.anlq.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.anlq.exe.415058.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.anlq.exe.3171458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.anlq.exe.518e30.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.039846H0INVOICERECEIPT.exe.24a0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.anlq.exe.415058.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.039846H0INVOICERECEIPT.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.039846H0INVOICERECEIPT.exe.396df79.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.039846H0INVOICERECEIPT.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.anlq.exe.22a0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.anlq.exe.3773258.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.anlq.exe.415058.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.anlq.exe.37f5495.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.anlq.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.anlq.exe.3160000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.anlq.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.anlq.exe.6318c8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.anlq.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.039846H0INVOICERECEIPT.exe.3969950.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.anlq.exe.22e0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.039846H0INVOICERECEIPT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.anlq.exe.37f0e6c.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.anlq.exe.37ec036.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.anlq.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.anlq.exe.415058.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.anlq.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.anlq.exe.3773258.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.anlq.exe.518e30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.039846H0INVOICERECEIPT.exe.3913c81.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.039846H0INVOICERECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.039846H0INVOICERECEIPT.exe.415058.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.039846H0INVOICERECEIPT.exe.415058.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.anlq.exe.2481458.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.anlq.exe.3171458.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.1.anlq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.039846H0INVOICERECEIPT.exe.31a0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.anlq.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.039846H0INVOICERECEIPT.exe.390f658.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.039846H0INVOICERECEIPT.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.anlq.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.039846H0INVOICERECEIPT.exe.3969950.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.039846H0INVOICERECEIPT.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.1.anlq.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.anlq.exe.415058.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.039846H0INVOICERECEIPT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.1.anlq.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.039846H0INVOICERECEIPT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.039846H0INVOICERECEIPT.exe.6837e8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.anlq.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.anlq.exe.3160000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.anlq.exe.2650000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.anlq.exe.415058.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.anlq.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.anlq.exe.2470000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.039846H0INVOICERECEIPT.exe.24a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.039846H0INVOICERECEIPT.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.anlq.exe.2610000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.anlq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.1.anlq.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.039846H0INVOICERECEIPT.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000000.294082200.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.508293325.0000000003904000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.275663964.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.313908924.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.314341475.0000000002610000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.314014470.0000000000504000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.292594850.00000000022E2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.292082066.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.292219672.0000000000624000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.246308898.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.292806006.0000000003771000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000001.277541562.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.508341763.0000000003962000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.503636006.00000000024E2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.314375073.0000000002652000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.296175339.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.292556739.00000000022A0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.498126981.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.498719213.0000000000675000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.276749512.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.503483350.00000000024A0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.314547545.0000000003A8A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.249043381.00000000031A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.292893122.00000000037AA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.244362493.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.297921153.0000000002470000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.314517163.0000000003A51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.279178171.0000000003160000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.504358313.00000000028D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 039846H0INVOICERECEIPT.exe PID: 5220, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 039846H0INVOICERECEIPT.exe PID: 4396, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: anlq.exe PID: 3224, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: anlq.exe PID: 6196, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: anlq.exe PID: 6392, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)
Source: 1.2.039846H0INVOICERECEIPT.exe.38e1aec.12.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.039846H0INVOICERECEIPT.exe.31b1458.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.039846H0INVOICERECEIPT.exe.31b1458.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.anlq.exe.3ad5495.8.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.039846H0INVOICERECEIPT.exe.31b1458.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.039846H0INVOICERECEIPT.exe.31b1458.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.039846H0INVOICERECEIPT.exe.38d3248.13.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.anlq.exe.415058.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.anlq.exe.415058.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.0.anlq.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.0.anlq.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.0.anlq.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.0.anlq.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.anlq.exe.6318c8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.anlq.exe.6318c8.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.anlq.exe.3a53258.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.anlq.exe.3a53258.6.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.039846H0INVOICERECEIPT.exe.31a0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.039846H0INVOICERECEIPT.exe.31a0000.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.039846H0INVOICERECEIPT.exe.6837e8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.039846H0INVOICERECEIPT.exe.6837e8.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.0.039846H0INVOICERECEIPT.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.0.anlq.exe.415058.9.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.0.039846H0INVOICERECEIPT.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.anlq.exe.415058.9.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.039846H0INVOICERECEIPT.exe.2975790.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.039846H0INVOICERECEIPT.exe.2975790.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.anlq.exe.22a0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.anlq.exe.22a0000.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.anlq.exe.3ad0e6c.9.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.anlq.exe.415058.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.anlq.exe.415058.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.0.anlq.exe.415058.9.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.0.anlq.exe.415058.9.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.anlq.exe.3ad0e6c.9.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.anlq.exe.2481458.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.anlq.exe.2481458.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.039846H0INVOICERECEIPT.exe.390a822.15.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.039846H0INVOICERECEIPT.exe.390a822.15.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.anlq.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.anlq.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.0.039846H0INVOICERECEIPT.exe.415058.9.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.0.039846H0INVOICERECEIPT.exe.415058.9.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.anlq.exe.3a53258.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.anlq.exe.3a53258.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.anlq.exe.2470000.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.anlq.exe.2470000.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.anlq.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.0.anlq.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.0.anlq.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.0.anlq.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.039846H0INVOICERECEIPT.exe.38d7ee7.14.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.0.039846H0INVOICERECEIPT.exe.415058.9.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.0.039846H0INVOICERECEIPT.exe.415058.9.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.039846H0INVOICERECEIPT.exe.390f658.16.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.0.anlq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.0.anlq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.anlq.exe.3acc036.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.anlq.exe.3acc036.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.039846H0INVOICERECEIPT.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.039846H0INVOICERECEIPT.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.anlq.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.0.anlq.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.anlq.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.0.anlq.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.0.anlq.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.0.anlq.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.anlq.exe.2610000.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.anlq.exe.2610000.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.anlq.exe.37f0e6c.9.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.039846H0INVOICERECEIPT.exe.2961128.8.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.039846H0INVOICERECEIPT.exe.2961128.8.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.anlq.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.anlq.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.039846H0INVOICERECEIPT.exe.24e0000.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.039846H0INVOICERECEIPT.exe.24e0000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.anlq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.anlq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.anlq.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.0.anlq.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.0.anlq.exe.415058.7.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.0.anlq.exe.415058.7.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.anlq.exe.3171458.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.anlq.exe.3171458.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.anlq.exe.518e30.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.039846H0INVOICERECEIPT.exe.24a0000.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.anlq.exe.518e30.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.039846H0INVOICERECEIPT.exe.24a0000.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.anlq.exe.415058.7.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.0.anlq.exe.415058.7.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.0.039846H0INVOICERECEIPT.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.0.039846H0INVOICERECEIPT.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.039846H0INVOICERECEIPT.exe.396df79.18.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.0.039846H0INVOICERECEIPT.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.0.039846H0INVOICERECEIPT.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.anlq.exe.22a0000.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.anlq.exe.22a0000.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.anlq.exe.3773258.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.anlq.exe.3773258.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.0.anlq.exe.415058.9.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.0.anlq.exe.415058.9.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.anlq.exe.37f5495.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.0.anlq.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.0.anlq.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.anlq.exe.3160000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.anlq.exe.3160000.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.039846H0INVOICERECEIPT.exe.2954eb4.7.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.anlq.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.anlq.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.anlq.exe.6318c8.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.anlq.exe.6318c8.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.anlq.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.0.anlq.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.039846H0INVOICERECEIPT.exe.3969950.19.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.039846H0INVOICERECEIPT.exe.28e156c.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.anlq.exe.22e0000.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.anlq.exe.22e0000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.039846H0INVOICERECEIPT.exe.2a98c84.10.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.039846H0INVOICERECEIPT.exe.2a98c84.10.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.039846H0INVOICERECEIPT.exe.2aad308.11.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.039846H0INVOICERECEIPT.exe.2aad308.11.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.039846H0INVOICERECEIPT.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.039846H0INVOICERECEIPT.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.039846H0INVOICERECEIPT.exe.2a8c9f4.9.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.anlq.exe.37f0e6c.9.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.anlq.exe.37ec036.8.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.anlq.exe.37ec036.8.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.anlq.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.0.anlq.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.anlq.exe.415058.9.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.0.anlq.exe.415058.9.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.anlq.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.anlq.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.anlq.exe.3773258.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.anlq.exe.3773258.6.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.anlq.exe.518e30.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.anlq.exe.518e30.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.039846H0INVOICERECEIPT.exe.3913c81.17.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.039846H0INVOICERECEIPT.exe.3913c81.17.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.039846H0INVOICERECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.039846H0INVOICERECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.anlq.exe.27968bc.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.anlq.exe.2a768bc.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.0.039846H0INVOICERECEIPT.exe.415058.7.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.0.039846H0INVOICERECEIPT.exe.415058.7.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.0.039846H0INVOICERECEIPT.exe.415058.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.0.039846H0INVOICERECEIPT.exe.415058.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.anlq.exe.2481458.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.anlq.exe.2481458.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.anlq.exe.3171458.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.anlq.exe.3171458.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.1.anlq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.1.anlq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.039846H0INVOICERECEIPT.exe.2961128.8.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.039846H0INVOICERECEIPT.exe.31a0000.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.039846H0INVOICERECEIPT.exe.31a0000.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.anlq.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.anlq.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.039846H0INVOICERECEIPT.exe.390f658.16.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.039846H0INVOICERECEIPT.exe.390f658.16.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.0.039846H0INVOICERECEIPT.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.0.039846H0INVOICERECEIPT.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.0.anlq.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.0.anlq.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.039846H0INVOICERECEIPT.exe.3969950.19.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.0.039846H0INVOICERECEIPT.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.0.039846H0INVOICERECEIPT.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.1.anlq.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.1.anlq.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.0.anlq.exe.415058.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.0.anlq.exe.415058.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.0.039846H0INVOICERECEIPT.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.0.039846H0INVOICERECEIPT.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.1.anlq.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.1.anlq.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.039846H0INVOICERECEIPT.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.039846H0INVOICERECEIPT.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.039846H0INVOICERECEIPT.exe.2a98c84.10.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.039846H0INVOICERECEIPT.exe.38d3248.13.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.039846H0INVOICERECEIPT.exe.6837e8.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.039846H0INVOICERECEIPT.exe.6837e8.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.0.anlq.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.0.anlq.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.039846H0INVOICERECEIPT.exe.2954eb4.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.039846H0INVOICERECEIPT.exe.2954eb4.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.anlq.exe.3160000.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.anlq.exe.3160000.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.anlq.exe.2650000.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.anlq.exe.2650000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.anlq.exe.415058.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.0.anlq.exe.415058.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.anlq.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.0.anlq.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.anlq.exe.2470000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.anlq.exe.2470000.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.039846H0INVOICERECEIPT.exe.24a0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.039846H0INVOICERECEIPT.exe.24a0000.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.0.039846H0INVOICERECEIPT.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.0.039846H0INVOICERECEIPT.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.anlq.exe.2610000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.anlq.exe.2610000.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.anlq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.0.anlq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.039846H0INVOICERECEIPT.exe.2a8c9f4.9.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.039846H0INVOICERECEIPT.exe.2a8c9f4.9.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.1.anlq.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.1.anlq.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.0.039846H0INVOICERECEIPT.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.0.039846H0INVOICERECEIPT.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000000.294082200.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000000.294082200.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.508293325.0000000003904000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.292734330.000000000277E000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000000.275663964.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000000.275663964.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.313908924.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.313908924.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.314341475.0000000002610000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.314341475.0000000002610000.00000004.00020000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.314490678.0000000002A5E000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.314014470.0000000000504000.00000004.00000020.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.314014470.0000000000504000.00000004.00000020.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.292594850.00000000022E2000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.292594850.00000000022E2000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.292082066.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.292082066.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.292219672.0000000000624000.00000004.00000020.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.292219672.0000000000624000.00000004.00000020.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000000.246308898.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000000.246308898.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.292806006.0000000003771000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.292806006.0000000003771000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000001.277541562.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000001.277541562.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.503636006.00000000024E2000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.503636006.00000000024E2000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.314375073.0000000002652000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.314375073.0000000002652000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000000.296175339.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000000.296175339.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.292556739.00000000022A0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.292556739.00000000022A0000.00000004.00020000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.498126981.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.498126981.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.498719213.0000000000675000.00000004.00000020.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.498719213.0000000000675000.00000004.00000020.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.507080103.0000000002924000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000000.276749512.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000000.276749512.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.503483350.00000000024A0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.503483350.00000000024A0000.00000004.00020000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.314547545.0000000003A8A000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.249043381.00000000031A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.249043381.00000000031A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.292893122.00000000037AA000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000000.244362493.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000000.244362493.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.297921153.0000000002470000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.297921153.0000000002470000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.314517163.0000000003A51000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.314517163.0000000003A51000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.279178171.0000000003160000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.279178171.0000000003160000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.507854463.0000000002A81000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: 039846H0INVOICERECEIPT.exe PID: 5220, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: 039846H0INVOICERECEIPT.exe PID: 5220, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: 039846H0INVOICERECEIPT.exe PID: 4396, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: 039846H0INVOICERECEIPT.exe PID: 4396, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: anlq.exe PID: 3224, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: anlq.exe PID: 3224, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: anlq.exe PID: 6196, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: anlq.exe PID: 6196, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: anlq.exe PID: 6392, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: anlq.exe PID: 6392, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: 039846H0INVOICERECEIPT.exe
Uses 32bit PE files
Source: 039846H0INVOICERECEIPT.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 1.2.039846H0INVOICERECEIPT.exe.38e1aec.12.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.039846H0INVOICERECEIPT.exe.38e1aec.12.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.039846H0INVOICERECEIPT.exe.31b1458.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.039846H0INVOICERECEIPT.exe.31b1458.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.039846H0INVOICERECEIPT.exe.31b1458.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.anlq.exe.3ad5495.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.anlq.exe.3ad5495.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.039846H0INVOICERECEIPT.exe.31b1458.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.039846H0INVOICERECEIPT.exe.31b1458.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.039846H0INVOICERECEIPT.exe.31b1458.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.039846H0INVOICERECEIPT.exe.38d3248.13.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.039846H0INVOICERECEIPT.exe.38d3248.13.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.anlq.exe.415058.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.anlq.exe.415058.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.anlq.exe.415058.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.0.anlq.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.0.anlq.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.0.anlq.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.0.anlq.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.0.anlq.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.0.anlq.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.anlq.exe.6318c8.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.anlq.exe.6318c8.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.anlq.exe.6318c8.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.anlq.exe.3a53258.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.anlq.exe.3a53258.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.anlq.exe.3a53258.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.039846H0INVOICERECEIPT.exe.31a0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.039846H0INVOICERECEIPT.exe.31a0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.039846H0INVOICERECEIPT.exe.31a0000.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.039846H0INVOICERECEIPT.exe.6837e8.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.039846H0INVOICERECEIPT.exe.6837e8.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.039846H0INVOICERECEIPT.exe.6837e8.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.0.039846H0INVOICERECEIPT.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.0.039846H0INVOICERECEIPT.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.anlq.exe.415058.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.0.anlq.exe.415058.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.039846H0INVOICERECEIPT.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.0.anlq.exe.415058.9.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.039846H0INVOICERECEIPT.exe.2975790.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.039846H0INVOICERECEIPT.exe.2975790.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.anlq.exe.22a0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.anlq.exe.22a0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.anlq.exe.22a0000.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.anlq.exe.3ad0e6c.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.anlq.exe.3ad0e6c.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.anlq.exe.415058.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.anlq.exe.415058.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.anlq.exe.415058.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.0.anlq.exe.415058.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.0.anlq.exe.415058.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.0.anlq.exe.415058.9.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.anlq.exe.3ad0e6c.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.anlq.exe.3ad0e6c.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.anlq.exe.2481458.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.anlq.exe.2481458.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.anlq.exe.2481458.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.039846H0INVOICERECEIPT.exe.390a822.15.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.039846H0INVOICERECEIPT.exe.390a822.15.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.039846H0INVOICERECEIPT.exe.390a822.15.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.anlq.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.anlq.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.anlq.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.0.039846H0INVOICERECEIPT.exe.415058.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.0.039846H0INVOICERECEIPT.exe.415058.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.039846H0INVOICERECEIPT.exe.415058.9.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.anlq.exe.3a53258.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.anlq.exe.3a53258.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.anlq.exe.3a53258.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.anlq.exe.2470000.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.anlq.exe.2470000.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.anlq.exe.2470000.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.0.anlq.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.0.anlq.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.anlq.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.0.anlq.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.0.anlq.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.0.anlq.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.039846H0INVOICERECEIPT.exe.38d7ee7.14.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.039846H0INVOICERECEIPT.exe.38d7ee7.14.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.039846H0INVOICERECEIPT.exe.415058.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.0.039846H0INVOICERECEIPT.exe.415058.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.039846H0INVOICERECEIPT.exe.415058.9.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.039846H0INVOICERECEIPT.exe.390f658.16.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.039846H0INVOICERECEIPT.exe.390f658.16.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.0.anlq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.0.anlq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.0.anlq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.anlq.exe.3acc036.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.anlq.exe.3acc036.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.anlq.exe.3acc036.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.039846H0INVOICERECEIPT.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.039846H0INVOICERECEIPT.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.039846H0INVOICERECEIPT.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.0.anlq.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.0.anlq.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.anlq.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.0.anlq.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.0.anlq.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.anlq.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.0.anlq.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.0.anlq.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.0.anlq.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.anlq.exe.2610000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.anlq.exe.2610000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.anlq.exe.2610000.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.anlq.exe.37f0e6c.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.anlq.exe.37f0e6c.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.039846H0INVOICERECEIPT.exe.2961128.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.039846H0INVOICERECEIPT.exe.2961128.8.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.anlq.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.anlq.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.anlq.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.039846H0INVOICERECEIPT.exe.24e0000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.039846H0INVOICERECEIPT.exe.24e0000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.039846H0INVOICERECEIPT.exe.24e0000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.anlq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.anlq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.anlq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.0.anlq.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.0.anlq.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.anlq.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.0.anlq.exe.415058.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.0.anlq.exe.415058.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.0.anlq.exe.415058.7.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.anlq.exe.3171458.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.anlq.exe.3171458.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.anlq.exe.3171458.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.anlq.exe.518e30.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.anlq.exe.518e30.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.039846H0INVOICERECEIPT.exe.24a0000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.039846H0INVOICERECEIPT.exe.24a0000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.anlq.exe.518e30.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.039846H0INVOICERECEIPT.exe.24a0000.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.0.anlq.exe.415058.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.0.anlq.exe.415058.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.anlq.exe.415058.7.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.0.039846H0INVOICERECEIPT.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.0.039846H0INVOICERECEIPT.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.039846H0INVOICERECEIPT.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.039846H0INVOICERECEIPT.exe.396df79.18.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.039846H0INVOICERECEIPT.exe.396df79.18.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.039846H0INVOICERECEIPT.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.0.039846H0INVOICERECEIPT.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.039846H0INVOICERECEIPT.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.anlq.exe.22a0000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.anlq.exe.22a0000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.anlq.exe.22a0000.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.anlq.exe.3773258.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.anlq.exe.3773258.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.anlq.exe.3773258.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.0.anlq.exe.415058.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.0.anlq.exe.415058.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.0.anlq.exe.415058.9.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.anlq.exe.37f5495.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.anlq.exe.37f5495.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.0.anlq.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.0.anlq.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.0.anlq.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.anlq.exe.3160000.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.anlq.exe.3160000.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.anlq.exe.3160000.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.039846H0INVOICERECEIPT.exe.2954eb4.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.039846H0INVOICERECEIPT.exe.2954eb4.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.anlq.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.anlq.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.anlq.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.anlq.exe.6318c8.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.anlq.exe.6318c8.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.anlq.exe.6318c8.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.0.anlq.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.0.anlq.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.anlq.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.039846H0INVOICERECEIPT.exe.3969950.19.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.039846H0INVOICERECEIPT.exe.3969950.19.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.039846H0INVOICERECEIPT.exe.28e156c.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.039846H0INVOICERECEIPT.exe.28e156c.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.anlq.exe.22e0000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.anlq.exe.22e0000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.anlq.exe.22e0000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.039846H0INVOICERECEIPT.exe.2a98c84.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.039846H0INVOICERECEIPT.exe.2a98c84.10.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.039846H0INVOICERECEIPT.exe.2aad308.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.039846H0INVOICERECEIPT.exe.2aad308.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.039846H0INVOICERECEIPT.exe.2aad308.11.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.039846H0INVOICERECEIPT.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.039846H0INVOICERECEIPT.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.039846H0INVOICERECEIPT.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.039846H0INVOICERECEIPT.exe.2a8c9f4.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.039846H0INVOICERECEIPT.exe.2a8c9f4.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.anlq.exe.37f0e6c.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.anlq.exe.37f0e6c.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.anlq.exe.37ec036.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.anlq.exe.37ec036.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.anlq.exe.37ec036.8.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.0.anlq.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.0.anlq.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.anlq.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.0.anlq.exe.415058.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.0.anlq.exe.415058.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.anlq.exe.415058.9.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.anlq.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.anlq.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.anlq.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.anlq.exe.3773258.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.anlq.exe.3773258.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.anlq.exe.3773258.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.anlq.exe.518e30.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.anlq.exe.518e30.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.anlq.exe.518e30.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.039846H0INVOICERECEIPT.exe.3913c81.17.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.039846H0INVOICERECEIPT.exe.3913c81.17.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.039846H0INVOICERECEIPT.exe.3913c81.17.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.039846H0INVOICERECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.039846H0INVOICERECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.039846H0INVOICERECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.anlq.exe.27968bc.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.anlq.exe.27968bc.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.anlq.exe.2a768bc.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.anlq.exe.2a768bc.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.039846H0INVOICERECEIPT.exe.415058.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.0.039846H0INVOICERECEIPT.exe.415058.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.039846H0INVOICERECEIPT.exe.415058.7.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.0.039846H0INVOICERECEIPT.exe.415058.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.0.039846H0INVOICERECEIPT.exe.415058.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.039846H0INVOICERECEIPT.exe.415058.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.anlq.exe.2481458.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.anlq.exe.2481458.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.anlq.exe.2481458.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.anlq.exe.3171458.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.anlq.exe.3171458.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.anlq.exe.3171458.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.1.anlq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.1.anlq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.1.anlq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.039846H0INVOICERECEIPT.exe.2961128.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.039846H0INVOICERECEIPT.exe.2961128.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.039846H0INVOICERECEIPT.exe.31a0000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.039846H0INVOICERECEIPT.exe.31a0000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.039846H0INVOICERECEIPT.exe.31a0000.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.anlq.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.anlq.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.anlq.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.039846H0INVOICERECEIPT.exe.390f658.16.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.039846H0INVOICERECEIPT.exe.390f658.16.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.039846H0INVOICERECEIPT.exe.390f658.16.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.0.039846H0INVOICERECEIPT.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.0.039846H0INVOICERECEIPT.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.039846H0INVOICERECEIPT.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.0.anlq.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.0.anlq.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.0.anlq.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.039846H0INVOICERECEIPT.exe.3969950.19.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.039846H0INVOICERECEIPT.exe.3969950.19.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.039846H0INVOICERECEIPT.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.0.039846H0INVOICERECEIPT.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.039846H0INVOICERECEIPT.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.1.anlq.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.1.anlq.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.1.anlq.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.0.anlq.exe.415058.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.0.anlq.exe.415058.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.0.anlq.exe.415058.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.0.039846H0INVOICERECEIPT.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.0.039846H0INVOICERECEIPT.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.039846H0INVOICERECEIPT.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.1.anlq.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.1.anlq.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.1.anlq.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.039846H0INVOICERECEIPT.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.039846H0INVOICERECEIPT.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.039846H0INVOICERECEIPT.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.039846H0INVOICERECEIPT.exe.2a98c84.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.039846H0INVOICERECEIPT.exe.2a98c84.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.039846H0INVOICERECEIPT.exe.38d3248.13.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.039846H0INVOICERECEIPT.exe.38d3248.13.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.039846H0INVOICERECEIPT.exe.6837e8.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.039846H0INVOICERECEIPT.exe.6837e8.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.039846H0INVOICERECEIPT.exe.6837e8.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.0.anlq.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.0.anlq.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.0.anlq.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.039846H0INVOICERECEIPT.exe.2954eb4.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.039846H0INVOICERECEIPT.exe.2954eb4.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.anlq.exe.3160000.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.anlq.exe.3160000.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.anlq.exe.3160000.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.anlq.exe.2650000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.anlq.exe.2650000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.anlq.exe.2650000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.0.anlq.exe.415058.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.0.anlq.exe.415058.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.anlq.exe.415058.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.0.anlq.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.0.anlq.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.anlq.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.anlq.exe.2470000.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.anlq.exe.2470000.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.anlq.exe.2470000.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.039846H0INVOICERECEIPT.exe.24a0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.039846H0INVOICERECEIPT.exe.24a0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.039846H0INVOICERECEIPT.exe.24a0000.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.0.039846H0INVOICERECEIPT.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.0.039846H0INVOICERECEIPT.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.039846H0INVOICERECEIPT.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.anlq.exe.2610000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.anlq.exe.2610000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.anlq.exe.2610000.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.0.anlq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.0.anlq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.anlq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.039846H0INVOICERECEIPT.exe.2a8c9f4.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.039846H0INVOICERECEIPT.exe.2a8c9f4.9.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.1.anlq.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.1.anlq.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.1.anlq.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.0.039846H0INVOICERECEIPT.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.0.039846H0INVOICERECEIPT.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.039846H0INVOICERECEIPT.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000000.294082200.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000000.294082200.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.508293325.0000000003904000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.292734330.000000000277E000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000000.275663964.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000000.275663964.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.313908924.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.313908924.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000B.00000002.313908924.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.314341475.0000000002610000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.314341475.0000000002610000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000B.00000002.314341475.0000000002610000.00000004.00020000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.314490678.0000000002A5E000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.314014470.0000000000504000.00000004.00000020.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.314014470.0000000000504000.00000004.00000020.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.292594850.00000000022E2000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.292594850.00000000022E2000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.292082066.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.292082066.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000002.292082066.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.292219672.0000000000624000.00000004.00000020.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.292219672.0000000000624000.00000004.00000020.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000000.246308898.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000000.246308898.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.292806006.0000000003771000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.292806006.0000000003771000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000001.277541562.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000001.277541562.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000001.277541562.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.503636006.00000000024E2000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.503636006.00000000024E2000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.314375073.0000000002652000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.314375073.0000000002652000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000000.296175339.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000000.296175339.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.292556739.00000000022A0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.292556739.00000000022A0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000002.292556739.00000000022A0000.00000004.00020000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.498126981.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.498126981.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.498126981.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.498719213.0000000000675000.00000004.00000020.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.498719213.0000000000675000.00000004.00000020.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.507080103.0000000002924000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000000.276749512.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000000.276749512.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.503483350.00000000024A0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.503483350.00000000024A0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.503483350.00000000024A0000.00000004.00020000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.314547545.0000000003A8A000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.249043381.00000000031A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.249043381.00000000031A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.249043381.00000000031A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.292893122.00000000037AA000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000000.244362493.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000000.244362493.0000000000414000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.297921153.0000000002470000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.297921153.0000000002470000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000009.00000002.297921153.0000000002470000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.314517163.0000000003A51000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.314517163.0000000003A51000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.279178171.0000000003160000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.279178171.0000000003160000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000005.00000002.279178171.0000000003160000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.507854463.0000000002A81000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: 039846H0INVOICERECEIPT.exe PID: 5220, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: 039846H0INVOICERECEIPT.exe PID: 5220, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: 039846H0INVOICERECEIPT.exe PID: 4396, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: 039846H0INVOICERECEIPT.exe PID: 4396, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: anlq.exe PID: 3224, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: anlq.exe PID: 3224, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: anlq.exe PID: 6196, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: anlq.exe PID: 6196, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: anlq.exe PID: 6392, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: anlq.exe PID: 6392, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Code function: 0_2_00403225 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_00403225
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_00403225 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 9_2_00403225
Detected potential crypto function
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 5_2_6FF3946A 5_2_6FF3946A
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 5_2_6FF39045 5_2_6FF39045
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 5_2_6FF35839 5_2_6FF35839
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 5_2_6FF34E3F 5_2_6FF34E3F
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 5_2_6FF3583F 5_2_6FF3583F
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 5_2_6FF38A2F 5_2_6FF38A2F
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 5_2_6FF37A03 5_2_6FF37A03
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 7_2_0040A2A5 7_2_0040A2A5
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 7_2_02320879 7_2_02320879
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 7_2_023207B1 7_2_023207B1
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 7_2_048A2FA8 7_2_048A2FA8
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 7_2_048A23A0 7_2_048A23A0
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 7_2_048A3850 7_2_048A3850
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 7_2_048A306F 7_2_048A306F
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 7_1_0040A2A5 7_1_0040A2A5
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_0040604C 9_2_0040604C
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_00404772 9_2_00404772
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE5B7EC 9_2_6FE5B7EC
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE54FFA 9_2_6FE54FFA
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE51FC6 9_2_6FE51FC6
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE5AFC2 9_2_6FE5AFC2
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE587A8 9_2_6FE587A8
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE5ABA8 9_2_6FE5ABA8
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE5C3A8 9_2_6FE5C3A8
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE593BF 9_2_6FE593BF
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE567B8 9_2_6FE567B8
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE58F8E 9_2_6FE58F8E
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE59374 9_2_6FE59374
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE5674D 9_2_6FE5674D
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE58751 9_2_6FE58751
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE56F59 9_2_6FE56F59
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE5B305 9_2_6FE5B305
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE5BB19 9_2_6FE5BB19
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE58EFF 9_2_6FE58EFF
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE592F9 9_2_6FE592F9
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE5BAF8 9_2_6FE5BAF8
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE5B6CD 9_2_6FE5B6CD
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE576D2 9_2_6FE576D2
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE51ADD 9_2_6FE51ADD
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE5AEDB 9_2_6FE5AEDB
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE592A4 9_2_6FE592A4
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE5BAAA 9_2_6FE5BAAA
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE58EB3 9_2_6FE58EB3
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE57A82 9_2_6FE57A82
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE5B694 9_2_6FE5B694
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE5AE91 9_2_6FE5AE91
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE64E91 9_2_6FE64E91
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE57E9A 9_2_6FE57E9A
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE56676 9_2_6FE56676
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE5BA7A 9_2_6FE5BA7A
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE5D24C 9_2_6FE5D24C
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE58A2F 9_2_6FE58A2F
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE5AE34 9_2_6FE5AE34
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE54E3F 9_2_6FE54E3F
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE57A03 9_2_6FE57A03
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE5ADED 9_2_6FE5ADED
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE58DF4 9_2_6FE58DF4
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE581F3 9_2_6FE581F3
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE591F2 9_2_6FE591F2
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE551A2 9_2_6FE551A2
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE581AB 9_2_6FE581AB
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE5B9B0 9_2_6FE5B9B0
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE5B5BB 9_2_6FE5B5BB
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE5758F 9_2_6FE5758F
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE5698E 9_2_6FE5698E
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE57596 9_2_6FE57596
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE5AD92 9_2_6FE5AD92
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE5619E 9_2_6FE5619E
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE56599 9_2_6FE56599
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE5756F 9_2_6FE5756F
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE5B579 9_2_6FE5B579
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE5697A 9_2_6FE5697A
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE5B943 9_2_6FE5B943
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE56553 9_2_6FE56553
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE59139 9_2_6FE59139
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE58D3A 9_2_6FE58D3A
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE56117 9_2_6FE56117
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE5CD1C 9_2_6FE5CD1C
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE5B11A 9_2_6FE5B11A
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE5B0EC 9_2_6FE5B0EC
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE56886 9_2_6FE56886
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE68C94 9_2_6FE68C94
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE5B09E 9_2_6FE5B09E
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE59063 9_2_6FE59063
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE5946A 9_2_6FE5946A
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE59045 9_2_6FE59045
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE5BC5E 9_2_6FE5BC5E
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE5583F 9_2_6FE5583F
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE55839 9_2_6FE55839
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE5BC1A 9_2_6FE5BC1A
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Code function: String function: 00401ED0 appears 46 times
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Code function: String function: 0040569E appears 36 times
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: String function: 00401ED0 appears 46 times
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: String function: 0040569E appears 36 times
Sample file is different than original file name gathered from version info
Source: 039846H0INVOICERECEIPT.exe, 00000000.00000003.238949634.0000000003576000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 039846H0INVOICERECEIPT.exe
Source: 039846H0INVOICERECEIPT.exe, 00000000.00000003.242193895.000000000370F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 039846H0INVOICERECEIPT.exe
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.508293325.0000000003904000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs 039846H0INVOICERECEIPT.exe
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.508293325.0000000003904000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs 039846H0INVOICERECEIPT.exe
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.508293325.0000000003904000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs 039846H0INVOICERECEIPT.exe
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.508293325.0000000003904000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs 039846H0INVOICERECEIPT.exe
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.507080103.0000000002924000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs 039846H0INVOICERECEIPT.exe
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.507080103.0000000002924000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs 039846H0INVOICERECEIPT.exe
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.507080103.0000000002924000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs 039846H0INVOICERECEIPT.exe
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.507080103.0000000002924000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs 039846H0INVOICERECEIPT.exe
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.507080103.0000000002924000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs 039846H0INVOICERECEIPT.exe
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.507080103.0000000002924000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs 039846H0INVOICERECEIPT.exe
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.507080103.0000000002924000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs 039846H0INVOICERECEIPT.exe
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.507080103.0000000002924000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs 039846H0INVOICERECEIPT.exe
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.507080103.0000000002924000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs 039846H0INVOICERECEIPT.exe
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.507080103.0000000002924000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs 039846H0INVOICERECEIPT.exe
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.507080103.0000000002924000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs 039846H0INVOICERECEIPT.exe
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.508259878.00000000038D1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs 039846H0INVOICERECEIPT.exe
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.508259878.00000000038D1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNAudio.dll4 vs 039846H0INVOICERECEIPT.exe
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.508259878.00000000038D1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs 039846H0INVOICERECEIPT.exe
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.507854463.0000000002A81000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs 039846H0INVOICERECEIPT.exe
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.507854463.0000000002A81000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs 039846H0INVOICERECEIPT.exe
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.507854463.0000000002A81000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs 039846H0INVOICERECEIPT.exe
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.507854463.0000000002A81000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs 039846H0INVOICERECEIPT.exe
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.507854463.0000000002A81000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs 039846H0INVOICERECEIPT.exe
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.507854463.0000000002A81000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs 039846H0INVOICERECEIPT.exe
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.507854463.0000000002A81000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs 039846H0INVOICERECEIPT.exe
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.507854463.0000000002A81000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs 039846H0INVOICERECEIPT.exe
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.507854463.0000000002A81000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs 039846H0INVOICERECEIPT.exe
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.507854463.0000000002A81000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs 039846H0INVOICERECEIPT.exe
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.507854463.0000000002A81000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs 039846H0INVOICERECEIPT.exe
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.504358313.00000000028D1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs 039846H0INVOICERECEIPT.exe
PE file contains strange resources
Source: 039846H0INVOICERECEIPT.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: anlq.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe File read: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe
Source: 039846H0INVOICERECEIPT.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe "C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe"
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Process created: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe "C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe "C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe"
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Process created: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe "C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe "C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe"
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Process created: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe "C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe"
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Process created: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe "C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe"
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Process created: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe "C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe"
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Process created: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe "C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe"
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe File created: C:\Users\user\AppData\Roaming\ngneqippkv
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe File created: C:\Users\user\AppData\Local\Temp\nsa26E.tmp
Source: classification engine Classification label: mal100.troj.evad.winEXE@9/12@19/1
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Code function: 0_2_00402012 CoCreateInstance,MultiByteToWideChar, 0_2_00402012
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Code function: 0_2_00404275 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_00404275
Source: 11.2.anlq.exe.2650000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 11.2.anlq.exe.2650000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.039846H0INVOICERECEIPT.exe.24e0000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.2.039846H0INVOICERECEIPT.exe.24e0000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 7.2.anlq.exe.22e0000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.2.anlq.exe.22e0000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{c6aea8ec-42ab-4933-970f-cf8fecc5c7fd}
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Code function: 1_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess, 1_2_00401489
Source: 1.2.039846H0INVOICERECEIPT.exe.24e0000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.039846H0INVOICERECEIPT.exe.24e0000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.039846H0INVOICERECEIPT.exe.24e0000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.anlq.exe.22e0000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.2.anlq.exe.22e0000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.anlq.exe.22e0000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.anlq.exe.2650000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 11.2.anlq.exe.2650000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 11.2.anlq.exe.2650000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Binary string: wntdll.pdbUGP source: 039846H0INVOICERECEIPT.exe, 00000000.00000003.238769335.0000000003460000.00000004.00000001.sdmp, 039846H0INVOICERECEIPT.exe, 00000000.00000003.233449853.00000000035F0000.00000004.00000001.sdmp, anlq.exe, 00000005.00000003.271625627.00000000031C0000.00000004.00000001.sdmp, anlq.exe, 00000005.00000003.277128619.0000000003350000.00000004.00000001.sdmp, anlq.exe, 00000009.00000003.296454332.0000000003490000.00000004.00000001.sdmp, anlq.exe, 00000009.00000003.291267046.0000000003300000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.507080103.0000000002924000.00000004.00000001.sdmp, 039846H0INVOICERECEIPT.exe, 00000001.00000002.507854463.0000000002A81000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: 039846H0INVOICERECEIPT.exe, 00000000.00000003.238769335.0000000003460000.00000004.00000001.sdmp, 039846H0INVOICERECEIPT.exe, 00000000.00000003.233449853.00000000035F0000.00000004.00000001.sdmp, anlq.exe, 00000005.00000003.271625627.00000000031C0000.00000004.00000001.sdmp, anlq.exe, 00000005.00000003.277128619.0000000003350000.00000004.00000001.sdmp, anlq.exe, 00000009.00000003.296454332.0000000003490000.00000004.00000001.sdmp, anlq.exe, 00000009.00000003.291267046.0000000003300000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdbF source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.500151835.000000000070D000.00000004.00000020.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.507080103.0000000002924000.00000004.00000001.sdmp, 039846H0INVOICERECEIPT.exe, 00000001.00000002.507854463.0000000002A81000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.507080103.0000000002924000.00000004.00000001.sdmp, 039846H0INVOICERECEIPT.exe, 00000001.00000002.507854463.0000000002A81000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.507080103.0000000002924000.00000004.00000001.sdmp, 039846H0INVOICERECEIPT.exe, 00000001.00000002.507854463.0000000002A81000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.507080103.0000000002924000.00000004.00000001.sdmp, 039846H0INVOICERECEIPT.exe, 00000001.00000002.507854463.0000000002A81000.00000004.00000001.sdmp
Source: Binary string: System.pdb source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.504112483.0000000002587000.00000004.00000040.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.507080103.0000000002924000.00000004.00000001.sdmp, 039846H0INVOICERECEIPT.exe, 00000001.00000002.507854463.0000000002A81000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.504112483.0000000002587000.00000004.00000040.sdmp

Data Obfuscation:

Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Unpacked PE file: 11.2.anlq.exe.2650000.4.unpack
.NET source code contains potential unpacker
Source: 1.2.039846H0INVOICERECEIPT.exe.24e0000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.039846H0INVOICERECEIPT.exe.24e0000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.anlq.exe.22e0000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.anlq.exe.22e0000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.anlq.exe.2650000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.anlq.exe.2650000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Code function: 0_2_6F6F6FD2 pushfd ; iretd 0_2_6F6F6FD3
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Code function: 0_2_6F6F4E8F pushad ; retf 0000h 0_2_6F6F4E90
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Code function: 1_2_00401F16 push ecx; ret 1_2_00401F29
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Code function: 1_1_00401F16 push ecx; ret 1_1_00401F29
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 5_2_6FF36FD2 pushfd ; iretd 5_2_6FF36FD3
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 5_2_6FF34E8F pushad ; retf 0000h 5_2_6FF34E90
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 7_2_00401F16 push ecx; ret 7_2_00401F29
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 7_2_00932C95 push cs; ret 7_2_00932C9E
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 7_2_00932934 push esi; ret 7_2_0093293E
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 7_1_00401F16 push ecx; ret 7_1_00401F29
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE56FD2 pushfd ; iretd 9_2_6FE56FD3
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE54E8F pushad ; retf 0000h 9_2_6FE54E90
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_6FE5C231 pushfd ; retf 9_2_6FE5C232
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Code function: 0_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405DA3
Source: 1.2.039846H0INVOICERECEIPT.exe.24e0000.4.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 1.2.039846H0INVOICERECEIPT.exe.24e0000.4.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 7.2.anlq.exe.22e0000.4.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 7.2.anlq.exe.22e0000.4.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 11.2.anlq.exe.2650000.4.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 11.2.anlq.exe.2650000.4.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe File created: C:\Users\user\AppData\Local\Temp\nsa270.tmp\xhkkjvbj.dll
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe File created: C:\Users\user\AppData\Local\Temp\nsv59F7.tmp\xhkkjvbj.dll
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe File created: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe File created: C:\Users\user\AppData\Local\Temp\nsn3AA7.tmp\xhkkjvbj.dll
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run pvlmhsolms

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe File opened: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe TID: 5044 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe TID: 6112 Thread sleep time: -640000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe TID: 5852 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe TID: 6372 Thread sleep count: 42 > 30
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe TID: 6368 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe TID: 6336 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe TID: 6280 Thread sleep count: 38 > 30
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe TID: 1692 Thread sleep time: -922337203685477s >= -30000s
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Window / User API: threadDelayed 389
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Window / User API: foregroundWindowGot 953
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Code function: 0_2_00405D7C FindFirstFileA,FindClose, 0_2_00405D7C
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Code function: 0_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_004053AA
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Code function: 0_2_00402630 FindFirstFileA, 0_2_00402630
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Code function: 1_2_00404A29 FindFirstFileExW, 1_2_00404A29
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 7_2_00404A29 FindFirstFileExW, 7_2_00404A29
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 7_1_00404A29 FindFirstFileExW, 7_1_00404A29
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_00405D7C FindFirstFileA,FindClose, 9_2_00405D7C
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 9_2_004053AA
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_00402630 FindFirstFileA, 9_2_00402630
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe API call chain: ExitProcess graph end node
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000003.291641491.000000000070D000.00000004.00000001.sdmp, 039846H0INVOICERECEIPT.exe, 00000001.00000002.500151835.000000000070D000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll(!

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Code function: 1_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0040446F
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Code function: 0_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405DA3
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Code function: 1_2_004067FE GetProcessHeap, 1_2_004067FE
Enables debug privileges
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Code function: 0_2_0019E213 mov eax, dword ptr fs:[00000030h] 0_2_0019E213
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Code function: 0_2_0019E252 mov eax, dword ptr fs:[00000030h] 0_2_0019E252
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Code function: 0_2_0019E290 mov eax, dword ptr fs:[00000030h] 0_2_0019E290
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Code function: 0_2_0019DF4E mov eax, dword ptr fs:[00000030h] 0_2_0019DF4E
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Code function: 0_2_0019E162 mov eax, dword ptr fs:[00000030h] 0_2_0019E162
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Code function: 1_2_004035F1 mov eax, dword ptr fs:[00000030h] 1_2_004035F1
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Code function: 1_1_004035F1 mov eax, dword ptr fs:[00000030h] 1_1_004035F1
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 5_2_0019E213 mov eax, dword ptr fs:[00000030h] 5_2_0019E213
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 5_2_0019E252 mov eax, dword ptr fs:[00000030h] 5_2_0019E252
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 5_2_0019E290 mov eax, dword ptr fs:[00000030h] 5_2_0019E290
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 5_2_0019DF4E mov eax, dword ptr fs:[00000030h] 5_2_0019DF4E
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 5_2_0019E162 mov eax, dword ptr fs:[00000030h] 5_2_0019E162
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 7_2_004035F1 mov eax, dword ptr fs:[00000030h] 7_2_004035F1
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 7_1_004035F1 mov eax, dword ptr fs:[00000030h] 7_1_004035F1
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_0019E213 mov eax, dword ptr fs:[00000030h] 9_2_0019E213
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_0019E252 mov eax, dword ptr fs:[00000030h] 9_2_0019E252
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_0019E290 mov eax, dword ptr fs:[00000030h] 9_2_0019E290
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_0019DF4E mov eax, dword ptr fs:[00000030h] 9_2_0019DF4E
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 9_2_0019E162 mov eax, dword ptr fs:[00000030h] 9_2_0019E162
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Code function: 1_2_00401E1D SetUnhandledExceptionFilter, 1_2_00401E1D
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Code function: 1_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0040446F
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Code function: 1_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00401C88
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Code function: 1_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00401F30
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Code function: 1_1_00401E1D SetUnhandledExceptionFilter, 1_1_00401E1D
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 7_2_00401E1D SetUnhandledExceptionFilter, 7_2_00401E1D
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 7_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_0040446F
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 7_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_00401C88
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 7_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_00401F30
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 7_1_00401E1D SetUnhandledExceptionFilter, 7_1_00401E1D
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 7_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_1_0040446F
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 7_1_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_1_00401C88
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Code function: 7_1_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_1_00401F30

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Memory written: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Memory written: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Process created: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe "C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe"
Source: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe Process created: C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe "C:\Users\user\AppData\Roaming\ngneqippkv\anlq.exe"
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.500044885.0000000000700000.00000004.00000020.sdmp Binary or memory string: Program Manager/y
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.507080103.0000000002924000.00000004.00000001.sdmp Binary or memory string: Program Manager|9(r
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.508218861.0000000002B6B000.00000004.00000001.sdmp, 039846H0INVOICERECEIPT.exe, 00000001.00000002.508241086.0000000002B74000.00000004.00000001.sdmp, 039846H0INVOICERECEIPT.exe, 00000001.00000002.507762336.0000000002A43000.00000004.00000001.sdmp, 039846H0INVOICERECEIPT.exe, 00000001.00000002.508145898.0000000002B44000.00000004.00000001.sdmp, 039846H0INVOICERECEIPT.exe, 00000001.00000002.507737828.0000000002A39000.00000004.00000001.sdmp, 039846H0INVOICERECEIPT.exe, 00000001.00000002.507080103.0000000002924000.00000004.00000001.sdmp, 039846H0INVOICERECEIPT.exe, 00000001.00000002.507854463.0000000002A81000.00000004.00000001.sdmp, 039846H0INVOICERECEIPT.exe, 00000001.00000002.507838205.0000000002A77000.00000004.00000001.sdmp, 039846H0INVOICERECEIPT.exe, 00000001.00000002.507800619.0000000002A55000.00000004.00000001.sdmp, 039846H0INVOICERECEIPT.exe, 00000001.00000002.508190218.0000000002B61000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.501683342.0000000000E30000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.501683342.0000000000E30000.00000002.00020000.sdmp Binary or memory string: Progman
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.501683342.0000000000E30000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.508145898.0000000002B44000.00000004.00000001.sdmp Binary or memory string: Program Manager</(r
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.507838205.0000000002A77000.00000004.00000001.sdmp, 039846H0INVOICERECEIPT.exe, 00000001.00000002.507800619.0000000002A55000.00000004.00000001.sdmp Binary or memory string: Program Manager8
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.501683342.0000000000E30000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.501683342.0000000000E30000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Code function: 1_2_0040208D cpuid 1_2_0040208D
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Code function: 1_2_00401B74 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_00401B74
Source: C:\Users\user\Desktop\039846H0INVOICERECEIPT.exe Code function: 0_2_00405AA7 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA, 0_2_00405AA7

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Remote Access Functionality:

Detected Nanocore Rat
Source: 039846H0INVOICERECEIPT.exe, 00000000.00000002.249043381.00000000031A0000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: 039846H0INVOICERECEIPT.exe String found in binary or memory: NanoCore.ClientPluginHost
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.508293325.0000000003904000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000000.246308898.0000000000414000.00000040.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.503636006.00000000024E2000.00000040.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.507080103.0000000002924000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.498126981.0000000000400000.00000040.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.503483350.00000000024A0000.00000004.00020000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.508259878.00000000038D1000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.507854463.0000000002A81000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.507854463.0000000002A81000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.507854463.0000000002A81000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.507854463.0000000002A81000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.504358313.00000000028D1000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: 039846H0INVOICERECEIPT.exe, 00000001.00000002.504358313.00000000028D1000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: anlq.exe, 00000005.00000002.279178171.0000000003160000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: anlq.exe String found in binary or memory: NanoCore.ClientPluginHost
Source: anlq.exe, 00000007.00000002.292734330.000000000277E000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: anlq.exe, 00000007.00000002.292734330.000000000277E000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: anlq.exe, 00000007.00000000.275663964.0000000000414000.00000040.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: anlq.exe, 00000007.00000002.292594850.00000000022E2000.00000040.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: anlq.exe, 00000007.00000002.292082066.0000000000400000.00000040.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: anlq.exe, 00000007.00000002.292806006.0000000003771000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: anlq.exe, 00000007.00000001.277541562.0000000000400000.00000040.00020000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: anlq.exe, 00000007.00000002.292556739.00000000022A0000.00000004.00020000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: anlq.exe, 00000007.00000002.292893122.00000000037AA000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: anlq.exe, 00000007.00000002.292893122.00000000037AA000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: anlq.exe, 0000000B.00000000.294082200.0000000000414000.00000040.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: anlq.exe, 0000000B.00000002.313908924.0000000000400000.00000040.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: anlq.exe, 0000000B.00000002.314341475.0000000002610000.00000004.00020000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: anlq.exe, 0000000B.00000002.314490678.0000000002A5E000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: anlq.exe, 0000000B.00000002.314490678.0000000002A5E000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: anlq.exe, 0000000B.00000002.314375073.0000000002652000.00000040.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: anlq.exe, 0000000B.00000002.314547545.0000000003A8A000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: anlq.exe, 0000000B.00000002.314547545.0000000003A8A000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: anlq.exe, 0000000B.00000002.314517163.0000000003A51000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Yara detected Nanocore RAT
Source: Yara match File source: 0.2.039846H0INVOICERECEIPT.exe.31b1458.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.anlq.exe.3ad5495.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.039846H0INVOICERECEIPT.exe.31b1458.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.anlq.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.anlq.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.anlq.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.anlq.exe.6318c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.anlq.exe.3a53258.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.039846H0INVOICERECEIPT.exe.31a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.039846H0INVOICERECEIPT.exe.6837e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.039846H0INVOICERECEIPT.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.anlq.exe.415058.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.anlq.exe.22a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.anlq.exe.3ad0e6c.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.anlq.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.anlq.exe.415058.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.anlq.exe.3ad0e6c.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.anlq.exe.2481458.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.039846H0INVOICERECEIPT.exe.390a822.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.anlq.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.039846H0INVOICERECEIPT.exe.415058.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.anlq.exe.3a53258.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.anlq.exe.2470000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.anlq.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.anlq.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.039846H0INVOICERECEIPT.exe.415058.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.039846H0INVOICERECEIPT.exe.390f658.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.anlq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.anlq.exe.3acc036.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.039846H0INVOICERECEIPT.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.anlq.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.anlq.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.anlq.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.anlq.exe.2610000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.anlq.exe.37f0e6c.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.anlq.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.039846H0INVOICERECEIPT.exe.24e0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.anlq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.anlq.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.anlq.exe.415058.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.anlq.exe.3171458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.anlq.exe.518e30.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.039846H0INVOICERECEIPT.exe.24a0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.anlq.exe.415058.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.039846H0INVOICERECEIPT.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.039846H0INVOICERECEIPT.exe.396df79.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.039846H0INVOICERECEIPT.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.anlq.exe.22a0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.anlq.exe.3773258.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.anlq.exe.415058.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.anlq.exe.37f5495.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.anlq.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.anlq.exe.3160000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.anlq.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.anlq.exe.6318c8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.anlq.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.039846H0INVOICERECEIPT.exe.3969950.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.anlq.exe.22e0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.039846H0INVOICERECEIPT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.anlq.exe.37f0e6c.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.anlq.exe.37ec036.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.anlq.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.anlq.exe.415058.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.anlq.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.anlq.exe.3773258.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.anlq.exe.518e30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.039846H0INVOICERECEIPT.exe.3913c81.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.039846H0INVOICERECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.039846H0INVOICERECEIPT.exe.415058.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.039846H0INVOICERECEIPT.exe.415058.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.anlq.exe.2481458.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.anlq.exe.3171458.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.1.anlq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.039846H0INVOICERECEIPT.exe.31a0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.anlq.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.039846H0INVOICERECEIPT.exe.390f658.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.039846H0INVOICERECEIPT.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.anlq.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.039846H0INVOICERECEIPT.exe.3969950.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.039846H0INVOICERECEIPT.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.1.anlq.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.anlq.exe.415058.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.039846H0INVOICERECEIPT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.1.anlq.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.039846H0INVOICERECEIPT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.039846H0INVOICERECEIPT.exe.6837e8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.anlq.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.anlq.exe.3160000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.anlq.exe.2650000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.anlq.exe.415058.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.anlq.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.anlq.exe.2470000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.039846H0INVOICERECEIPT.exe.24a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.039846H0INVOICERECEIPT.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.anlq.exe.2610000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.anlq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.1.anlq.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.039846H0INVOICERECEIPT.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000000.294082200.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.508293325.0000000003904000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.275663964.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.313908924.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.314341475.0000000002610000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.314014470.0000000000504000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.292594850.00000000022E2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.292082066.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.292219672.0000000000624000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.246308898.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.292806006.0000000003771000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000001.277541562.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.508341763.0000000003962000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.503636006.00000000024E2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.314375073.0000000002652000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.296175339.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.292556739.00000000022A0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.498126981.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.498719213.0000000000675000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.276749512.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.503483350.00000000024A0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.314547545.0000000003A8A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.249043381.00000000031A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.292893122.00000000037AA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.244362493.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.297921153.0000000002470000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.314517163.0000000003A51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.279178171.0000000003160000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.504358313.00000000028D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 039846H0INVOICERECEIPT.exe PID: 5220, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 039846H0INVOICERECEIPT.exe PID: 4396, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: anlq.exe PID: 3224, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: anlq.exe PID: 6196, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: anlq.exe PID: 6392, type: MEMORYSTR