Loading ...

Play interactive tourEdit tour

Analysis Report SWIFT_TRANSFERCOPY9379737368379TRVLABORTEDHERMAICHYSTERO.exe

Overview

General Information

Sample Name:SWIFT_TRANSFERCOPY9379737368379TRVLABORTEDHERMAICHYSTERO.exe
MD5:b1917430655c9911618b21a70d0a5c94
SHA1:fe6743ce83d11fab3daf8d5d2284083447f69b3b
SHA256:ccce552fcfd985afb778d4b06b697938d133b18ce005a7541976fa12c8a996f8

Most interesting Screenshot:

Detection

Nanocore GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential malicious icon found
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected GuLoader
Yara detected Nanocore RAT
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Tries to detect virtualization through RDTSC time measurements
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • SWIFT_TRANSFERCOPY9379737368379TRVLABORTEDHERMAICHYSTERO.exe (PID: 3588 cmdline: 'C:\Users\user\Desktop\SWIFT_TRANSFERCOPY9379737368379TRVLABORTEDHERMAICHYSTERO.exe' MD5: B1917430655C9911618B21A70D0A5C94)
    • RegAsm.exe (PID: 920 cmdline: 'C:\Users\user\Desktop\SWIFT_TRANSFERCOPY9379737368379TRVLABORTEDHERMAICHYSTERO.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
      • conhost.exe (PID: 4956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 5028 cmdline: 'schtasks.exe' /create /f /tn 'WPA Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp1436.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 4284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 4860 cmdline: 'schtasks.exe' /create /f /tn 'WPA Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp1689.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 4056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • RegAsm.exe (PID: 4704 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 0 MD5: 529695608EAFBED00ACA9E61EF333A7C)
    • conhost.exe (PID: 4208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • conhost.exe (PID: 5092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • wpasv.exe (PID: 2532 cmdline: 'C:\Program Files (x86)\WPA Service\wpasv.exe' 0 MD5: 529695608EAFBED00ACA9E61EF333A7C)
    • conhost.exe (PID: 4908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • Complexifyhalakistafladsbr.exe (PID: 3064 cmdline: 'C:\Users\user\commercializesautochthoni\Complexifyhalakistafladsbr.exe' MD5: B1917430655C9911618B21A70D0A5C94)
    • RegAsm.exe (PID: 4016 cmdline: 'C:\Users\user\commercializesautochthoni\Complexifyhalakistafladsbr.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
    • RegAsm.exe (PID: 4208 cmdline: 'C:\Users\user\commercializesautochthoni\Complexifyhalakistafladsbr.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
  • wpasv.exe (PID: 2600 cmdline: 'C:\Program Files (x86)\WPA Service\wpasv.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
    • conhost.exe (PID: 3360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • Complexifyhalakistafladsbr.exe (PID: 2620 cmdline: 'C:\Users\user\commercializesautochthoni\Complexifyhalakistafladsbr.exe' MD5: B1917430655C9911618B21A70D0A5C94)
    • RegAsm.exe (PID: 5116 cmdline: 'C:\Users\user\commercializesautochthoni\Complexifyhalakistafladsbr.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
    • RegAsm.exe (PID: 3736 cmdline: 'C:\Users\user\commercializesautochthoni\Complexifyhalakistafladsbr.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
      • conhost.exe (PID: 4824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["172.217.22.78"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000002.00000002.1214584763.000000001EDE0000.00000004.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0x39eb:$x1: NanoCore.ClientPluginHost
  • 0x3a24:$x2: IClientNetworkHost
00000002.00000002.1214584763.000000001EDE0000.00000004.00000001.sdmpNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
  • 0x39eb:$x2: NanoCore.ClientPluginHost
  • 0x3b36:$s4: PipeCreated
  • 0x3a05:$s5: IClientLoggingHost
00000012.00000002.1146276639.0000000000BC0000.00000040.00000001.sdmpJoeSecurity_GuLoaderYara detected GuLoaderJoe Security
    00000015.00000002.1212528370.000000001F770000.00000004.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
      00000015.00000002.1212528370.000000001F770000.00000004.00000001.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
      • 0x24a47:$a: NanoCore
      • 0x24aa0:$a: NanoCore
      • 0x24add:$a: NanoCore
      • 0x24b56:$a: NanoCore
      • 0x24aa9:$b: ClientPlugin
      • 0x24ae6:$b: ClientPlugin
      • 0x253e4:$b: ClientPlugin
      • 0x253f1:$b: ClientPlugin
      • 0x1c7d6:$e: KeepAlive
      • 0x24f31:$g: LogClientMessage
      • 0x24eb1:$i: get_Connected
      • 0x16a79:$j: #=q
      • 0x16aa9:$j: #=q
      • 0x16ae5:$j: #=q
      • 0x16b0d:$j: #=q
      • 0x16b3d:$j: #=q
      • 0x16b6d:$j: #=q
      • 0x16b9d:$j: #=q
      • 0x16bcd:$j: #=q
      • 0x16be9:$j: #=q
      • 0x16c19:$j: #=q
      Click to see the 47 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      2.2.RegAsm.exe.1ee20000.15.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
      • 0x170b:$x1: NanoCore.ClientPluginHost
      • 0x1725:$x2: IClientNetworkHost
      2.2.RegAsm.exe.1ee20000.15.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
      • 0x170b:$x2: NanoCore.ClientPluginHost
      • 0x34b6:$s4: PipeCreated
      • 0x16f8:$s5: IClientLoggingHost
      2.2.RegAsm.exe.10e0000.5.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
      • 0x16e3:$x1: NanoCore.ClientPluginHost
      • 0x171c:$x2: IClientNetworkHost
      2.2.RegAsm.exe.10e0000.5.raw.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
      • 0x16e3:$x2: NanoCore.ClientPluginHost
      • 0x1800:$s4: PipeCreated
      • 0x16fd:$s5: IClientLoggingHost
      2.2.RegAsm.exe.1ee00000.14.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
      • 0x3d99:$x1: NanoCore.ClientPluginHost
      • 0x3db3:$x2: IClientNetworkHost
      Click to see the 47 entries

      Sigma Overview


      System Summary:

      barindex
      Sigma detected: NanoCoreShow sources
      Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, ProcessId: 920, TargetFilename: C:\Users\user\AppData\Roaming\59407D34-C8C5-44DF-A766-BA8A11CB1CB0\run.dat
      Sigma detected: Scheduled temp file as task from temp locationShow sources
      Source: Process startedAuthor: Joe Security: Data: Command: 'schtasks.exe' /create /f /tn 'WPA Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp1436.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'WPA Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp1436.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\SWIFT_TRANSFERCOPY9379737368379TRVLABORTEDHERMAICHYSTERO.exe' , ParentImage: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, ParentProcessId: 920, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'WPA Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp1436.tmp', ProcessId: 5028

      Signature Overview

      Click to jump to signature section

      Show All Signature Results

      AV Detection:

      barindex
      Found malware configurationShow sources
      Source: RegAsm.exe.4208.18.memstrMalware Configuration Extractor: NanoCore {"C2: ": ["172.217.22.78"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
      Multi AV Scanner detection for domain / URLShow sources
      Source: earthtradeint.duckdns.orgVirustotal: Detection: 8%Perma Link
      Source: earthtradeint.theworkpc.comVirustotal: Detection: 18%Perma Link
      Multi AV Scanner detection for dropped fileShow sources
      Source: C:\Users\user\commercializesautochthoni\Complexifyhalakistafladsbr.exeVirustotal: Detection: 13%Perma Link
      Multi AV Scanner detection for submitted fileShow sources
      Source: SWIFT_TRANSFERCOPY9379737368379TRVLABORTEDHERMAICHYSTERO.exeVirustotal: Detection: 13%Perma Link
      Yara detected Nanocore RATShow sources
      Source: Yara matchFile source: 00000015.00000002.1212528370.000000001F770000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000012.00000002.1154177330.00000000209F0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.1212142372.0000000000B80000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.1218693426.0000000020D87000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000012.00000002.1154122755.000000001F9F0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000015.00000002.1212655450.0000000020770000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 4208, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 3736, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 920, type: MEMORY
      Source: Yara matchFile source: 2.2.RegAsm.exe.b80000.1.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.RegAsm.exe.b80000.1.unpack, type: UNPACKEDPE

      Networking:

      barindex
      Uses dynamic DNS servicesShow sources
      Source: unknownDNS query: name: earthtradeint.duckdns.org
      Source: global trafficTCP traffic: 192.168.2.5:49752 -> 23.105.131.240:53488
      Source: global trafficTCP traffic: 192.168.2.5:49756 -> 216.38.2.213:53488
      Source: Joe Sandbox ViewIP Address: 172.217.23.97 172.217.23.97
      Source: Joe Sandbox ViewASN Name: unknown unknown
      Source: Joe Sandbox ViewASN Name: unknown unknown
      Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_21FF3612 WSARecv,
      Source: unknownDNS traffic detected: queries for: doc-0s-50-docs.googleusercontent.com
      Source: RegAsm.exe, 00000002.00000003.970180445.00000000012E0000.00000004.00000001.sdmp, RegAsm.exe, 00000012.00000002.1147223957.0000000000EF0000.00000004.00000020.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
      Source: RegAsm.exe, 00000002.00000003.970180445.00000000012E0000.00000004.00000001.sdmp, RegAsm.exe, 00000012.00000002.1147832172.0000000000F94000.00000004.00000020.sdmpString found in binary or memory: http://crl.pki.goog/GTS1O1.crl0
      Source: RegAsm.exe, 00000002.00000003.970180445.00000000012E0000.00000004.00000001.sdmp, RegAsm.exe, 00000012.00000002.1147832172.0000000000F94000.00000004.00000020.sdmpString found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
      Source: RegAsm.exe, 00000002.00000002.1216608303.000000001FD94000.00000004.00000001.sdmpString found in binary or memory: http://google.com
      Source: RegAsm.exe, 00000002.00000003.970180445.00000000012E0000.00000004.00000001.sdmp, RegAsm.exe, 00000012.00000002.1147832172.0000000000F94000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.pki.goog/gsr202
      Source: RegAsm.exe, 00000002.00000003.970180445.00000000012E0000.00000004.00000001.sdmp, RegAsm.exe, 00000012.00000002.1147832172.0000000000F94000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.pki.goog/gts1o10
      Source: RegAsm.exe, 00000002.00000003.970180445.00000000012E0000.00000004.00000001.sdmp, RegAsm.exe, 00000012.00000002.1147832172.0000000000F94000.00000004.00000020.sdmpString found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
      Source: RegAsm.exe, 00000002.00000003.970114814.00000000012B1000.00000004.00000001.sdmp, RegAsm.exe, 00000012.00000002.1147223957.0000000000EF0000.00000004.00000020.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
      Source: RegAsm.exe, 00000002.00000003.970180445.00000000012E0000.00000004.00000001.sdmpString found in binary or memory: https://doc-0s-50-docs.googleusercontent.com/
      Source: RegAsm.exe, 00000002.00000003.970114814.00000000012B1000.00000004.00000001.sdmpString found in binary or memory: https://doc-0s-50-docs.googleusercontent.com/7
      Source: RegAsm.exe, 00000002.00000003.970180445.00000000012E0000.00000004.00000001.sdmp, RegAsm.exe, 00000002.00000003.970114814.00000000012B1000.00000004.00000001.sdmpString found in binary or memory: https://doc-0s-50-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/p5rub1r0
      Source: RegAsm.exe, 00000012.00000002.1147223957.0000000000EF0000.00000004.00000020.sdmpString found in binary or memory: https://doc-10-1s-docs.googleusercontent.co
      Source: RegAsm.exe, 00000012.00000002.1147223957.0000000000EF0000.00000004.00000020.sdmpString found in binary or memory: https://doc-10-1s-docs.googleusercontent.com/
      Source: RegAsm.exe, 00000012.00000002.1147223957.0000000000EF0000.00000004.00000020.sdmpString found in binary or memory: https://doc-10-1s-docs.googleusercontent.com/.
      Source: RegAsm.exe, 00000012.00000002.1147223957.0000000000EF0000.00000004.00000020.sdmpString found in binary or memory: https://doc-10-1s-docs.googleusercontent.com/biYh0Zi74qPl65cvTni6jCGdacaqXayF5RMwZ8fPj-Ca-ei_xN3HWGp
      Source: RegAsm.exe, 00000012.00000002.1147737276.0000000000F7D000.00000004.00000020.sdmp, RegAsm.exe, 00000012.00000002.1147223957.0000000000EF0000.00000004.00000020.sdmpString found in binary or memory: https://doc-10-1s-docs.googleusercontent.com/docs/securesc/4qm4hu5jgk58a23dt2h2dqgte4hcmvrj/4u526l9o
      Source: RegAsm.exe, 00000012.00000002.1147223957.0000000000EF0000.00000004.00000020.sdmpString found in binary or memory: https://docs.google.com/
      Source: RegAsm.exe, 00000012.00000002.1147223957.0000000000EF0000.00000004.00000020.sdmpString found in binary or memory: https://docs.google.com/nonceSigner?nonce=g6iv5q7rcmsdm&continue=https://doc-10-1s-docs.googleuserco
      Source: RegAsm.exe, 00000002.00000002.1213110409.0000000001270000.00000004.00000020.sdmp, RegAsm.exe, 00000012.00000002.1147223957.0000000000EF0000.00000004.00000020.sdmpString found in binary or memory: https://drive.google.com/
      Source: RegAsm.exe, 00000002.00000002.1212495804.0000000000F00000.00000040.00000001.sdmp, RegAsm.exe, 00000012.00000002.1146276639.0000000000BC0000.00000040.00000001.sdmp, RegAsm.exe, 00000015.00000002.1208178726.0000000000980000.00000040.00000001.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1Qj9DFF7ZxFPuLewUCJ-IeiklNfqzT_yd
      Source: RegAsm.exe, 00000002.00000002.1213110409.0000000001270000.00000004.00000020.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1Qj9DFF7ZxFPuLewUCJ-IeiklNfqzT_ydD
      Source: RegAsm.exe, 00000012.00000002.1147223957.0000000000EF0000.00000004.00000020.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1Qj9DFF7ZxFPuLewUCJ-IeiklNfqzT_ydt
      Source: RegAsm.exe, 00000012.00000002.1147223957.0000000000EF0000.00000004.00000020.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1Qj9DFF7ZxFPuLewUCJ-IeiklNfqzT_yd~z
      Source: RegAsm.exe, 00000002.00000003.970180445.00000000012E0000.00000004.00000001.sdmp, RegAsm.exe, 00000012.00000002.1147832172.0000000000F94000.00000004.00000020.sdmpString found in binary or memory: https://pki.goog/repository/0
      Source: unknownNetwork traffic detected: HTTP traffic on port 49758 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49763
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49751
      Source: unknownNetwork traffic detected: HTTP traffic on port 49763 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49751 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49758

      Source: wpasv.exe, 0000000B.00000002.884760824.0000000000C90000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
      Source: RegAsm.exe, 00000002.00000002.1212142372.0000000000B80000.00000004.00000001.sdmpBinary or memory string: RegisterRawInputDevices

      E-Banking Fraud:

      barindex
      Yara detected Nanocore RATShow sources
      Source: Yara matchFile source: 00000015.00000002.1212528370.000000001F770000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000012.00000002.1154177330.00000000209F0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.1212142372.0000000000B80000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.1218693426.0000000020D87000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000012.00000002.1154122755.000000001F9F0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000015.00000002.1212655450.0000000020770000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 4208, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 3736, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 920, type: MEMORY
      Source: Yara matchFile source: 2.2.RegAsm.exe.b80000.1.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.RegAsm.exe.b80000.1.unpack, type: UNPACKEDPE

      System Summary:

      barindex
      Malicious sample detected (through community Yara rule)Show sources
      Source: 00000002.00000002.1214584763.000000001EDE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000015.00000002.1212528370.000000001F770000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000002.1214800432.000000001EE60000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000002.00000002.1212777513.00000000010D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000002.00000002.1214716983.000000001EE30000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000012.00000002.1154177330.00000000209F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000002.1214498145.000000001EDB0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000002.00000002.1212803422.00000000010E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000002.00000002.1212142372.0000000000B80000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000002.00000002.1214548298.000000001EDD0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000012.00000002.1154122755.000000001F9F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000002.1216608303.000000001FD94000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000002.1212079867.0000000000B60000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000002.00000002.1214623740.000000001EE00000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000002.00000002.1214438999.000000001ED90000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000015.00000002.1212655450.0000000020770000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000002.1214688733.000000001EE20000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000002.00000002.1214525067.000000001EDC0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000002.00000002.1214379709.000000001ED70000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000002.00000003.1160351876.0000000021179000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: RegAsm.exe PID: 4208, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: RegAsm.exe PID: 3736, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: RegAsm.exe PID: 920, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.RegAsm.exe.1ee20000.15.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.RegAsm.exe.10e0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.RegAsm.exe.1ee00000.14.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.RegAsm.exe.b60000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.RegAsm.exe.1edc0000.11.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.RegAsm.exe.1edd0000.12.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.RegAsm.exe.1ede0000.13.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.RegAsm.exe.1ee60000.17.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.RegAsm.exe.1ee20000.15.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.RegAsm.exe.1edd0000.12.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.RegAsm.exe.1ed90000.9.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.RegAsm.exe.1ed90000.9.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.RegAsm.exe.1edb0000.10.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.RegAsm.exe.1ede0000.13.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.RegAsm.exe.1ee00000.14.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.RegAsm.exe.1ee60000.17.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.RegAsm.exe.1edb0000.10.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.RegAsm.exe.10d0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.RegAsm.exe.1ee30000.16.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.RegAsm.exe.10d0000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.RegAsm.exe.b80000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.RegAsm.exe.b80000.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.RegAsm.exe.1ed70000.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.RegAsm.exe.1ed70000.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.RegAsm.exe.1ee30000.16.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Potential malicious icon foundShow sources
      Source: initial sampleIcon embedded in PE file: bad icon match: 20047c7c70f0e004
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess Stats: CPU usage > 98%
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00F0081F EnumWindows,NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00F08EBE NtProtectVirtualMemory,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00F09398 NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00F094ED NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00F008DD NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00F008DF NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00F094AE NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00F0947F NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00F09449 NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00F0982F NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00F09412 NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00F09800 NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00F095FA NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00F009DC NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00F095C6 NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00F0099C NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00F0958C NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00F09557 NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00F0095F NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00F00923 NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00F0951D NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00F096F5 NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00F08EBC NtProtectVirtualMemory,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00F0969D NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00F00A55 NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00F0965A NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00F09629 NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00F00A0D NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00F093DF NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00F093B3 NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00F097BC NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00F0978A NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00F09756 NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_00F09724 NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_21FF1BB2 NtQuerySystemInformation,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_21FF1B77 NtQuerySystemInformation,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_00BC081F EnumWindows,NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_00BC8EBE NtProtectVirtualMemory,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_00BC9398 NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_00BC94AE NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_00BC94ED NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_00BC08DD NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_00BC08DF NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_00BC982F NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_00BC9412 NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_00BC9800 NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_00BC947F NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_00BC9449 NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_00BC099C NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_00BC958C NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_00BC95FA NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_00BC09DC NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_00BC95C6 NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_00BC0923 NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_00BC951D NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_00BC095F NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_00BC9557 NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_00BC8EBC NtProtectVirtualMemory,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_00BC969D NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_00BC96F5 NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_00BC9629 NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_00BC0A0D NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_00BC965A NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_00BC0A55 NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_00BC97BC NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_00BC93B3 NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_00BC978A NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_00BC93DF NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_00BC9724 NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_00BC9756 NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 21_2_0098081F EnumWindows,NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 21_2_00988EBE NtProtectVirtualMemory,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 21_2_00989398 NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 21_2_009894AE NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 21_2_009808DD NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 21_2_009808DF NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 21_2_009894ED NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 21_2_00989412 NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 21_2_00989800 NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 21_2_0098982F NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 21_2_00989449 NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 21_2_0098947F NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 21_2_0098099C NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 21_2_0098958C NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 21_2_009809DC NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 21_2_009895C6 NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 21_2_009895FA NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 21_2_0098951D NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 21_2_00980923 NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 21_2_0098095F NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 21_2_00989557 NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 21_2_0098969D NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 21_2_00988EBC NtProtectVirtualMemory,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 21_2_009896F5 NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 21_2_00980A0D NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 21_2_00989629 NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 21_2_0098965A NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 21_2_00980A55 NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 21_2_0098978A NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 21_2_009897BC NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 21_2_009893B3 NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 21_2_009893DF NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 21_2_00989724 NtSetInformationThread,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 21_2_00989756 NtSetInformationThread,
      Source: C:\Users\user\Desktop\SWIFT_TRANSFERCOPY9379737368379TRVLABORTEDHERMAICHYSTERO.exeCode function: 0_2_0040D56C
      Source: C:\Users\user\Desktop\SWIFT_TRANSFERCOPY9379737368379TRVLABORTEDHERMAICHYSTERO.exeCode function: 0_2_004015F4
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_1FAF2BFA
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_1FB07AC6
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_1FC223A0
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_1FC22FA8
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_1FC2B2A8
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_1FC289D8
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_1FC29E80
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_1FC2969F
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_1FC295D8
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_1FC23850
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_1FC2306F
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 9_2_01FD01C8
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_21BB2FA8
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_21BB23A0
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_21BB306F
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_21BB3850
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 21_2_219723A0
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 21_2_21972FA8
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 21_2_21973850
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 21_2_2197306F
      Source: SWIFT_TRANSFERCOPY9379737368379TRVLABORTEDHERMAICHYSTERO.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: Complexifyhalakistafladsbr.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: SWIFT_TRANSFERCOPY9379737368379TRVLABORTEDHERMAICHYSTERO.exe, 00000000.00000000.785330158.000000000042E000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameTRVLABORTEDHERMAICHYSTERO.exe vs SWIFT_TRANSFERCOPY9379737368379TRVLABORTEDHERMAICHYSTERO.exe
      Source: SWIFT_TRANSFERCOPY9379737368379TRVLABORTEDHERMAICHYSTERO.exe, 00000000.00000002.884064263.0000000002A70000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameTRVLABORTEDHERMAICHYSTERO.exeFE2XTassive wallTassive wall vs SWIFT_TRANSFERCOPY9379737368379TRVLABORTEDHERMAICHYSTERO.exe
      Source: SWIFT_TRANSFERCOPY9379737368379TRVLABORTEDHERMAICHYSTERO.exeBinary or memory string: OriginalFilenameTRVLABORTEDHERMAICHYSTERO.exe vs SWIFT_TRANSFERCOPY9379737368379TRVLABORTEDHERMAICHYSTERO.exe
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: sfc.dll
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: sfc.dll
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: sfc.dll
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: sfc.dll
      Source: 00000002.00000002.1214584763.000000001EDE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000002.00000002.1214584763.000000001EDE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000015.00000002.1212528370.000000001F770000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000002.1214800432.000000001EE60000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000002.00000002.1214800432.000000001EE60000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000002.00000002.1212777513.00000000010D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000002.00000002.1212777513.00000000010D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000002.00000002.1214716983.000000001EE30000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000002.00000002.1214716983.000000001EE30000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000012.00000002.1154177330.00000000209F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000002.1214498145.000000001EDB0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000002.00000002.1214498145.000000001EDB0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000002.00000002.1212803422.00000000010E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000002.00000002.1212803422.00000000010E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000002.00000002.1212142372.0000000000B80000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000002.00000002.1212142372.0000000000B80000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000002.00000002.1214548298.000000001EDD0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000002.00000002.1214548298.000000001EDD0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000012.00000002.1154122755.000000001F9F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000002.1216608303.000000001FD94000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000002.1212079867.0000000000B60000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000002.00000002.1212079867.0000000000B60000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000002.00000002.1214623740.000000001EE00000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000002.00000002.1214623740.000000001EE00000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000002.00000002.1214438999.000000001ED90000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000002.00000002.1214438999.000000001ED90000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000015.00000002.1212655450.0000000020770000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000002.1214688733.000000001EE20000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000002.00000002.1214688733.000000001EE20000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000002.00000002.1214525067.000000001EDC0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000002.00000002.1214525067.000000001EDC0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000002.00000002.1214379709.000000001ED70000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000002.00000002.1214379709.000000001ED70000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000002.00000003.1160351876.0000000021179000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: RegAsm.exe PID: 4208, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: RegAsm.exe PID: 3736, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: RegAsm.exe PID: 920, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.RegAsm.exe.1ee20000.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.RegAsm.exe.1ee20000.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.RegAsm.exe.10e0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.RegAsm.exe.10e0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.RegAsm.exe.1ee00000.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.RegAsm.exe.1ee00000.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.RegAsm.exe.b60000.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.RegAsm.exe.b60000.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.RegAsm.exe.1edc0000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.RegAsm.exe.1edc0000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.RegAsm.exe.1edd0000.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.RegAsm.exe.1edd0000.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.RegAsm.exe.1ede0000.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.RegAsm.exe.1ede0000.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.RegAsm.exe.1ee60000.17.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.RegAsm.exe.1ee60000.17.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.RegAsm.exe.1ee20000.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.RegAsm.exe.1ee20000.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.RegAsm.exe.1edd0000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.RegAsm.exe.1edd0000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.RegAsm.exe.1ed90000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.RegAsm.exe.1ed90000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.RegAsm.exe.1ed90000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.RegAsm.exe.1ed90000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.RegAsm.exe.1edb0000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.RegAsm.exe.1edb0000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.RegAsm.exe.1ede0000.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.RegAsm.exe.1ede0000.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.RegAsm.exe.1ee00000.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.RegAsm.exe.1ee00000.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.RegAsm.exe.1ee60000.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.RegAsm.exe.1ee60000.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.RegAsm.exe.1edb0000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.RegAsm.exe.1edb0000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.RegAsm.exe.10d0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.RegAsm.exe.10d0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.RegAsm.exe.1ee30000.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.RegAsm.exe.1ee30000.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.RegAsm.exe.10d0000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.RegAsm.exe.10d0000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.RegAsm.exe.b80000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.RegAsm.exe.b80000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.RegAsm.exe.b80000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.RegAsm.exe.b80000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.RegAsm.exe.1ed70000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.RegAsm.exe.1ed70000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.RegAsm.exe.1ed70000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.RegAsm.exe.1ed70000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.RegAsm.exe.1ee30000.16.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.RegAsm.exe.1ee30000.16.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: classification engineClassification label: mal100.rans.troj.evad.winEXE@28/15@9/3
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_21FF1972 AdjustTokenPrivileges,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 2_2_21FF193B AdjustTokenPrivileges,
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile created: C:\Program Files (x86)\WPA ServiceJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile created: C:\Users\user\commercializesautochthoniJump to behavior
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4284:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3360:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4056:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4956:120:WilError_01
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4908:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5092:120:WilError_01
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{12914c67-748c-4941-871e-4d7a6023c53b}
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4824:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4208:120:WilError_01
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile created: C:\Users\user\AppData\Local\Temp\tmp1436.tmpJump to behavior
      Source: SWIFT_TRANSFERCOPY9379737368379TRVLABORTEDHERMAICHYSTERO.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\SWIFT_TRANSFERCOPY9379737368379TRVLABORTEDHERMAICHYSTERO.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
      Source: C:\Users\user\commercializesautochthoni\Complexifyhalakistafladsbr.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
      Source: C:\Users\user\commercializesautochthoni\Complexifyhalakistafladsbr.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
      Source: C:\Program Files (x86)\WPA Service\wpasv.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
      Source: C:\Program Files (x86)\WPA Service\wpasv.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
      Source: C:\Program Files (x86)\WPA Service\wpasv.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
      Source: C:\Program Files (x86)\WPA Service\wpasv.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
      Source: C:\Program Files (x86)\WPA Service\wpasv.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
      Source: C:\Program Files (x86)\WPA Service\wpasv.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\SWIFT_TRANSFERCOPY9379737368379TRVLABORTEDHERMAICHYSTERO.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hosts
      Source: SWIFT_TRANSFERCOPY9379737368379TRVLABORTEDHERMAICHYSTERO.exeVirustotal: Detection: 13%
      Source: unknownProcess created: C:\Users\user\Desktop\SWIFT_TRANSFERCOPY9379737368379TRVLABORTEDHERMAICHYSTERO.exe 'C:\Users\user\Desktop\SWIFT_TRANSFERCOPY9379737368379TRVLABORTEDHERMAICHYSTERO.exe'
      Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\SWIFT_TRANSFERCOPY9379737368379TRVLABORTEDHERMAICHYSTERO.exe'
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'WPA Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp1436.tmp'
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'WPA Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp1689.tmp'
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 0
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Program Files (x86)\WPA Service\wpasv.exe 'C:\Program Files (x86)\WPA Service\wpasv.exe' 0
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Users\user\commercializesautochthoni\Complexifyhalakistafladsbr.exe 'C:\Users\user\commercializesautochthoni\Complexifyhalakistafladsbr.exe'
      Source: unknownProcess created: C:\Program Files (x86)\WPA Service\wpasv.exe 'C:\Program Files (x86)\WPA Service\wpasv.exe'
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Users\user\commercializesautochthoni\Complexifyhalakistafladsbr.exe 'C:\Users\user\commercializesautochthoni\Complexifyhalakistafladsbr.exe'
      Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\commercializesautochthoni\Complexifyhalakistafladsbr.exe'
      Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\commercializesautochthoni\Complexifyhalakistafladsbr.exe'
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\commercializesautochthoni\Complexifyhalakistafladsbr.exe'
      Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\commercializesautochthoni\Complexifyhalakistafladsbr.exe'
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\SWIFT_TRANSFERCOPY9379737368379TRVLABORTEDHERMAICHYSTERO.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\SWIFT_TRANSFERCOPY9379737368379TRVLABORTEDHERMAICHYSTERO.exe'
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'WPA Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp1436.tmp'
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'WPA Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp1689.tmp'
      Source: C:\Users\user\commercializesautochthoni\Complexifyhalakistafladsbr.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\commercializesautochthoni\Complexifyhalakistafladsbr.exe'
      Source: C:\Users\user\commercializesautochthoni\Complexifyhalakistafladsbr.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\commercializesautochthoni\Complexifyhalakistafladsbr.exe'
      Source: C:\Users\user\commercializesautochthoni\Complexifyhalakistafladsbr.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\commercializesautochthoni\Complexifyhalakistafladsbr.exe'
      Source: C:\Users\user\commercializesautochthoni\Complexifyhalakistafladsbr.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\commercializesautochthoni\Complexifyhalakistafladsbr.exe'
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
      Source: Binary string: C:\Windows\exe\RegAsm.pdb source: RegAsm.exe, 00000002.00000002.1216441232.000000001FC30000.00000004.00000040.sdmp
      Source: Binary string: C:\Windows\symbols\exe\RegAsm.pdb source: RegAsm.exe, 00000002.00000002.1216441232.000000001FC30000.00000004.00000040.sdmp
      Source: Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.pdb source: RegAsm.exe, 00000002.00000002.1216441232.000000001FC30000.00000004.00000040.sdmp
      Source: Binary string: RegAsm.pdb source: wpasv.exe, wpasv.exe.2.dr
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: RegAsm.exe, 00000002.00000002.1216608303.000000001FD94000.00000004.00000001.sdmp
      Source: Binary string: indows\RegAsm.pdbpdbAsm.pdb source: RegAsm.exe, 00000002.00000002.1216441232.000000001FC30000.00000004.00000040.sdmp
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: RegAsm.exe, 00000002.00000002.1214584763.000000001EDE0000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegAsm.exe, 00000002.00000002.1216608303.000000001FD94000.00000004.00000001.sdmp
      Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: RegAsm.exe, 00000002.00000002.1216608303.000000001FD94000.00000004.00000001.sdmp
      Source: Binary string: C:\Windows\Re