
Analysis Report New-OrderContract03939380397803893098983astrofysikerensorganis.exe

Overview

General Information

Sample Name:New-OrderContract03939380397803893098983astrofysikerensorganis.exe
MD5:ccb19a7188b7d6b75f8966b41f9fadad
SHA1:2f99b8a88fcbba3c6e3fef047ade77d0e80537fc
SHA256:2277b0cb81fa6b6e3c600e60d1cd3b7e819e59d6a71237272070b61ce87d7e11

Most interesting Screenshot:

Detection

Nanocore GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential malicious icon found
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected GuLoader
Yara detected Nanocore RAT
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Tries to detect virtualization through RDTSC time measurements
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Domain name seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • New-OrderContract03939380397803893098983astrofysikerensorganis.exe (PID: 4080 cmdline: 'C:\Users\user\Desktop\New-OrderContract03939380397803893098983astrofysikerensorganis.exe' MD5: CCB19A7188B7D6B75F8966B41F9FADAD)
    • RegAsm.exe (PID: 5796 cmdline: 'C:\Users\user\Desktop\New-OrderContract03939380397803893098983astrofysikerensorganis.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
      • conhost.exe (PID: 6048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 1348 cmdline: 'schtasks.exe' /create /f /tn 'WPA Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp22E9.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 4316 cmdline: 'schtasks.exe' /create /f /tn 'WPA Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp24B0.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • RegAsm.exe (PID: 2444 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 0 MD5: 529695608EAFBED00ACA9E61EF333A7C)
    • conhost.exe (PID: 3052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • wpasv.exe (PID: 4936 cmdline: 'C:\Program Files (x86)\WPA Service\wpasv.exe' 0 MD5: 529695608EAFBED00ACA9E61EF333A7C)
    • conhost.exe (PID: 3064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • Clubhaulspunchayetj2.exe (PID: 6040 cmdline: 'C:\Users\user\Bhersbelbsfelternelstr\Clubhaulspunchayetj2.exe' MD5: CCB19A7188B7D6B75F8966B41F9FADAD)
    • RegAsm.exe (PID: 5464 cmdline: 'C:\Users\user\Bhersbelbsfelternelstr\Clubhaulspunchayetj2.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
      • conhost.exe (PID: 4536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • wpasv.exe (PID: 5168 cmdline: 'C:\Program Files (x86)\WPA Service\wpasv.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
    • conhost.exe (PID: 2852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • Clubhaulspunchayetj2.exe (PID: 3496 cmdline: 'C:\Users\user\Bhersbelbsfelternelstr\Clubhaulspunchayetj2.exe' MD5: CCB19A7188B7D6B75F8966B41F9FADAD)
    • RegAsm.exe (PID: 4444 cmdline: 'C:\Users\user\Bhersbelbsfelternelstr\Clubhaulspunchayetj2.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
    • RegAsm.exe (PID: 4340 cmdline: 'C:\Users\user\Bhersbelbsfelternelstr\Clubhaulspunchayetj2.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
    • RegAsm.exe (PID: 6060 cmdline: 'C:\Users\user\Bhersbelbsfelternelstr\Clubhaulspunchayetj2.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
      • conhost.exe (PID: 5232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["311.10.3.46:09", "255.255.255.255", "23.105.131.240", "172.217.23.97"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.1478995088.0000000000F00000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
00000010.00000002.1468608171.0000000000E00000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
00000002.00000002.1488436912.0000000022810000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth |
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
00000002.00000002.1488436912.0000000022810000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth |
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
00000002.00000002.1488436912.0000000022810000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security |
(14 entries in total; the remaining entries are not shown here)

Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.RegAsm.exe.22570000.5.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth |
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
2.2.RegAsm.exe.22570000.5.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth |
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
2.2.RegAsm.exe.22810000.6.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth |
  • 0xd9ad:$x1: NanoCore.ClientPluginHost
  • 0xd9da:$x2: IClientNetworkHost
2.2.RegAsm.exe.22810000.6.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth |
  • 0xd9ad:$x2: NanoCore.ClientPluginHost
  • 0xea88:$s4: PipeCreated
  • 0xd9c7:$s5: IClientLoggingHost
2.2.RegAsm.exe.22810000.6.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security |
(3 entries in total; the remaining entries are not shown here)

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, ProcessId: 5796, TargetFilename: C:\Users\user\AppData\Roaming\59407D34-C8C5-44DF-A766-BA8A11CB1CB0\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started, Author: Joe Security, Data: Command: 'schtasks.exe' /create /f /tn 'WPA Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp22E9.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'WPA Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp22E9.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\New-OrderContract03939380397803893098983astrofysikerensorganis.exe', ParentImage: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, ParentProcessId: 5796, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'WPA Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp22E9.tmp', ProcessId: 1348

Signature Overview

AV Detection:

Found malware configuration
Source: RegAsm.exe.5464.16.memstr, Malware Configuration Extractor: NanoCore {"C2: ": ["311.10.3.46:09", "255.255.255.255", "23.105.131.240", "172.217.23.97"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Multi AV Scanner detection for domain / URL
Source: earthtradeint.duckdns.org, Virustotal: Detection: 8%
Source: earthtradeint.theworkpc.com, Virustotal: Detection: 18%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\Bhersbelbsfelternelstr\Clubhaulspunchayetj2.exe, Virustotal: Detection: 34%
Multi AV Scanner detection for submitted file
Source: New-OrderContract03939380397803893098983astrofysikerensorganis.exe, Virustotal: Detection: 34%
Yara detected Nanocore RAT
Source: Yara match, File source: 00000002.00000002.1488436912.0000000022810000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000002.1474767948.000000001FC90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.1486744657.0000000020DB7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000002.1475004621.0000000020C90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: RegAsm.exe PID: 5796, type: MEMORY
Source: Yara match, File source: Process Memory Space: RegAsm.exe PID: 5464, type: MEMORY
Source: Yara match, File source: 2.2.RegAsm.exe.22810000.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.RegAsm.exe.22810000.6.raw.unpack, type: UNPACKEDPE

Networking:

Uses dynamic DNS services
Source: unknown, DNS query: name: earthtradeint.duckdns.org
Source: global traffic, TCP traffic: 192.168.2.6:49945 -> 23.105.131.240:53488
Source: global traffic, TCP traffic: 192.168.2.6:49952 -> 216.38.2.213:53488
Source: Joe Sandbox View, Domain Name: earthtradeint.duckdns.org
Source: Joe Sandbox View, IP Address: 172.217.23.97
Source: Joe Sandbox View, ASN Name: unknown
Source: Joe Sandbox View, ASN Name: unknown
Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown, DNS traffic detected: queries for: doc-04-54-docs.googleusercontent.com
Source: RegAsm.exe, 00000002.00000002.1479779670.00000000011C0000.00000004.00000020.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 00000002.00000002.1479779670.00000000011C0000.00000004.00000020.sdmp, String found in binary or memory: http://crl.pki.goog/GTS1O1.crl0
Source: RegAsm.exe, 00000002.00000002.1479779670.00000000011C0000.00000004.00000020.sdmp, String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: RegAsm.exe, 00000002.00000002.1479779670.00000000011C0000.00000004.00000020.sdmp, String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: RegAsm.exe, 00000002.00000002.1479779670.00000000011C0000.00000004.00000020.sdmp, String found in binary or memory: http://ocsp.pki.goog/gts1o10
Source: RegAsm.exe, 00000002.00000002.1479779670.00000000011C0000.00000004.00000020.sdmp, String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: RegAsm.exe, 00000002.00000003.1175816278.00000000011E7000.00000004.00000001.sdmp, String found in binary or memory: http://www.google.com/support/accounts/answer/151657?hl=en
Source: RegAsm.exe, 00000002.00000002.1479851284.00000000011E3000.00000004.00000020.sdmp, String found in binary or memory: https://doc-04-54-docs.googleusercontent.com/docs/securesc/7448b6q78tipvgksrv0g7haa8csaak8p/k26r94oj
Source: RegAsm.exe, 00000002.00000002.1479851284.00000000011E3000.00000004.00000020.sdmp, String found in binary or memory: https://docs.google.com/nonceSigner?nonce=qbk8efmg90u7k&continue=https://doc-04-54-docs.googleuserco
Source: RegAsm.exe, 00000002.00000002.1478995088.0000000000F00000.00000040.00000001.sdmp, RegAsm.exe, 00000010.00000002.1468608171.0000000000E00000.00000040.00000001.sdmp, String found in binary or memory: https://drive.google.com/uc?export=download&id=1SoIaoq6aGxzH3rhhZND2umDWmGj1bHpz
Source: RegAsm.exe, 00000002.00000002.1479779670.00000000011C0000.00000004.00000020.sdmp, String found in binary or memory: https://pki.goog/repository/0
Source: unknown, Network traffic detected: HTTP traffic on port 49955 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49943 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49955
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49943

Source: wpasv.exe, 00000009.00000002.1192163065.00000000006F0000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: RegAsm.exe, 00000002.00000002.1488436912.0000000022810000.00000004.00000001.sdmp, Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match, File source: 00000002.00000002.1488436912.0000000022810000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000002.1474767948.000000001FC90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.1486744657.0000000020DB7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000002.1475004621.0000000020C90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: RegAsm.exe PID: 5796, type: MEMORY
Source: Yara match, File source: Process Memory Space: RegAsm.exe PID: 5464, type: MEMORY
Source: Yara match, File source: 2.2.RegAsm.exe.22810000.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.RegAsm.exe.22810000.6.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000002.00000002.1488436912.0000000022810000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000010.00000002.1474767948.000000001FC90000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.1488353813.0000000022570000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000002.00000002.1486744657.0000000020DB7000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.1475004621.0000000020C90000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegAsm.exe PID: 5796, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegAsm.exe PID: 5464, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.RegAsm.exe.22570000.5.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 2.2.RegAsm.exe.22810000.6.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 2.2.RegAsm.exe.22810000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Potential malicious icon found
Source: initial sample, Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Initial sample is a PE file and has a suspicious name
Source: initial sample, Static PE information: Filename: New-OrderContract03939380397803893098983astrofysikerensorganis.exe
Source: C:\Users\user\Desktop\New-OrderContract03939380397803893098983astrofysikerensorganis.exe, Code function: 0_2_021B0A5A NtSetInformationThread, 0_2_021B0A5A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 2_2_00F09AC0 NtSetInformationThread, 2_2_00F09AC0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 2_2_00F006CB EnumWindows,NtSetInformationThread,LdrInitializeThunk, 2_2_00F006CB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 2_2_00F09679 NtProtectVirtualMemory, 2_2_00F09679
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 2_2_00F008D1 NtSetInformationThread, 2_2_00F008D1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 2_2_00F09CD4 NtSetInformationThread, 2_2_00F09CD4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 2_2_00F09CA8 NtSetInformationThread, 2_2_00F09CA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 2_2_00F0089C NtSetInformationThread, 2_2_00F0089C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 2_2_00F09C78 NtSetInformationThread, 2_2_00F09C78
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 2_2_00F00864 NtSetInformationThread, 2_2_00F00864
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 2_2_00F09C30 NtSetInformationThread, 2_2_00F09C30
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 2_2_00F00808 NtSetInformationThread, 2_2_00F00808
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 2_2_00F0080A NtSetInformationThread, 2_2_00F0080A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 2_2_00F009E5 NtSetInformationThread, 2_2_00F009E5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 2_2_00F009B0 NtSetInformationThread, 2_2_00F009B0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 2_2_00F09DBC NtSetInformationThread, 2_2_00F09DBC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 2_2_00F00975 NtSetInformationThread, 2_2_00F00975
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 2_2_00F09D42 NtSetInformationThread, 2_2_00F09D42
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 2_2_00F00939 NtSetInformationThread, 2_2_00F00939
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 2_2_00F00904 NtSetInformationThread, 2_2_00F00904
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 2_2_00F09D04 NtSetInformationThread, 2_2_00F09D04
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 2_2_00F09ADC NtSetInformationThread, 2_2_00F09ADC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 2_2_00F09EA0 NtSetInformationThread, 2_2_00F09EA0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 2_2_00F09E68 NtSetInformationThread, 2_2_00F09E68
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 2_2_00F09E34 NtSetInformationThread, 2_2_00F09E34
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 2_2_00F00A28 NtSetInformationThread, 2_2_00F00A28
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 2_2_00F09E06 NtSetInformationThread, 2_2_00F09E06
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 2_2_00F09BFC NtSetInformationThread, 2_2_00F09BFC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 2_2_00F09BCD NtSetInformationThread, 2_2_00F09BCD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 2_2_00F09B9C NtSetInformationThread, 2_2_00F09B9C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 2_2_00F09B70 NtSetInformationThread, 2_2_00F09B70
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 2_2_00F09B3E NtSetInformationThread, 2_2_00F09B3E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 2_2_00F09B09 NtSetInformationThread, 2_2_00F09B09
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 2_2_21FB1BB2 NtQuerySystemInformation, 2_2_21FB1BB2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 2_2_21FB1B77 NtQuerySystemInformation, 2_2_21FB1B77
Source: C:\Users\user\Bhersbelbsfelternelstr\Clubhaulspunchayetj2.exe, Code function: 15_2_02090979 NtSetInformationThread, 15_2_02090979
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 16_2_00E09AC0 NtSetInformationThread, 16_2_00E09AC0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 16_2_00E006CB EnumWindows,NtSetInformationThread,LdrInitializeThunk, 16_2_00E006CB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 16_2_00E09679 NtProtectVirtualMemory, 16_2_00E09679
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 16_2_00E008D1 NtSetInformationThread, 16_2_00E008D1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 16_2_00E09CD4 NtSetInformationThread, 16_2_00E09CD4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 16_2_00E09CA8 NtSetInformationThread, 16_2_00E09CA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 16_2_00E0089C NtSetInformationThread, 16_2_00E0089C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 16_2_00E00864 NtSetInformationThread, 16_2_00E00864
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 16_2_00E09C78 NtSetInformationThread, 16_2_00E09C78
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 16_2_00E09C30 NtSetInformationThread, 16_2_00E09C30
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 16_2_00E00808 NtSetInformationThread, 16_2_00E00808
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 16_2_00E0080A NtSetInformationThread, 16_2_00E0080A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 16_2_00E009E5 NtSetInformationThread, 16_2_00E009E5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 16_2_00E009B0 NtSetInformationThread, 16_2_00E009B0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 16_2_00E09DBC NtSetInformationThread, 16_2_00E09DBC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 16_2_00E00975 NtSetInformationThread, 16_2_00E00975
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 16_2_00E09D42 NtSetInformationThread, 16_2_00E09D42
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 16_2_00E00939 NtSetInformationThread, 16_2_00E00939
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 16_2_00E00904 NtSetInformationThread, 16_2_00E00904
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 16_2_00E09D04 NtSetInformationThread, 16_2_00E09D04
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 16_2_00E09ADC NtSetInformationThread, 16_2_00E09ADC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 16_2_00E09EA0 NtSetInformationThread, 16_2_00E09EA0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 16_2_00E09E68 NtSetInformationThread, 16_2_00E09E68
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 16_2_00E00A28 NtSetInformationThread, 16_2_00E00A28
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 16_2_00E09E34 NtSetInformationThread, 16_2_00E09E34
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 16_2_00E09E06 NtSetInformationThread, 16_2_00E09E06
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 16_2_00E09BFC NtSetInformationThread, 16_2_00E09BFC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 16_2_00E09BCD NtSetInformationThread, 16_2_00E09BCD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 16_2_00E09B9C NtSetInformationThread, 16_2_00E09B9C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 16_2_00E09B70 NtSetInformationThread, 16_2_00E09B70
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 16_2_00E09B3E NtSetInformationThread, 16_2_00E09B3E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 16_2_00E09B09 NtSetInformationThread, 16_2_00E09B09
Source: C:\Users\user\Desktop\New-OrderContract03939380397803893098983astrofysikerensorganis.exe, Code function: 0_2_004015FC, 0_2_004015FC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 2_2_1FAC7AC6, 2_2_1FAC7AC6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 2_2_1FC60DB9, 2_2_1FC60DB9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 2_2_21E989D8, 2_2_21E989D8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 2_2_21E92FA8, 2_2_21E92FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 2_2_21E923A0, 2_2_21E923A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 2_2_21E9B2A8, 2_2_21E9B2A8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 2_2_21E995D8, 2_2_21E995D8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 2_2_21E9306F, 2_2_21E9306F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 2_2_21E93850, 2_2_21E93850
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 2_2_21E9969F, 2_2_21E9969F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 8_2_02D001C8, 8_2_02D001C8
Source: C:\Program Files (x86)\WPA Service\wpasv.exe, Code function: 9_2_047901B7, 9_2_047901B7
Source: C:\Program Files (x86)\WPA Service\wpasv.exe, Code function: 13_2_012F01C8, 13_2_012F01C8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 16_2_21DD2FA8, 16_2_21DD2FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 16_2_21DD23A0, 16_2_21DD23A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 16_2_21DD3850, 16_2_21DD3850
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 16_2_21DD306F, 16_2_21DD306F
          Source: New-OrderContract03939380397803893098983astrofysikerensorganis.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: Clubhaulspunchayetj2.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: New-OrderContract03939380397803893098983astrofysikerensorganis.exe, 00000000.00000002.1186708552.0000000002220000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameastrofysikerensorganis.exeFE2XTassive wallTassive wall vs New-OrderContract03939380397803893098983astrofysikerensorganis.exe
          Source: New-OrderContract03939380397803893098983astrofysikerensorganis.exe, 00000000.00000002.1186649524.00000000021A0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs New-OrderContract03939380397803893098983astrofysikerensorganis.exe
          Source: New-OrderContract03939380397803893098983astrofysikerensorganis.exe, 00000000.00000000.1052376688.000000000042E000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameastrofysikerensorganis.exe vs New-OrderContract03939380397803893098983astrofysikerensorganis.exe
          Source: New-OrderContract03939380397803893098983astrofysikerensorganis.exeBinary or memory string: OriginalFilenameastrofysikerensorganis.exe vs New-OrderContract03939380397803893098983astrofysikerensorganis.exe
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: sfc.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: sfc.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: sfc.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: sfc.dll
          Source: 00000002.00000002.1488436912.0000000022810000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000002.00000002.1488436912.0000000022810000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000010.00000002.1474767948.000000001FC90000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000002.00000002.1488353813.0000000022570000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000002.00000002.1488353813.0000000022570000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000002.00000002.1486744657.0000000020DB7000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000010.00000002.1475004621.0000000020C90000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: RegAsm.exe PID: 5796, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: RegAsm.exe PID: 5464, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 2.2.RegAsm.exe.22570000.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 2.2.RegAsm.exe.22570000.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 2.2.RegAsm.exe.22810000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 2.2.RegAsm.exe.22810000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 2.2.RegAsm.exe.22810000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 2.2.RegAsm.exe.22810000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: classification engine Classification label: mal100.rans.troj.evad.winEXE@28/11@9/3
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 2_2_21FB1972 AdjustTokenPrivileges, 2_2_21FB1972
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 2_2_21FB193B AdjustTokenPrivileges, 2_2_21FB193B
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 16_2_00E07CE0 LockResource, 16_2_00E07CE0
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File created: C:\Program Files (x86)\WPA Service
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File created: C:\Users\user\Bhersbelbsfelternelstr
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5672:120:WilError_01
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3052:120:WilError_01
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2852:120:WilError_01
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6048:120:WilError_01
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5232:120:WilError_01
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{12914c67-748c-4941-871e-4d7a6023c53b}
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5140:120:WilError_01
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3064:120:WilError_01
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4536:120:WilError_01
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File created: C:\Users\user\AppData\Local\Temp\tmp22E9.tmp
          Source: New-OrderContract03939380397803893098983astrofysikerensorganis.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\New-OrderContract03939380397803893098983astrofysikerensorganis.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
          Source: C:\Users\user\Bhersbelbsfelternelstr\Clubhaulspunchayetj2.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
          Source: C:\Program Files (x86)\WPA Service\wpasv.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
          Source: C:\Program Files (x86)\WPA Service\wpasv.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
          Source: C:\Program Files (x86)\WPA Service\wpasv.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
          Source: C:\Users\user\Desktop\New-OrderContract03939380397803893098983astrofysikerensorganis.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: New-OrderContract03939380397803893098983astrofysikerensorganis.exe Virustotal: Detection: 34%
          Source: unknown Process created: C:\Users\user\Desktop\New-OrderContract03939380397803893098983astrofysikerensorganis.exe 'C:\Users\user\Desktop\New-OrderContract03939380397803893098983astrofysikerensorganis.exe'
          Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\New-OrderContract03939380397803893098983astrofysikerensorganis.exe'
          Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'WPA Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp22E9.tmp'
          Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'WPA Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp24B0.tmp'
          Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 0
          Source: unknown Process created: C:\Program Files (x86)\WPA Service\wpasv.exe 'C:\Program Files (x86)\WPA Service\wpasv.exe' 0
          Source: unknown Process created: C:\Users\user\Bhersbelbsfelternelstr\Clubhaulspunchayetj2.exe 'C:\Users\user\Bhersbelbsfelternelstr\Clubhaulspunchayetj2.exe'
          Source: unknown Process created: C:\Program Files (x86)\WPA Service\wpasv.exe 'C:\Program Files (x86)\WPA Service\wpasv.exe'
          Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Bhersbelbsfelternelstr\Clubhaulspunchayetj2.exe'
          Source: C:\Users\user\Desktop\New-OrderContract03939380397803893098983astrofysikerensorganis.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\New-OrderContract03939380397803893098983astrofysikerensorganis.exe'
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'WPA Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp22E9.tmp'
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'WPA Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp24B0.tmp'
          Source: C:\Users\user\Bhersbelbsfelternelstr\Clubhaulspunchayetj2.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Bhersbelbsfelternelstr\Clubhaulspunchayetj2.exe'
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
          Source: Window Recorder Window detected: More than 3 window changes detected
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
          Source: Binary string: C:\Windows\exe\RegAsm.pdb source: RegAsm.exe, 00000002.00000002.1484595304.000000001FB90000.00000004.00000040.sdmp
          Source: Binary string: C:\Windows\symbols\exe\RegAsm.pdb source: RegAsm.exe, 00000002.00000002.1484595304.000000001FB90000.00000004.00000040.sdmp
          Source: Binary string: ?\C:\Windows\dll\mscorlib.pdb source: RegAsm.exe, 00000002.00000002.1479940007.000000000120E000.00000004.00000020.sdmp
          Source: Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.pdb source: RegAsm.exe, 00000002.00000002.1484595304.000000001FB90000.00000004.00000040.sdmp
          Source: Binary string: RegAsm.pdb source: wpasv.exe, wpasv.exe.2.dr
          Source: Binary string: !9\mscorlib.pdb S source: RegAsm.exe, 00000002.00000002.1479896475.00000000011F5000.00000004.00000020.sdmp
          Source: Binary string: indows\RegAsm.pdbpdbAsm.pdb source: RegAsm.exe, 00000002.00000002.1484595304.000000001FB90000.00000004.00000040.sdmp
          Source: Binary string: C:\Windows\RegAsm.pdbw source: RegAsm.exe, 00000002.00000002.1484595304.000000001FB90000.00000004.00000040.sdmp
          Source: Binary string: mscorrc.pdb source: RegAsm.exe, 00000002.00000002.1488184893.0000000022510000.00000002.00000001.sdmp

          Data Obfuscation:

          Yara detected GuLoader
          Source: Yara match File source: 00000002.00000002.1478995088.0000000000F00000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000010.00000002.1468608171.0000000000E00000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5796, type: MEMORY
          Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5464, type: MEMORY
          Source: C:\Users\user\Desktop\New-OrderContract03939380397803893098983astrofysikerensorganis.exe Code function: 0_2_004015FC push esi; retf 0001h 0_2_00403ABD
          Source: C:\Users\user\Desktop\New-OrderContract03939380397803893098983astrofysikerensorganis.exe Code function: 0_2_0040DB62 push cs; retf 0_2_0040DB68
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 2_2_00F038B9 push esp; retn 47BCh 2_2_00F05946
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 2_2_00F01421 push esp; retn 47BCh 2_2_00F05946
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 2_2_00F01577 push esp; retn 47BCh 2_2_00F05946
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 2_2_00F03936 push esp; retn 47BCh 2_2_00F05946
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 2_2_00F013E1 push esp; retn 47BCh 2_2_00F05946
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 2_2_00F013A6 push esp; retn 47BCh 2_2_00F05946
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 2_2_1FAC9D7E pushad ; retf 2_2_1FAC9D81
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 2_2_1FAC9D7A push eax; retf 2_2_1FAC9D7D
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 2_2_1FACCB10 push edx; ret 2_2_1FACCB63
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 2_2_1FACCB64 push edx; ret 2_2_1FACCB63
          Source: C:\Program Files (x86)\WPA Service\wpasv.exe Code function: 9_2_006EA120 push 75FBCFE8h; iretd 9_2_006EA19D
          Source: C:\Users\user\Bhersbelbsfelternelstr\Clubhaulspunchayetj2.exe Code function: 15_2_02093803 push esi; retf 15_2_02093935
          Source: C:\Users\user\Bhersbelbsfelternelstr\Clubhaulspunchayetj2.exe Code function: 15_2_02093010 push esi; retf 15_2_02093011
          Source: C:\Users\user\Bhersbelbsfelternelstr\Clubhaulspunchayetj2.exe Code function: 15_2_02091465 push esi; retf 15_2_020915F5
          Source: C:\Users\user\Bhersbelbsfelternelstr\Clubhaulspunchayetj2.exe Code function: 15_2_02092489 push esi; iretd 15_2_020924BD
          Source: C:\Users\user\Bhersbelbsfelternelstr\Clubhaulspunchayetj2.exe Code function: 15_2_0209417B push esi; retf 15_2_02094239
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 16_2_00E038B9 push esp; retn 47BCh 16_2_00E05946
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 16_2_00E01421 push esp; retn 47BCh 16_2_00E05946
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 16_2_00E01577 push esp; retn 47BCh 16_2_00E05946
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 16_2_00E03936 push esp; retn 47BCh 16_2_00E05946
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 16_2_00E013E1 push esp; retn 47BCh 16_2_00E05946
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 16_2_00E013A6 push esp; retn 47BCh 16_2_00E05946

          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File created: C:\Program Files (x86)\WPA Service\wpasv.exe (dropped file)
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File created: C:\Users\user\Bhersbelbsfelternelstr\Clubhaulspunchayetj2.exe (dropped file)

          Boot Survival:

          Uses schtasks.exe or at.exe to add and modify task schedules
          Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'WPA Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp22E9.tmp'
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Strafferetligecalmette

          Hooking and other Techniques for Hiding and Protection:

          Hides that the sample has been downloaded from the Internet (zone.identifier)
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe:Zone.Identifier read attributes | delete
          Source: C:\Users\user\Desktop\New-OrderContract03939380397803893098983astrofysikerensorganis.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX