Loading ...

Play interactive tourEdit tour

Analysis Report SecuriteInfo.com.Trojan.PackedNET.362.7860.17521

Overview

General Information

Sample Name:SecuriteInfo.com.Trojan.PackedNET.362.7860.17521 (renamed file extension from 17521 to exe)
Analysis ID:255707
MD5:be46a654b9b6fef849466ea92d54cc1b
SHA1:380d5b896297a83dc3c3ad6a86c6f9eeaa72fdd7
SHA256:3dc9838107abe50dfcd90972d2e1a5a8e2aa6e735723fa635927bd4ddb790e81

Most interesting Screenshot:

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Drops PE files to the startup folder
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • SecuriteInfo.com.Trojan.PackedNET.362.7860.exe (PID: 6944 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exe' MD5: BE46A654B9B6FEF849466EA92D54CC1B)
    • RegAsm.exe (PID: 6980 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["79.134.225.12:1996", "79.134.225.12"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000001.00000002.264739949.0000000003D21000.00000004.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0x96cdd:$x1: NanoCore.ClientPluginHost
  • 0x96d1a:$x2: IClientNetworkHost
  • 0x9a84d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.264739949.0000000003D21000.00000004.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
    00000001.00000002.264739949.0000000003D21000.00000004.00000001.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
    • 0x96a45:$a: NanoCore
    • 0x96a55:$a: NanoCore
    • 0x96c89:$a: NanoCore
    • 0x96c9d:$a: NanoCore
    • 0x96cdd:$a: NanoCore
    • 0x96aa4:$b: ClientPlugin
    • 0x96ca6:$b: ClientPlugin
    • 0x96ce6:$b: ClientPlugin
    • 0x96bcb:$c: ProjectData
    • 0x975d2:$d: DESCrypto
    • 0x9ef9e:$e: KeepAlive
    • 0x9cf8c:$g: LogClientMessage
    • 0x99187:$i: get_Connected
    • 0x97908:$j: #=q
    • 0x97938:$j: #=q
    • 0x97954:$j: #=q
    • 0x97984:$j: #=q
    • 0x979a0:$j: #=q
    • 0x979bc:$j: #=q
    • 0x979ec:$j: #=q
    • 0x97a08:$j: #=q
    00000001.00000002.261068381.0000000000FAF000.00000004.00000020.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0x3964d:$x1: NanoCore.ClientPluginHost
    • 0x3968a:$x2: IClientNetworkHost
    • 0x3d1bd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    00000001.00000002.261068381.0000000000FAF000.00000004.00000020.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
      Click to see the 17 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      1.2.SecuriteInfo.com.Trojan.PackedNET.362.7860.exe.5e90000.3.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
      • 0x1018d:$x1: NanoCore.ClientPluginHost
      • 0x101ca:$x2: IClientNetworkHost
      • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
      1.2.SecuriteInfo.com.Trojan.PackedNET.362.7860.exe.5e90000.3.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
      • 0xff05:$x1: NanoCore Client.exe
      • 0x1018d:$x2: NanoCore.ClientPluginHost
      • 0x117c6:$s1: PluginCommand
      • 0x117ba:$s2: FileCommand
      • 0x1266b:$s3: PipeExists
      • 0x18422:$s4: PipeCreated
      • 0x101b7:$s5: IClientLoggingHost
      1.2.SecuriteInfo.com.Trojan.PackedNET.362.7860.exe.5e90000.3.unpackJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
        1.2.SecuriteInfo.com.Trojan.PackedNET.362.7860.exe.5e90000.3.unpackNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
        • 0xfef5:$a: NanoCore
        • 0xff05:$a: NanoCore
        • 0x10139:$a: NanoCore
        • 0x1014d:$a: NanoCore
        • 0x1018d:$a: NanoCore
        • 0xff54:$b: ClientPlugin
        • 0x10156:$b: ClientPlugin
        • 0x10196:$b: ClientPlugin
        • 0x1007b:$c: ProjectData
        • 0x10a82:$d: DESCrypto
        • 0x1844e:$e: KeepAlive
        • 0x1643c:$g: LogClientMessage
        • 0x12637:$i: get_Connected
        • 0x10db8:$j: #=q
        • 0x10de8:$j: #=q
        • 0x10e04:$j: #=q
        • 0x10e34:$j: #=q
        • 0x10e50:$j: #=q
        • 0x10e6c:$j: #=q
        • 0x10e9c:$j: #=q
        • 0x10eb8:$j: #=q
        2.2.RegAsm.exe.400000.0.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
        • 0x1018d:$x1: NanoCore.ClientPluginHost
        • 0x101ca:$x2: IClientNetworkHost
        • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
        Click to see the 3 entries

        Sigma Overview

        System Summary:

        barindex
        Sigma detected: NanoCoreShow sources
        Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 6980, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        Signature Overview

        Click to jump to signature section

        Show All Signature Results

        AV Detection:

        barindex
        Found malware configurationShow sources
        Source: RegAsm.exe.6980.2.memstrMalware Configuration Extractor: NanoCore {"C2: ": ["79.134.225.12:1996", "79.134.225.12"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
        Yara detected Nanocore RATShow sources
        Source: Yara matchFile source: 00000001.00000002.264739949.0000000003D21000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000001.00000002.261068381.0000000000FAF000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000002.00000002.499051145.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000001.00000002.270335180.0000000005E92000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000002.00000002.503175832.0000000002E51000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000002.00000002.507831927.0000000003F71000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Trojan.PackedNET.362.7860.exe PID: 6944, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 6980, type: MEMORY
        Source: Yara matchFile source: 1.2.SecuriteInfo.com.Trojan.PackedNET.362.7860.exe.5e90000.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
        Machine Learning detection for dropped fileShow sources
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exeJoe Sandbox ML: detected
        Machine Learning detection for sampleShow sources
        Source: SecuriteInfo.com.Trojan.PackedNET.362.7860.exeJoe Sandbox ML: detected
        Source: global trafficTCP traffic: 192.168.2.4:49712 -> 79.134.225.12:1996
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.12
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.12
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.12
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.12
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.12
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.12
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.12
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.12
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.12
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.12
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.12
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.12
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.12
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.12
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.12
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.12
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.12
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.12
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.12
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.12
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.12
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.12
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.12
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.12
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.12
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.12
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.12
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.12
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.12
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.12
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.12
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.12
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.12
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.12
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.12
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.12
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.12
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.12
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.12
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.12
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.12
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.12
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.12
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.12
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.12
        Source: unknownDNS traffic detected: queries for: mogs20.hopto.org
        Source: RegAsm.exe, 00000002.00000002.503175832.0000000002E51000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: RegAsm.exe, 00000002.00000002.507831927.0000000003F71000.00000004.00000001.sdmpBinary or memory string: RegisterRawInputDevices

        E-Banking Fraud:

        barindex
        Yara detected Nanocore RATShow sources
        Source: Yara matchFile source: 00000001.00000002.264739949.0000000003D21000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000001.00000002.261068381.0000000000FAF000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000002.00000002.499051145.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000001.00000002.270335180.0000000005E92000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000002.00000002.503175832.0000000002E51000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000002.00000002.507831927.0000000003F71000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Trojan.PackedNET.362.7860.exe PID: 6944, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 6980, type: MEMORY
        Source: Yara matchFile source: 1.2.SecuriteInfo.com.Trojan.PackedNET.362.7860.exe.5e90000.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE

        System Summary:

        barindex
        Malicious sample detected (through community Yara rule)Show sources
        Source: 00000001.00000002.264739949.0000000003D21000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000001.00000002.264739949.0000000003D21000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000001.00000002.261068381.0000000000FAF000.00000004.00000020.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000001.00000002.261068381.0000000000FAF000.00000004.00000020.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000002.00000002.499051145.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000002.00000002.499051145.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000001.00000002.270335180.0000000005E92000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000001.00000002.270335180.0000000005E92000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000002.00000002.503175832.0000000002E51000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000002.00000002.507831927.0000000003F71000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: SecuriteInfo.com.Trojan.PackedNET.362.7860.exe PID: 6944, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: SecuriteInfo.com.Trojan.PackedNET.362.7860.exe PID: 6944, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: RegAsm.exe PID: 6980, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: RegAsm.exe PID: 6980, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 1.2.SecuriteInfo.com.Trojan.PackedNET.362.7860.exe.5e90000.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.2.SecuriteInfo.com.Trojan.PackedNET.362.7860.exe.5e90000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeCode function: 1_2_02C41D7F NtOpenFile,NtCreateFile,NtWriteFile,1_2_02C41D7F
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeCode function: 1_2_02C41C09 NtDelayExecution,1_2_02C41C09
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeCode function: 1_2_02C400AD NtOpenSection,NtMapViewOfSection,1_2_02C400AD
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeCode function: 1_2_02C41C2B NtQueryInformationProcess,NtOpenFile,NtAllocateVirtualMemory,NtReadFile,1_2_02C41C2B
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeCode function: 1_2_02CE00AD NtOpenSection,NtMapViewOfSection,1_2_02CE00AD
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeCode function: 1_2_02CE1C09 CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtWriteVirtualMemory,NtGetContextThread,NtSetContextThread,NtResumeThread,1_2_02CE1C09
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeCode function: 1_2_00959B1D1_2_00959B1D
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeCode function: 1_2_0095C88B1_2_0095C88B
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeCode function: 1_2_011709001_2_01170900
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeCode function: 1_2_011708F01_2_011708F0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0131E4712_2_0131E471
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0131E4802_2_0131E480
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0131BBD42_2_0131BBD4
        Source: SecuriteInfo.com.Trojan.PackedNET.362.7860.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: HJdyTuap.exe.1.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: SecuriteInfo.com.Trojan.PackedNET.362.7860.exe, 00000001.00000002.270573690.0000000006010000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs SecuriteInfo.com.Trojan.PackedNET.362.7860.exe
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
        Source: 00000001.00000002.264739949.0000000003D21000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000002.264739949.0000000003D21000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000002.261068381.0000000000FAF000.00000004.00000020.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000002.261068381.0000000000FAF000.00000004.00000020.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000002.499051145.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000002.499051145.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000002.270335180.0000000005E92000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000002.270335180.0000000005E92000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000002.503175832.0000000002E51000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000002.507831927.0000000003F71000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: SecuriteInfo.com.Trojan.PackedNET.362.7860.exe PID: 6944, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: SecuriteInfo.com.Trojan.PackedNET.362.7860.exe PID: 6944, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: RegAsm.exe PID: 6980, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: RegAsm.exe PID: 6980, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.SecuriteInfo.com.Trojan.PackedNET.362.7860.exe.5e90000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.SecuriteInfo.com.Trojan.PackedNET.362.7860.exe.5e90000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.SecuriteInfo.com.Trojan.PackedNET.362.7860.exe.5e90000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: SecuriteInfo.com.Trojan.PackedNET.362.7860.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: HJdyTuap.exe.1.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: 1.2.SecuriteInfo.com.Trojan.PackedNET.362.7860.exe.5e90000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 1.2.SecuriteInfo.com.Trojan.PackedNET.362.7860.exe.5e90000.3.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 1.2.SecuriteInfo.com.Trojan.PackedNET.362.7860.exe.5e90000.3.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 2.2.RegAsm.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 2.2.RegAsm.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 2.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 1.2.SecuriteInfo.com.Trojan.PackedNET.362.7860.exe.5e90000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 1.2.SecuriteInfo.com.Trojan.PackedNET.362.7860.exe.5e90000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 2.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 2.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: classification engineClassification label: mal100.troj.adwa.evad.winEXE@3/3@12/1
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exeJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{610a4fc8-16e9-4c97-b0a7-ec2ef0b6bea6}
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeMutant created: \Sessions\1\BaseNamedObjects\Startup_shellcode_006
        Source: SecuriteInfo.com.Trojan.PackedNET.362.7860.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeFile read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeJump to behavior
        Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exe'
        Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeJump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
        Source: SecuriteInfo.com.Trojan.PackedNET.362.7860.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: SecuriteInfo.com.Trojan.PackedNET.362.7860.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegAsm.exe, 00000002.00000002.503175832.0000000002E51000.00000004.00000001.sdmp
        Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: RegAsm.exe, 00000002.00000002.503175832.0000000002E51000.00000004.00000001.sdmp

        Data Obfuscation:

        barindex
        .NET source code contains potential unpackerShow sources
        Source: 1.2.SecuriteInfo.com.Trojan.PackedNET.362.7860.exe.5e90000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 1.2.SecuriteInfo.com.Trojan.PackedNET.362.7860.exe.5e90000.3.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 2.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 2.2.RegAsm.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeCode function: 1_2_0095DA45 push es; iretd 1_2_0095DBE4
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeCode function: 1_2_0095E4FA push ss; retn 0005h1_2_0095E604
        Source: initial sampleStatic PE information: section name: .text entropy: 7.77941558111
        Source: initial sampleStatic PE information: section name: .text entropy: 7.77941558111
        Source: 1.2.SecuriteInfo.com.Trojan.PackedNET.362.7860.exe.5e90000.3.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 1.2.SecuriteInfo.com.Trojan.PackedNET.362.7860.exe.5e90000.3.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 2.2.RegAsm.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 2.2.RegAsm.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exeJump to dropped file

        Boot Survival:

        barindex
        Drops PE files to the startup folderShow sources
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exeJump to dropped file
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exeJump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exeJump to behavior

        Hooking and other Techniques for Hiding and Protection:

        barindex
        Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe:Zone.Identifier read attributes | deleteJump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: threadDelayed 5899Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: threadDelayed 3528Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: foregroundWindowGot 635Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: foregroundWindowGot 813Jump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exe TID: 6964Thread sleep time: -922337203685477s >= -30000sJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7084Thread sleep time: -8301034833169293s >= -30000sJump to behavior
        Source: SecuriteInfo.com.Trojan.PackedNET.362.7860.exe, 00000001.00000002.270573690.0000000006010000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
        Source: SecuriteInfo.com.Trojan.PackedNET.362.7860.exe, 00000001.00000002.270573690.0000000006010000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
        Source: SecuriteInfo.com.Trojan.PackedNET.362.7860.exe, 00000001.00000002.270573690.0000000006010000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
        Source: SecuriteInfo.com.Trojan.PackedNET.362.7860.exe, 00000001.00000002.270573690.0000000006010000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeProcess information queried: ProcessInformationJump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeCode function: 1_2_02C401CB mov eax, dword ptr fs:[00000030h]1_2_02C401CB
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeCode function: 1_2_02C41D7F mov eax, dword ptr fs:[00000030h]1_2_02C41D7F
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeCode function: 1_2_02C41D7F mov eax, dword ptr fs:[00000030h]1_2_02C41D7F
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeCode function: 1_2_02C400AD mov ecx, dword ptr fs:[00000030h]1_2_02C400AD
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeCode function: 1_2_02C400AD mov eax, dword ptr fs:[00000030h]1_2_02C400AD
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeCode function: 1_2_02C41C2B mov eax, dword ptr fs:[00000030h]1_2_02C41C2B
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeCode function: 1_2_02CE00AD mov ecx, dword ptr fs:[00000030h]1_2_02CE00AD
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeCode function: 1_2_02CE00AD mov eax, dword ptr fs:[00000030h]1_2_02CE00AD
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeCode function: 1_2_02CE01CB mov eax, dword ptr fs:[00000030h]1_2_02CE01CB
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeProcess token adjusted: DebugJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess token adjusted: DebugJump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeMemory allocated: page read and write | page guardJump to behavior

        HIPS / PFW / Operating System Protection Evasion:

        barindex
        Maps a DLL or memory area into another processShow sources
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeSection loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and writeJump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeJump to behavior
        Source: RegAsm.exe, 00000002.00000002.505411141.00000000031C0000.00000004.00000001.sdmpBinary or memory string: Program Manager
        Source: RegAsm.exe, 00000002.00000002.505476970.00000000031C8000.00000004.00000001.sdmpBinary or memory string: Program ManagerXZ
        Source: RegAsm.exe, 00000002.00000002.502461533.00000000016D0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
        Source: RegAsm.exe, 00000002.00000002.502461533.00000000016D0000.00000002.00000001.sdmpBinary or memory string: Progman
        Source: RegAsm.exe, 00000002.00000002.502737398.0000000002BDD000.00000004.00000001.sdmpBinary or memory string: Program Manager (
        Source: RegAsm.exe, 00000002.00000002.502461533.00000000016D0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
        Source: RegAsm.exe, 00000002.00000002.502461533.00000000016D0000.00000002.00000001.sdmpBinary or memory string: Program Manager[
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.362.7860.exe VolumeInformationJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformationJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

        Stealing of Sensitive Information:

        barindex
        Yara detected Nanocore RATShow sources
        Source: Yara matchFile source: 00000001.00000002.264739949.0000000003D21000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000001.00000002.261068381.0000000000FAF000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000002.00000002.499051145.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000001.00000002.270335180.0000000005E92000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000002.00000002.503175832.0000000002E51000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000002.00000002.507831927.0000000003F71000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Trojan.PackedNET.362.7860.exe PID: 6944, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 6980, type: MEMORY
        Source: Yara matchFile source: 1.2.SecuriteInfo.com.Trojan.PackedNET.362.7860.exe.5e90000.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE

        Remote Access Functionality:

        barindex
        Detected Nanocore RatShow sources
        Source: SecuriteInfo.com.Trojan.PackedNET.362.7860.exe, 00000001.00000002.270335180.0000000005E92000.00000040.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: RegAsm.exe, 00000002.00000002.499051145.0000000000402000.00000040.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: RegAsm.exe, 00000002.00000002.503175832.0000000002E51000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: RegAsm.exe, 00000002.00000002.503175832.0000000002E51000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
        Source: RegAsm.exe, 00000002.00000002.503175832.0000000002E51000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicr