Loading ...

Play interactive tourEdit tour

Analysis Report Memo_pdf .scr

Overview

General Information

Sample Name:Memo_pdf .scr (renamed file extension from scr to exe)
Analysis ID:299297
MD5:5831d33bdea3450b0f41ca925c29389c
SHA1:b6188082b34f62187901d06153b01319a11c93b8
SHA256:cdfb21fdd2537b2422f693cf27d22e1a7a6b1f52e09a72499b731eea27040d45
Tags:GuLoaderscr

Most interesting Screenshot:

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Potential malicious icon found
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected Nanocore RAT
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Memo_pdf .exe (PID: 6320 cmdline: 'C:\Users\user\Desktop\Memo_pdf .exe' MD5: 5831D33BDEA3450B0F41CA925C29389C)
    • RegAsm.exe (PID: 6516 cmdline: 'C:\Users\user\Desktop\Memo_pdf .exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
    • RegAsm.exe (PID: 6532 cmdline: 'C:\Users\user\Desktop\Memo_pdf .exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
      • conhost.exe (PID: 6540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 4396 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7ED7.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 4388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • RegAsm.exe (PID: 5060 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 0 MD5: 529695608EAFBED00ACA9E61EF333A7C)
    • conhost.exe (PID: 4400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000005.00000002.503340291.000000001ED47000.00000004.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
    00000005.00000002.503340291.000000001ED47000.00000004.00000001.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
    • 0x3a75:$a: NanoCore
    • 0x3ace:$a: NanoCore
    • 0x3b0b:$a: NanoCore
    • 0x3b84:$a: NanoCore
    • 0x1722f:$a: NanoCore
    • 0x17244:$a: NanoCore
    • 0x17279:$a: NanoCore
    • 0x3021b:$a: NanoCore
    • 0x30230:$a: NanoCore
    • 0x30265:$a: NanoCore
    • 0x3ad7:$b: ClientPlugin
    • 0x3b14:$b: ClientPlugin
    • 0x4412:$b: ClientPlugin
    • 0x441f:$b: ClientPlugin
    • 0x16feb:$b: ClientPlugin
    • 0x17006:$b: ClientPlugin
    • 0x17036:$b: ClientPlugin
    • 0x1724d:$b: ClientPlugin
    • 0x17282:$b: ClientPlugin
    • 0x2ffd7:$b: ClientPlugin
    • 0x2fff2:$b: ClientPlugin
    00000005.00000002.504267732.0000000020730000.00000004.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0xf7ad:$x1: NanoCore.ClientPluginHost
    • 0xf7da:$x2: IClientNetworkHost
    00000005.00000002.504267732.0000000020730000.00000004.00000001.sdmpNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
    • 0xf7ad:$x2: NanoCore.ClientPluginHost
    • 0x10888:$s4: PipeCreated
    • 0xf7c7:$s5: IClientLoggingHost
    00000005.00000002.504267732.0000000020730000.00000004.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
      Click to see the 4 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      5.2.RegAsm.exe.20110000.3.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
      • 0xe75:$x1: NanoCore.ClientPluginHost
      • 0xe8f:$x2: IClientNetworkHost
      5.2.RegAsm.exe.20110000.3.raw.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
      • 0xe75:$x2: NanoCore.ClientPluginHost
      • 0x1261:$s3: PipeExists
      • 0x1136:$s4: PipeCreated
      • 0xeb0:$s5: IClientLoggingHost
      5.2.RegAsm.exe.20730000.5.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
      • 0xf7ad:$x1: NanoCore.ClientPluginHost
      • 0xf7da:$x2: IClientNetworkHost
      5.2.RegAsm.exe.20730000.5.raw.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
      • 0xf7ad:$x2: NanoCore.ClientPluginHost
      • 0x10888:$s4: PipeCreated
      • 0xf7c7:$s5: IClientLoggingHost
      5.2.RegAsm.exe.20730000.5.raw.unpackJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
        Click to see the 3 entries

        Sigma Overview

        System Summary:

        barindex
        Sigma detected: NanoCoreShow sources
        Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, ProcessId: 6532, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
        Sigma detected: Scheduled temp file as task from temp locationShow sources
        Source: Process startedAuthor: Joe Security: Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7ED7.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7ED7.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\Memo_pdf .exe' , ParentImage: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, ParentProcessId: 6532, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7ED7.tmp', ProcessId: 4396

        Signature Overview

        Click to jump to signature section

        Show All Signature Results

        AV Detection:

        barindex
        Antivirus detection for URL or domainShow sources
        Source: https://noticeartist.com/raba/Nano_OJwDYAfnUa107.binAvira URL Cloud: Label: malware
        Multi AV Scanner detection for submitted fileShow sources
        Source: Memo_pdf .exeReversingLabs: Detection: 16%
        Yara detected Nanocore RATShow sources
        Source: Yara matchFile source: 00000005.00000002.503340291.000000001ED47000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000005.00000002.504267732.0000000020730000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 6532, type: MEMORY
        Source: Yara matchFile source: 5.2.RegAsm.exe.20730000.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 5.2.RegAsm.exe.20730000.5.unpack, type: UNPACKEDPE
        Machine Learning detection for sampleShow sources
        Source: Memo_pdf .exeJoe Sandbox ML: detected

        Networking:

        barindex
        Uses dynamic DNS servicesShow sources
        Source: unknownDNS query: name: raba1.ddns.net
        Source: global trafficTCP traffic: 192.168.2.5:49729 -> 79.134.225.11:9036
        Source: Joe Sandbox ViewIP Address: 79.134.225.11 79.134.225.11
        Source: Joe Sandbox ViewASN Name: FINK-TELECOM-SERVICESCH FINK-TELECOM-SERVICESCH
        Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
        Source: unknownDNS traffic detected: queries for: noticeartist.com
        Source: RegAsm.exe, 00000005.00000003.354174347.00000000014E6000.00000004.00000001.sdmpString found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
        Source: RegAsm.exe, 00000005.00000002.498325423.00000000014E6000.00000004.00000020.sdmpString found in binary or memory: http://cert.int-x3.letsencr
        Source: RegAsm.exe, 00000005.00000003.354174347.00000000014E6000.00000004.00000001.sdmpString found in binary or memory: http://cert.int-x3.letsencrypt.org/0
        Source: RegAsm.exe, 00000005.00000002.498325423.00000000014E6000.00000004.00000020.sdmpString found in binary or memory: http://cps.letsencrypt.
        Source: RegAsm.exe, 00000005.00000003.354174347.00000000014E6000.00000004.00000001.sdmpString found in binary or memory: http://cps.letsencrypt.org0
        Source: RegAsm.exe, 00000005.00000003.354174347.00000000014E6000.00000004.00000001.sdmpString found in binary or memory: http://cps.root-x1.letsencrypt.org0
        Source: RegAsm.exe, 00000005.00000003.354174347.00000000014E6000.00000004.00000001.sdmpString found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
        Source: RegAsm.exe, 00000005.00000003.354174347.00000000014E6000.00000004.00000001.sdmpString found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
        Source: RegAsm.exe, 00000005.00000002.498325423.00000000014E6000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.int-x3.
        Source: RegAsm.exe, 00000005.00000003.354174347.00000000014E6000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
        Source: RegAsm.exe, 00000005.00000002.498262878.000000000149B000.00000004.00000020.sdmpString found in binary or memory: https://noticeartist.com/
        Source: RegAsm.exe, 00000005.00000002.498262878.000000000149B000.00000004.00000020.sdmpString found in binary or memory: https://noticeartist.com/$
        Source: RegAsm.exe, 00000005.00000002.497890280.0000000001100000.00000040.00000001.sdmpString found in binary or memory: https://noticeartist.com/raba/Nano_OJwDYAfnUa107.bin
        Source: RegAsm.exe, 00000005.00000002.498262878.000000000149B000.00000004.00000020.sdmpString found in binary or memory: https://noticeartist.com/raba/Nano_OJwDYAfnUa107.binO
        Source: RegAsm.exe, 00000005.00000003.354155694.00000000014CB000.00000004.00000001.sdmpString found in binary or memory: https://noticeartist.com/raba/Nano_OJwDYAfnUa107.binP
        Source: RegAsm.exe, 00000005.00000003.354155694.00000000014CB000.00000004.00000001.sdmpString found in binary or memory: https://noticeartist.com/raba/Nano_OJwDYAfnUa107.binile
        Source: unknownNetwork traffic detected: HTTP traffic on port 49728 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49728
        Source: Memo_pdf .exe, 00000001.00000002.295353998.00000000007DA000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
        Source: RegAsm.exe, 00000005.00000002.503340291.000000001ED47000.00000004.00000001.sdmpBinary or memory string: RegisterRawInputDevices

        E-Banking Fraud:

        barindex
        Yara detected Nanocore RATShow sources
        Source: Yara matchFile source: 00000005.00000002.503340291.000000001ED47000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000005.00000002.504267732.0000000020730000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 6532, type: MEMORY
        Source: Yara matchFile source: 5.2.RegAsm.exe.20730000.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 5.2.RegAsm.exe.20730000.5.unpack, type: UNPACKEDPE

        System Summary:

        barindex
        Malicious sample detected (through community Yara rule)Show sources
        Source: 00000005.00000002.503340291.000000001ED47000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000005.00000002.504267732.0000000020730000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000005.00000002.503825718.0000000020110000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: RegAsm.exe PID: 6532, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 5.2.RegAsm.exe.20110000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 5.2.RegAsm.exe.20730000.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 5.2.RegAsm.exe.20730000.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Potential malicious icon foundShow sources
        Source: initial sampleIcon embedded in PE file: bad icon match: 20047c7c70f0e004
        Initial sample is a PE file and has a suspicious nameShow sources
        Source: initial sampleStatic PE information: Filename: Memo_pdf .exe
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_0110057A EnumWindows,NtSetInformationThread,5_2_0110057A
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_011065BC NtSetInformationThread,5_2_011065BC
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_011073E5 NtProtectVirtualMemory,5_2_011073E5
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_01106269 NtSetInformationThread,LoadLibraryA,5_2_01106269
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_011078AD NtSetInformationThread,5_2_011078AD
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_0110071D NtSetInformationThread,5_2_0110071D
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_0110495F NtSetInformationThread,5_2_0110495F
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_01107D7A NtSetInformationThread,5_2_01107D7A
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_01107D8D NtSetInformationThread,5_2_01107D8D
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_0110398E NtSetInformationThread,5_2_0110398E
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_011079B3 NtSetInformationThread,5_2_011079B3
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_011005B4 NtSetInformationThread,5_2_011005B4
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_011039AF NtSetInformationThread,5_2_011039AF
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_01107DAF NtSetInformationThread,5_2_01107DAF
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_01107BF9 NtSetInformationThread,5_2_01107BF9
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_01100617 NtSetInformationThread,5_2_01100617
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_01103805 NtSetInformationThread,5_2_01103805
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_0110780C NtProtectVirtualMemory,5_2_0110780C
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_01103833 NtSetInformationThread,5_2_01103833
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_01103665 NtSetInformationThread,5_2_01103665
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_01107A9A NtSetInformationThread,5_2_01107A9A
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_011078C8 NtSetInformationThread,5_2_011078C8
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_1FF2152A NtQuerySystemInformation,5_2_1FF2152A
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_1FF214EF NtQuerySystemInformation,5_2_1FF214EF
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_1DAE7ABE5_2_1DAE7ABE
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_1FEB2FA85_2_1FEB2FA8
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_1FEB23A05_2_1FEB23A0
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_1FEBAF885_2_1FEBAF88
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_1FEB86B85_2_1FEB86B8
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_1FEB92B85_2_1FEB92B8
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_1FEB9B605_2_1FEB9B60
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_1FEB937F5_2_1FEB937F
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_1FEB306F5_2_1FEB306F
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_1FEB38505_2_1FEB3850
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_04AE01B718_2_04AE01B7
        Source: Memo_pdf .exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: Memo_pdf .exe, 00000001.00000000.233391573.000000000040E000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameforcing.exe vs Memo_pdf .exe
        Source: Memo_pdf .exe, 00000001.00000002.295304911.0000000000730000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs Memo_pdf .exe
        Source: Memo_pdf .exeBinary or memory string: OriginalFilenameforcing.exe vs Memo_pdf .exe
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: sfc.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: sfc.dllJump to behavior
        Source: 00000005.00000002.503340291.000000001ED47000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000005.00000002.504267732.0000000020730000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000005.00000002.504267732.0000000020730000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000005.00000002.503825718.0000000020110000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000005.00000002.503825718.0000000020110000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: Process Memory Space: RegAsm.exe PID: 6532, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 5.2.RegAsm.exe.20110000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.RegAsm.exe.20110000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 5.2.RegAsm.exe.20730000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.RegAsm.exe.20730000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 5.2.RegAsm.exe.20730000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.RegAsm.exe.20730000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: classification engineClassification label: mal100.rans.troj.evad.winEXE@11/5@20/2
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_1FF212EA AdjustTokenPrivileges,5_2_1FF212EA
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_1FF212B3 AdjustTokenPrivileges,5_2_1FF212B3
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9AJump to behavior
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4388:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6540:120:WilError_01
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{af389471-d32b-4766-99f2-9718e8e07379}
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4400:120:WilError_01
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile created: C:\Users\user\AppData\Local\Temp\tmp7ED7.tmpJump to behavior
        Source: Memo_pdf .exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\Memo_pdf .exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
        Source: C:\Users\user\Desktop\Memo_pdf .exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: Memo_pdf .exeReversingLabs: Detection: 16%
        Source: unknownProcess created: C:\Users\user\Desktop\Memo_pdf .exe 'C:\Users\user\Desktop\Memo_pdf .exe'
        Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\Memo_pdf .exe'
        Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\Memo_pdf .exe'
        Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7ED7.tmp'
        Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 0
        Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\Memo_pdf .exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\Memo_pdf .exe' Jump to behavior
        Source: C:\Users\user\Desktop\Memo_pdf .exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\Memo_pdf .exe' Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7ED7.tmp'Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32Jump to behavior
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
        Source: Binary string: C:\Windows\exe\RegAsm.pdb source: RegAsm.exe, 00000005.00000002.502934391.000000001DBD5000.00000004.00000040.sdmp
        Source: Binary string: C:\Windows\symbols\exe\RegAsm.pdb source: RegAsm.exe, 00000005.00000002.502934391.000000001DBD5000.00000004.00000040.sdmp
        Source: Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.pdb source: RegAsm.exe, 00000005.00000002.502934391.000000001DBD5000.00000004.00000040.sdmp
        Source: Binary string: RegAsm.pdb source: RegAsm.exe, 00000005.00000002.502934391.000000001DBD5000.00000004.00000040.sdmp
        Source: Binary string: indows\RegAsm.pdbpdbAsm.pdbUs source: RegAsm.exe, 00000005.00000002.502934391.000000001DBD5000.00000004.00000040.sdmp
        Source: Binary string: C:\Windows\RegAsm.pdb| source: RegAsm.exe, 00000005.00000002.502934391.000000001DBD5000.00000004.00000040.sdmp
        Source: Binary string: mscorrc.pdb source: RegAsm.exe, 00000005.00000002.503945217.0000000020340000.00000002.00000001.sdmp
        Source: Memo_pdf .exeStatic PE information: real checksum: 0x18418 should be: 0x1134a
        Source: C:\Users\user\Desktop\Memo_pdf .exeCode function: 1_2_0040323D push edi; retf 1_2_00403240
        Source: C:\Users\user\Desktop\Memo_pdf .exeCode function: 1_2_00406EEC pushfd ; ret 1_2_00406EEE
        Source: C:\Users\user\Desktop\Memo_pdf .exeCode function: 1_2_00773478 push eax; ret 1_2_0077347E
        Source: C:\Users\user\Desktop\Memo_pdf .exeCode function: 1_2_00773665 push eax; ret 1_2_00773666
        Source: C:\Users\user\Desktop\Memo_pdf .exeCode function: 1_2_007744F1 push esi; iretd 1_2_007744F2
        Source: C:\Users\user\Desktop\Memo_pdf .exeCode function: 1_2_007744F9 push edi; retf 1_2_007744FA
        Source: C:\Users\user\Desktop\Memo_pdf .exeCode function: 1_2_0077109C push eax; retf 1_2_0077109E
        Source: C:\Users\user\Desktop\Memo_pdf .exeCode function: 1_2_0077516E push ecx; ret 1_2_00775198
        Source: C:\Users\user\Desktop\Memo_pdf .exeCode function: 1_2_0077236B push eax; retf 1_2_00772379
        Source: C:\Users\user\Desktop\Memo_pdf .exeCode function: 1_2_00771137 push eax; retf 1_2_0077113E
        Source: C:\Users\user\Desktop\Memo_pdf .exeCode function: 1_2_00775D04 push eax; retf 1_2_00775D06
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_01105325 pushad ; ret 5_2_01105339
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_01105225 pushad ; ret 5_2_01105239
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_1DAE74AC push ecx; ret 5_2_1DAE74AD
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_1DAE74B8 push ebp; ret 5_2_1DAE74B9
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_1DAE9D46 push eax; retf 5_2_1DAE9D55
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_1DAE9D58 pushad ; retf 5_2_1DAE9D59
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_008F27D0 push cs; ret 18_2_008F27D6

        Boot Survival:

        barindex
        Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
        Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7ED7.tmp'

        Hooking and other Techniques for Hiding and Protection:

        barindex
        Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe:Zone.Identifier read attributes | deleteJump to behavior
        Source: C:\Users\user\Desktop\Memo_pdf .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

        Malware Analysis System Evasion:

        barindex
        Detected RDTSC dummy instruction sequence (likely for instruction hammering)Show sources
        Source: C:\Users\user\Desktop\Memo_pdf .exeRDTSC instruction interceptor: First address: 000000000077396F second address: 000000000077396F instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FBC08B114C8h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f test ah, bh 0x00000021 test bl, dl 0x00000023 pop ecx 0x00000024 test dl, cl 0x00000026 cmp bx, F3EAh 0x0000002b add edi, edx 0x0000002d dec ecx 0x0000002e cmp di, 286Ch 0x00000033 cmp ecx, 00000000h 0x00000036 jne 00007FBC08B114A1h 0x00000038 push ecx 0x00000039 cmp al, bl 0x0000003b call 00007FBC08B115E9h 0x00000040 call 00007FBC08B114DAh 0x00000045 lfence 0x00000048 mov edx, dword ptr [7FFE0014h] 0x0000004e lfence 0x00000051 ret 0x00000052 mov esi, edx 0x00000054 pushad 0x00000055 rdtsc
        Tries to detect Any.runShow sources
        Source: C:\Users\user\Desktop\Memo_pdf .exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exeJump to behavior
        Source: C:\Users\user\Desktop\Memo_pdf .exeFile opened: C:\Program Files\qga\qga.exeJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exeJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile opened: C:\Program Files\qga\qga.exeJump to behavior
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
        Source: RegAsm.exe, 00000005.00000002.497890280.0000000001100000.00000040.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
        Tries to detect virtualization through RDTSC time measurementsShow sources
        Source: C:\Users\user\Desktop\Memo_pdf .exeRDTSC instruction interceptor: First address: 0000000000770514 second address: 000000000077396F instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 call 00007FBC08762FA8h 0x00000008 call 00007FBC0875F994h 0x0000000d xor edi, edi 0x0000000f mov ecx, 00A95F60h 0x00000014 nop 0x00000015 push ecx 0x00000016 cmp al, bl 0x00000018 call 00007FBC0875FC39h 0x0000001d call 00007FBC0875FB2Ah 0x00000022 lfence 0x00000025 mov edx, dword ptr [7FFE0014h] 0x0000002b lfence 0x0000002e ret 0x0000002f mov esi, edx 0x00000031 pushad 0x00000032 rdtsc
        Source: C:\Users\user\Desktop\Memo_pdf .exeRDTSC instruction interceptor: First address: 000000000077396F second address: 000000000077396F instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FBC08B114C8h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f test ah, bh 0x00000021 test bl, dl 0x00000023 pop ecx 0x00000024 test dl, cl 0x00000026 cmp bx, F3EAh 0x0000002b add edi, edx 0x0000002d dec ecx 0x0000002e cmp di, 286Ch 0x00000033 cmp ecx, 00000000h 0x00000036 jne 00007FBC08B114A1h 0x00000038 push ecx 0x00000039 cmp al, bl 0x0000003b call 00007FBC08B115E9h 0x00000040 call 00007FBC08B114DAh 0x00000045 lfence 0x00000048 mov edx, dword ptr [7FFE0014h] 0x0000004e lfence 0x00000051 ret 0x00000052 mov esi, edx 0x00000054 pushad 0x00000055 rdtsc
        Source: C:\Users\user\Desktop\Memo_pdf .exeRDTSC instruction interceptor: First address: 0000000000773B71 second address: 0000000000773B71 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007FBC0876283Ah 0x0000001f popad 0x00000020 call 00007FBC0875FB21h 0x00000025 lfence 0x00000028 rdtsc
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeRDTSC instruction interceptor: First address: 0000000001103B71 second address: 0000000001103B71 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007FBC08B141EAh 0x0000001f popad 0x00000020 call 00007FBC08B114D1h 0x00000025 lfence 0x00000028 rdtsc
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_01100529 rdtsc 5_2_01100529
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWindow / User API: threadDelayed 981Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWindow / User API: foregroundWindowGot 688Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 900Thread sleep time: -1844674407370954s >= -30000sJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4872Thread sleep time: -220000s >= -30000sJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6384Thread sleep time: -922337203685477s >= -30000sJump to behavior
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_1FF21012 GetSystemInfo,5_2_1FF21012
        Source: RegAsm.exe, 00000005.00000002.504889736.0000000020C30000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
        Source: RegAsm.exe, 00000005.00000003.354174347.00000000014E6000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
        Source: RegAsm.exe, 00000005.00000002.504889736.0000000020C30000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
        Source: RegAsm.exe, 00000005.00000002.504889736.0000000020C30000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
        Source: RegAsm.exe, 00000005.00000002.497890280.0000000001100000.00000040.00000001.sdmpBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
        Source: RegAsm.exe, 00000005.00000002.504889736.0000000020C30000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information queried: ProcessInformationJump to behavior

        Anti Debugging:

        barindex
        Contains functionality to hide a thread from the debuggerShow sources
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_0110057A NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,00000000,00000004,00000000,000000005_2_0110057A
        Hides threads from debuggersShow sources
        Source: C:\Users\user\Desktop\Memo_pdf .exeThread information set: HideFromDebuggerJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeThread information set: HideFromDebuggerJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeThread information set: HideFromDebuggerJump to behavior
        Source: C:\Users\user\Desktop\Memo_pdf .exeProcess queried: DebugPortJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess queried: DebugPortJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_01100529 rdtsc 5_2_01100529
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_01104A49 LdrInitializeThunk,5_2_01104A49
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_011065BC mov eax, dword ptr fs:[00000030h]5_2_011065BC
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_011026CB mov eax, dword ptr fs:[00000030h]5_2_011026CB
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_0110237C mov eax, dword ptr fs:[00000030h]5_2_0110237C
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_01106E59 mov eax, dword ptr fs:[00000030h]5_2_01106E59
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_01106044 mov eax, dword ptr fs:[00000030h]5_2_01106044
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_01101CBC mov eax, dword ptr fs:[00000030h]5_2_01101CBC
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_011036A0 mov eax, dword ptr fs:[00000030h]5_2_011036A0
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess token adjusted: DebugJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeMemory allocated: page read and write | page guardJump to behavior

        HIPS / PFW / Operating System Protection Evasion:

        barindex
        Writes to foreign memory regionsShow sources
        Source: C:\Users\user\Desktop\Memo_pdf .exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 1100000Jump to behavior
        Source: C:\Users\user\Desktop\Memo_pdf .exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\Memo_pdf .exe' Jump to behavior
        Source: C:\Users\user\Desktop\Memo_pdf .exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\Memo_pdf .exe' Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7ED7.tmp'Jump to behavior
        Source: RegAsm.exe, 00000005.00000002.503068984.000000001DD8E000.00000004.00000001.sdmpBinary or memory string: Program Manager
        Source: RegAsm.exe, 00000005.00000002.498697919.0000000001960000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
        Source: RegAsm.exe, 00000005.00000002.498413031.0000000001536000.00000004.00000020.sdmpBinary or memory string: rsion=2.0.0.Program Manager
        Source: RegAsm.exe, 00000005.00000002.498697919.0000000001960000.00000002.00000001.sdmpBinary or memory string: Progman
        Source: RegAsm.exe, 00000005.00000002.498697919.0000000001960000.00000002.00000001.sdmpBinary or memory string: SProgram Managerl
        Source: RegAsm.exe, 00000005.00000002.498697919.0000000001960000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd,
        Source: RegAsm.exe, 00000005.00000002.498697919.0000000001960000.00000002.00000001.sdmpBinary or memory string: Progmanlock
        Source: RegAsm.exe, 00000005.00000002.504474207.00000000208B9000.00000004.00000001.sdmpBinary or memory string: Program Managersoft.NET\Framework\v2.0.50727\RegAsm.exe