
Analysis Report DHL#DOCUMENTS001010.PDF.exe

Overview

General Information

Sample Name: DHL#DOCUMENTS001010.PDF.exe
Analysis ID: 431780
MD5: b7fece0a9529306a2644ce102fe2d86a
SHA1: 767fcf70a98dd70d9035dfe4fcca04e17cdebfde
SHA256: f9284667090735eccb6110c4c9e33122890570b6f10798ef57370740c4d9db6d
Tags: exe, NanoCore

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • DHL#DOCUMENTS001010.PDF.exe (PID: 6964 cmdline: 'C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe' MD5: B7FECE0A9529306A2644CE102FE2D86A)
    • RegAsm.exe (PID: 7020 cmdline: C:\Users\user\AppData\Local\Temp\RegAsm.exe hjhjkfk MD5: 6FD7592411112729BF6B1F2F6C34899F)
  • bhjhjkek.exe (PID: 6868 cmdline: 'C:\Users\user\AppData\Local\bhjhjkek.exe' MD5: B7FECE0A9529306A2644CE102FE2D86A)
    • RegAsm.exe (PID: 5868 cmdline: C:\Users\user\AppData\Local\Temp\RegAsm.exe hjhjkfk MD5: 6FD7592411112729BF6B1F2F6C34899F)
  • bhjhjkek.exe (PID: 5456 cmdline: 'C:\Users\user\AppData\Local\bhjhjkek.exe' MD5: B7FECE0A9529306A2644CE102FE2D86A)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "ba5f434c-3370-4fb7-bec8-4c7f593d", "Group": "Grace", "Domain1": "23.105.131.142", "Domain2": "startedhere.ddns.net", "Port": 2092, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Initial Sample

Source | Rule | Description | Author
DHL#DOCUMENTS001010.PDF.exe | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security

Dropped Files

Source | Rule | Description | Author
C:\Users\user\AppData\Local\bhjhjkek.exe | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.767317369.00000000030F1000.00000004.00000001.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
0000000E.00000002.910382533.00000000007C2000.00000002.00020000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
0000000B.00000002.919456791.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000B.00000002.919456791.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000000B.00000002.919456791.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
(112 further memory-dump entries not shown)

Unpacked PEs

Source | Rule | Description | Author
0.2.DHL#DOCUMENTS001010.PDF.exe.43789c8.10.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.DHL#DOCUMENTS001010.PDF.exe.43789c8.10.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe105:$x1: NanoCore Client.exe
  • 0xe38d:$x2: NanoCore.ClientPluginHost
  • 0xf9c6:$s1: PluginCommand
  • 0xf9ba:$s2: FileCommand
  • 0x1086b:$s3: PipeExists
  • 0x16622:$s4: PipeCreated
  • 0xe3b7:$s5: IClientLoggingHost
0.2.DHL#DOCUMENTS001010.PDF.exe.43789c8.10.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0.2.DHL#DOCUMENTS001010.PDF.exe.43789c8.10.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xe0f5:$a: NanoCore
  • 0xe105:$a: NanoCore
  • 0xe339:$a: NanoCore
  • 0xe34d:$a: NanoCore
  • 0xe38d:$a: NanoCore
  • 0xe154:$b: ClientPlugin
  • 0xe356:$b: ClientPlugin
  • 0xe396:$b: ClientPlugin
  • 0xe27b:$c: ProjectData
  • 0xec82:$d: DESCrypto
  • 0x1664e:$e: KeepAlive
  • 0x1463c:$g: LogClientMessage
  • 0x10837:$i: get_Connected
  • 0xefb8:$j: #=q
  • 0xefe8:$j: #=q
  • 0xf004:$j: #=q
  • 0xf034:$j: #=q
  • 0xf050:$j: #=q
  • 0xf06c:$j: #=q
  • 0xf09c:$j: #=q
  • 0xf0b8:$j: #=q
11.2.RegAsm.exe.68d0000.22.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x2dbb:$x1: NanoCore.ClientPluginHost
  • 0x2de5:$x2: IClientNetworkHost
(242 further unpacked-PE entries not shown)

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ProcessId: 7020, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore (same run.dat file-creation event as under AV Detection)

System Summary:

Sigma detected: Possible Applocker Bypass
Source: Process started; Author: juju4; Data: Command: C:\Users\user\AppData\Local\Temp\RegAsm.exe hjhjkfk, CommandLine: C:\Users\user\AppData\Local\Temp\RegAsm.exe hjhjkfk, CommandLine|base64offset|contains: 8c, Image: C:\Users\user\AppData\Local\Temp\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ParentCommandLine: 'C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe', ParentImage: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe, ParentProcessId: 6964, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\RegAsm.exe hjhjkfk, ProcessId: 7020

Stealing of Sensitive Information:

Sigma detected: NanoCore (same run.dat file-creation event as under AV Detection)

Remote Access Functionality:

Sigma detected: NanoCore (same run.dat file-creation event as under AV Detection)

              Signature Overview

              AV Detection:

Found malware configuration
Source: 00000013.00000002.921730326.0000000003ED9000.00000004.00000001.sdmp; Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "ba5f434c-3370-4fb7-bec8-4c7f593d", "Group": "Grace", "Domain1": "23.105.131.142", "Domain2": "startedhere.ddns.net", "Port": 2092, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Multi AV Scanner detection for domain / URL
Source: startedhere.ddns.net; Virustotal: Detection: 8%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\bhjhjkek.exe; Virustotal: Detection: 44%
Source: C:\Users\user\AppData\Local\bhjhjkek.exe; Metadefender: Detection: 22%
Source: C:\Users\user\AppData\Local\bhjhjkek.exe; ReversingLabs: Detection: 31%
(bhjhjkek.exe carries the same MD5 as the submitted sample, see the Process Tree, so the identical detection ratios reflect one file under two names)
Multi AV Scanner detection for submitted file
Source: DHL#DOCUMENTS001010.PDF.exe; Virustotal: Detection: 44%
Source: DHL#DOCUMENTS001010.PDF.exe; Metadefender: Detection: 22%
Source: DHL#DOCUMENTS001010.PDF.exe; ReversingLabs: Detection: 31%
Yara detected Nanocore RAT
Source: Yara match; File source: 0000000B.00000002.919456791.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.923323005.00000000038C8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.927086659.0000000005DD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000002.921730326.0000000003ED9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.916788361.0000000003E8A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000000.902721900.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.923206884.0000000003E7F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.917015051.0000000003F69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.768500563.000000000424A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.921992403.0000000002E21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000000.765891937.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.923195254.0000000003829000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.768627185.0000000004329000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.917166768.0000000004008000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000000.903322514.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.768765358.00000000043C8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000000.765519849.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000002.921433877.0000000002ED1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000002.919456275.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.923041905.000000000374A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.923284531.0000000003EF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: DHL#DOCUMENTS001010.PDF.exe PID: 6964, type: MEMORY
Source: Yara match; File source: Process Memory Space: RegAsm.exe PID: 7020, type: MEMORY
Source: Yara match; File source: Process Memory Space: RegAsm.exe PID: 5868, type: MEMORY
Source: Yara match; File source: Process Memory Space: bhjhjkek.exe PID: 6868, type: MEMORY
Source: Yara match; File source: Process Memory Space: bhjhjkek.exe PID: 5456, type: MEMORY
Source: Yara match; File source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43789c8.10.unpack, type: UNPACKEDPE
Source: Yara match; File source: 14.2.bhjhjkek.exe.40089e8.11.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.RegAsm.exe.5dd0000.19.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 19.2.RegAsm.exe.3f1ff64.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 19.2.RegAsm.exe.3f2458d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43509a8.11.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43c89e8.12.unpack, type: UNPACKEDPE
Source: Yara match; File source: 19.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.bhjhjkek.exe.38509a8.11.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 14.2.bhjhjkek.exe.3fb89c8.10.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.RegAsm.exe.5dd0000.19.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.RegAsm.exe.3e88a30.9.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 14.2.bhjhjkek.exe.40089e8.11.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 14.2.bhjhjkek.exe.3fb89c8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 14.2.bhjhjkek.exe.3f909a8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.bhjhjkek.exe.38789c8.10.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43789c8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.RegAsm.exe.3e88a30.9.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.bhjhjkek.exe.38c89e8.12.unpack, type: UNPACKEDPE
Source: Yara match; File source: 14.2.bhjhjkek.exe.3e8af78.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.bhjhjkek.exe.374af78.9.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.bhjhjkek.exe.38c89e8.12.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.bhjhjkek.exe.38789c8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 19.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 19.2.RegAsm.exe.3f1ff64.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.RegAsm.exe.5dd4629.20.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 19.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 14.2.bhjhjkek.exe.3f909a8.9.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.RegAsm.exe.3e8d059.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.DHL#DOCUMENTS001010.PDF.exe.424af78.9.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43c89e8.12.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43509a8.11.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.bhjhjkek.exe.38509a8.11.unpack, type: UNPACKEDPE
Source: Yara match; File source: 19.2.RegAsm.exe.3f1b12e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.RegAsm.exe.3faba4d.12.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.RegAsm.exe.3f9f819.11.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.RegAsm.exe.3fc007a.10.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\bhjhjkek.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: DHL#DOCUMENTS001010.PDF.exe; Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 11.0.RegAsm.exe.400000.3.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 19.0.RegAsm.exe.400000.3.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.2.RegAsm.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.2.RegAsm.exe.5dd0000.19.unpack; Avira: Label: TR/NanoCore.fadte
Source: 19.0.RegAsm.exe.400000.1.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.0.RegAsm.exe.400000.1.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 19.2.RegAsm.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: DHL#DOCUMENTS001010.PDF.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: DHL#DOCUMENTS001010.PDF.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RegAsm.pdb (found in: RegAsm.exe, RegAsm.exe.0.dr)
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb (found in: RegAsm.exe, 0000000B.00000002.921992403.0000000002E21000.00000004.00000001.sdmp)
Source: Binary string: RegAsm.pdb4 (found in: DHL#DOCUMENTS001010.PDF.exe, 00000000.00000003.764056703.00000000013F6000.00000004.00000001.sdmp; RegAsm.exe, 0000000B.00000002.919538476.00000000009A2000.00000002.00020000.sdmp; RegAsm.exe, 00000013.00000000.902750258.0000000000B52000.00000002.00020000.sdmp; RegAsm.exe.0.dr)
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb (found in: RegAsm.exe, 0000000B.00000002.921992403.0000000002E21000.00000004.00000001.sdmp)
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb (found in: RegAsm.exe, 0000000B.00000002.921992403.0000000002E21000.00000004.00000001.sdmp)
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb (found in: RegAsm.exe, 0000000B.00000002.921992403.0000000002E21000.00000004.00000001.sdmp)
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb (found in: RegAsm.exe, 0000000B.00000002.921992403.0000000002E21000.00000004.00000001.sdmp)
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb (found in: RegAsm.exe, 0000000B.00000002.921992403.0000000002E21000.00000004.00000001.sdmp)
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe; Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h
Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe; Code function: 4x nop then mov ecx, dword ptr [ebp-38h]
Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe; Code function: 4x nop then mov dword ptr [ebp-20h], 7FFFFFFFh
Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe; Code function: 4x nop then mov ecx, dword ptr [ebp-38h]
Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe; Code function: 4x nop then mov dword ptr [ebp-20h], 7FFFFFFFh
Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe; Code function: 4x nop then mov dword ptr [ebp-20h], 7FFFFFFFh
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe; Code function: 4x nop then lea esp, dword ptr [ebp-04h]
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe; Code function: 4x nop then lea esp, dword ptr [ebp-04h]
Source: C:\Users\user\AppData\Local\bhjhjkek.exe; Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h
Source: C:\Users\user\AppData\Local\bhjhjkek.exe; Code function: 4x nop then mov ecx, dword ptr [ebp-38h]
Source: C:\Users\user\AppData\Local\bhjhjkek.exe; Code function: 4x nop then mov dword ptr [ebp-20h], 7FFFFFFFh
Source: C:\Users\user\AppData\Local\bhjhjkek.exe; Code function: 4x nop then mov ecx, dword ptr [ebp-38h]
Source: C:\Users\user\AppData\Local\bhjhjkek.exe; Code function: 4x nop then mov dword ptr [ebp-20h], 7FFFFFFFh
Source: C:\Users\user\AppData\Local\bhjhjkek.exe; Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h

              Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49765 -> 23.105.131.142:2092
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: startedhere.ddns.net
Source: Malware configuration extractor; URLs: 23.105.131.142
Detected TCP or UDP traffic on non-standard ports
Source: global traffic; TCP traffic: 192.168.2.4:49765 -> 23.105.131.142:2092
IP address seen in connection with other malware
Source: Joe Sandbox View; IP Address: 23.105.131.142
Internet Provider seen in connection with other malware
Source: Joe Sandbox View; ASN Name: LEASEWEB-USA-NYC-11US
Source: unknown; TCP traffic detected without corresponding DNS query: 23.105.131.142 (reported 50 times in the original listing)
Source: DHL#DOCUMENTS001010.PDF.exe; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: DHL#DOCUMENTS001010.PDF.exe; String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: DHL#DOCUMENTS001010.PDF.exe; String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: DHL#DOCUMENTS001010.PDF.exe; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: DHL#DOCUMENTS001010.PDF.exe; String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: DHL#DOCUMENTS001010.PDF.exe; String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: DHL#DOCUMENTS001010.PDF.exe; String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: RegAsm.exe, 0000000B.00000002.921992403.0000000002E21000.00000004.00000001.sdmp; String found in binary or memory: http://google.com
Source: DHL#DOCUMENTS001010.PDF.exe; String found in binary or memory: http://ocsp.digicert.com0C
Source: DHL#DOCUMENTS001010.PDF.exe; String found in binary or memory: http://ocsp.digicert.com0N
Source: DHL#DOCUMENTS001010.PDF.exe; String found in binary or memory: http://ocsp.thawte.com0
Source: DHL#DOCUMENTS001010.PDF.exe; String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: DHL#DOCUMENTS001010.PDF.exe; String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: DHL#DOCUMENTS001010.PDF.exe; String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: DHL#DOCUMENTS001010.PDF.exe; String found in binary or memory: https://www.digicert.com/CPS0
(The DigiCert, Thawte and Symantec URLs above are CRL, OCSP and AIA pointers from the Authenticode certificate chain embedded in the sample, which the report separately flags as invalid; the trailing characters such as "crt0", "crl0O" or "com0C" are adjacent DER bytes picked up by the string scan, not part of the URL, and none of these URLs are C2 indicators.)
Source: DHL#DOCUMENTS001010.PDF.exe, 00000000.00000002.766910530.0000000001368000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Installs a raw input device (often for capturing keystrokes)
Source: RegAsm.exe, 0000000B.00000002.927086659.0000000005DD0000.00000004.00000001.sdmp; Binary or memory string: RegisterRawInputDevices

              E-Banking Fraud:

              Yara detected Nanocore RAT
              Source: Yara match | File source: 0000000B.00000002.919456791.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000011.00000002.923323005.00000000038C8000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000002.927086659.0000000005DD0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000013.00000002.921730326.0000000003ED9000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000002.916788361.0000000003E8A000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000013.00000000.902721900.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000002.923206884.0000000003E7F000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000002.917015051.0000000003F69000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.768500563.000000000424A000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000002.921992403.0000000002E21000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000000.765891937.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000011.00000002.923195254.0000000003829000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.768627185.0000000004329000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000002.917166768.0000000004008000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000013.00000000.903322514.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.768765358.00000000043C8000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000000.765519849.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000013.00000002.921433877.0000000002ED1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000013.00000002.919456275.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000011.00000002.923041905.000000000374A000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000002.923284531.0000000003EF0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: DHL#DOCUMENTS001010.PDF.exe PID: 6964, type: MEMORY
              Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 7020, type: MEMORY
              Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 5868, type: MEMORY
              Source: Yara match | File source: Process Memory Space: bhjhjkek.exe PID: 6868, type: MEMORY
              Source: Yara match | File source: Process Memory Space: bhjhjkek.exe PID: 5456, type: MEMORY
              Source: Yara match | File source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43789c8.10.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.2.bhjhjkek.exe.40089e8.11.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.2.RegAsm.exe.5dd0000.19.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 19.2.RegAsm.exe.3f1ff64.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 19.2.RegAsm.exe.3f2458d.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43509a8.11.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43c89e8.12.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 19.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 17.2.bhjhjkek.exe.38509a8.11.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.2.bhjhjkek.exe.3fb89c8.10.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.2.RegAsm.exe.5dd0000.19.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.2.RegAsm.exe.3e88a30.9.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.2.bhjhjkek.exe.40089e8.11.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.2.bhjhjkek.exe.3fb89c8.10.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.2.bhjhjkek.exe.3f909a8.9.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 17.2.bhjhjkek.exe.38789c8.10.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43789c8.10.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.2.RegAsm.exe.3e88a30.9.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 17.2.bhjhjkek.exe.38c89e8.12.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.2.bhjhjkek.exe.3e8af78.8.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 17.2.bhjhjkek.exe.374af78.9.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 17.2.bhjhjkek.exe.38c89e8.12.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 17.2.bhjhjkek.exe.38789c8.10.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 19.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 19.2.RegAsm.exe.3f1ff64.4.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.2.RegAsm.exe.5dd4629.20.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 19.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.2.bhjhjkek.exe.3f909a8.9.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.2.RegAsm.exe.3e8d059.8.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.DHL#DOCUMENTS001010.PDF.exe.424af78.9.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43c89e8.12.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43509a8.11.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 17.2.bhjhjkek.exe.38509a8.11.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 19.2.RegAsm.exe.3f1b12e.5.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.2.RegAsm.exe.3faba4d.12.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.2.RegAsm.exe.3f9f819.11.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.2.RegAsm.exe.3fc007a.10.raw.unpack, type: UNPACKEDPE

              System Summary:

              Malicious sample detected (through community Yara rule)
              Source: 0000000B.00000002.919456791.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 0000000B.00000002.919456791.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0000000B.00000002.928006695.0000000006AA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 00000011.00000002.923323005.00000000038C8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 00000011.00000002.923323005.00000000038C8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0000000B.00000002.927086659.0000000005DD0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 0000000B.00000002.927717545.00000000068D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 0000000B.00000002.927972563.0000000006A90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 0000000B.00000002.928481566.0000000006B30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 00000013.00000002.921730326.0000000003ED9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0000000E.00000002.916788361.0000000003E8A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 0000000E.00000002.916788361.0000000003E8A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000013.00000000.902721900.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 00000013.00000000.902721900.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0000000B.00000002.927934540.0000000006A80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 0000000B.00000002.928049608.0000000006AB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 0000000E.00000002.917015051.0000000003F69000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 0000000E.00000002.917015051.0000000003F69000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000000.00000002.768500563.000000000424A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 00000000.00000002.768500563.000000000424A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0000000B.00000002.921992403.0000000002E21000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0000000B.00000000.765891937.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 0000000B.00000000.765891937.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000011.00000002.923195254.0000000003829000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 00000011.00000002.923195254.0000000003829000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0000000B.00000002.927902201.0000000006A70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 0000000B.00000002.923629464.000000000410E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0000000B.00000002.928268197.0000000006AF0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 00000000.00000002.768627185.0000000004329000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 00000000.00000002.768627185.0000000004329000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000011.00000002.922180168.00000000027EC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 00000011.00000002.922180168.00000000027EC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0000000E.00000002.917166768.0000000004008000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 0000000E.00000002.917166768.0000000004008000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0000000B.00000002.928208155.0000000006AE0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 0000000B.00000002.927748989.00000000068E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 00000000.00000002.767390433.0000000003140000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 00000000.00000002.767390433.0000000003140000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000013.00000000.903322514.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 00000013.00000000.903322514.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000000.00000002.768765358.00000000043C8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 00000000.00000002.768765358.00000000043C8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0000000B.00000000.765519849.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 0000000B.00000000.765519849.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000013.00000002.921433877.0000000002ED1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0000000B.00000002.926591236.00000000054A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 0000000B.00000002.927857463.0000000006A50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 0000000B.00000002.928087795.0000000006AC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 00000013.00000002.919456275.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 00000013.00000002.919456275.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000011.00000002.923041905.000000000374A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 00000011.00000002.923041905.000000000374A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0000000B.00000002.923284531.0000000003EF0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0000000E.00000002.914492634.0000000002E66000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 0000000E.00000002.914492634.0000000002E66000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: Process Memory Space: DHL#DOCUMENTS001010.PDF.exe PID: 6964, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: Process Memory Space: DHL#DOCUMENTS001010.PDF.exe PID: 6964, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: Process Memory Space: RegAsm.exe PID: 7020, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: Process Memory Space: RegAsm.exe PID: 7020, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: Process Memory Space: RegAsm.exe PID: 5868, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: Process Memory Space: RegAsm.exe PID: 5868, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: Process Memory Space: bhjhjkek.exe PID: 6868, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: Process Memory Space: bhjhjkek.exe PID: 6868, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: Process Memory Space: bhjhjkek.exe PID: 5456, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: Process Memory Space: bhjhjkek.exe PID: 5456, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43789c8.10.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43789c8.10.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 11.2.RegAsm.exe.68d0000.22.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 11.2.RegAsm.exe.6b30000.35.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 11.2.RegAsm.exe.2eb1188.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 11.2.RegAsm.exe.4173246.14.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 14.2.bhjhjkek.exe.40089e8.11.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 14.2.bhjhjkek.exe.40089e8.11.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 11.2.RegAsm.exe.6aa0000.28.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 11.2.RegAsm.exe.5dd0000.19.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 19.2.RegAsm.exe.3f1ff64.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 11.2.RegAsm.exe.3e2e5cf.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 11.2.RegAsm.exe.68d0000.22.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 17.2.bhjhjkek.exe.2835ae0.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 17.2.bhjhjkek.exe.2835ae0.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 11.2.RegAsm.exe.6aa0000.28.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 11.2.RegAsm.exe.2ea4f40.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 19.2.RegAsm.exe.3f2458d.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43509a8.11.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43509a8.11.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43c89e8.12.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43c89e8.12.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 19.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 19.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 11.2.RegAsm.exe.6af4c9f.34.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 11.2.RegAsm.exe.6b30000.35.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 11.2.RegAsm.exe.6a80000.26.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 11.2.RegAsm.exe.3faba4d.12.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 11.2.RegAsm.exe.6ae0000.31.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 17.2.bhjhjkek.exe.38509a8.11.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 17.2.bhjhjkek.exe.38509a8.11.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 14.2.bhjhjkek.exe.3fb89c8.10.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 14.2.bhjhjkek.exe.3fb89c8.10.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 11.2.RegAsm.exe.416a417.15.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 11.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 11.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 14.2.bhjhjkek.exe.2eb0238.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 14.2.bhjhjkek.exe.2eb0238.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 11.2.RegAsm.exe.6ab0000.29.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 11.2.RegAsm.exe.5dd0000.19.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 11.2.RegAsm.exe.6a70000.25.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 11.2.RegAsm.exe.3e88a30.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 14.2.bhjhjkek.exe.40089e8.11.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 14.2.bhjhjkek.exe.40089e8.11.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 11.2.RegAsm.exe.6a70000.25.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 11.2.RegAsm.exe.3e381d4.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 14.2.bhjhjkek.exe.3fb89c8.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 14.2.bhjhjkek.exe.3fb89c8.10.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.3394278.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.3394278.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 14.2.bhjhjkek.exe.3f909a8.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 14.2.bhjhjkek.exe.3f909a8.9.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 11.2.RegAsm.exe.4181676.13.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 17.2.bhjhjkek.exe.38789c8.10.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 17.2.bhjhjkek.exe.38789c8.10.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43789c8.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 11.2.RegAsm.exe.3f9f819.11.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43789c8.10.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 11.2.RegAsm.exe.68e0000.23.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 11.2.RegAsm.exe.3e88a30.9.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 17.2.bhjhjkek.exe.38c89e8.12.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 17.2.bhjhjkek.exe.38c89e8.12.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 14.2.bhjhjkek.exe.3e8af78.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 14.2.bhjhjkek.exe.3e8af78.8.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 11.2.RegAsm.exe.3e29930.7.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 17.2.bhjhjkek.exe.374af78.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 17.2.bhjhjkek.exe.374af78.9.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 17.2.bhjhjkek.exe.38c89e8.12.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 17.2.bhjhjkek.exe.38c89e8.12.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 11.2.RegAsm.exe.4173246.14.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 11.2.RegAsm.exe.6afe8a4.32.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 19.2.RegAsm.exe.2f39658.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 11.2.RegAsm.exe.68e0000.23.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 17.2.bhjhjkek.exe.38789c8.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 17.2.bhjhjkek.exe.38789c8.10.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 11.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 11.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 19.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 19.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 19.2.RegAsm.exe.3f1ff64.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 11.2.RegAsm.exe.5dd4629.20.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 11.2.RegAsm.exe.3e29930.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 11.2.RegAsm.exe.2ea4f40.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 11.2.RegAsm.exe.6a50000.24.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 11.2.RegAsm.exe.416a417.15.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 11.2.RegAsm.exe.416a417.15.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 11.2.RegAsm.exe.6ac0000.30.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 11.2.RegAsm.exe.6ae0000.31.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 11.2.RegAsm.exe.6ab0000.29.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 11.2.RegAsm.exe.6a80000.26.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 19.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 19.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 14.2.bhjhjkek.exe.3f909a8.9.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 14.2.bhjhjkek.exe.3f909a8.9.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 11.2.RegAsm.exe.4181676.13.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 11.2.RegAsm.exe.3e8d059.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.424af78.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.424af78.9.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 11.2.RegAsm.exe.6af0000.33.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 11.2.RegAsm.exe.6ac0000.30.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43c89e8.12.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43c89e8.12.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 17.2.bhjhjkek.exe.2835ae0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 17.2.bhjhjkek.exe.2835ae0.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 11.2.RegAsm.exe.6a90000.27.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43509a8.11.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43509a8.11.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
              Source: 11.2.RegAsm.exe.54a0000.18.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 17.2.bhjhjkek.exe.38509a8.11.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
              Source: 17.2.bhjhjkek.exe.38509a8.11.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 19.2.RegAsm.exe.3f1b12e.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 19.2.RegAsm.exe.3f1b12e.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 11.2.RegAsm.exe.2eb1188.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 14.2.bhjhjkek.exe.2eb0238.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 11.2.RegAsm.exe.6af0000.33.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 14.2.bhjhjkek.exe.2eb0238.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 11.2.RegAsm.exe.2e79fc4.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 11.2.RegAsm.exe.3faba4d.12.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.3394278.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.3394278.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 11.2.RegAsm.exe.3f9f819.11.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 11.2.RegAsm.exe.3fc007a.10.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
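The "Source:" column of these matches encodes where each dump came from. An unpacked-PE name such as 11.2.RegAsm.exe.5dd4629.20.raw.unpack carries the PID (11), a stage number (2), the process image name, the base address in hex and a dump index; the .sdmp names used by the memory-dump matches later in this section carry the PID, stage, base address and page protection as hex fields (0000000B is PID 11, 00000040 is PAGE_EXECUTE_READWRITE). Grouping the hits per process makes the picture readable: both NanoCore rules fire on the region at 0x402000 in the RegAsm.exe processes (PIDs 11 and 19), and that region is writable and executable. The Python below is an added example, not Joe Sandbox code: the field names are my reading of the identifier formats, the PID-to-process mapping is learned from the .unpack names, and the sample lines are copied from this report into a constructed list.

```python
"""Parse both 'Source:' identifier styles used in the Yara match lines and group
rule hits per process. Added example; field names for the identifiers are my
reading of the format, not a documented Joe Sandbox schema."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Page protection constants from winnt.h (standard Windows values).
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}

# <pid>.<stage>.<process>.<base hex>.<index>[.raw].unpack  (process may contain dots)
UNPACK_RE = re.compile(r"^(\d+)\.(\d+)\.(.+)\.([0-9a-fA-F]+)\.(\d+)(\.raw)?\.unpack$")
# <pid hex>.<stage hex>.<dump id>.<base hex>.<protect hex>.<type hex>.sdmp
SDMP_RE = re.compile(r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})\."
                     r"([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$")
# Accepts both the fused "MEMORYMatched rule:" and the separated "MEMORY | Matched rule:" layout.
LINE_RE = re.compile(r"Source:\s*(\S+),\s*type:\s*(UNPACKEDPE|MEMORY)\s*\|?\s*Matched rule:\s*"
                     r"(.+?)(?=\s+Author:|\s+date\s*=|\s*$)")


def parse_source(src: str) -> Optional[dict]:
    """Decode one source identifier; returns None for anything unrecognised."""
    m = UNPACK_RE.match(src)
    if m:
        pid, stage, proc, base, _idx, raw = m.groups()
        return {"pid": int(pid), "stage": int(stage), "process": proc,
                "base": int(base, 16), "protect": None, "raw": raw is not None}
    m = SDMP_RE.match(src)
    if m:
        pid, stage, _dump_id, base, protect, _mtype = m.groups()
        p = int(protect, 16)
        return {"pid": int(pid, 16), "stage": int(stage, 16), "process": None,
                "base": int(base, 16), "protect": p,
                "protect_name": PAGE_PROTECT.get(p & 0xFF, "0x%X" % p), "raw": False}
    return None


def group_hits(lines: List[str]) -> Tuple[Dict[str, Set[Tuple[int, str]]], Set[Tuple[str, int]]]:
    """Return ({process: {(base, rule)}}, {(process, base) with RWX protection}).
    Two passes: the .unpack names teach us which PID is which process, so .sdmp
    lines can be attributed even when they appear first."""
    pid_names: Dict[int, str] = {}
    parsed = []
    for line in lines:
        lm = LINE_RE.search(line)
        if not lm:
            continue
        info = parse_source(lm.group(1))
        if info is None:
            continue
        if info["process"]:
            pid_names[info["pid"]] = info["process"]
        parsed.append((info, lm.group(3)))
    hits: Dict[str, Set[Tuple[int, str]]] = defaultdict(set)
    rwx: Set[Tuple[str, int]] = set()
    for info, rule in parsed:
        proc = pid_names.get(info["pid"], "pid %d" % info["pid"])
        hits[proc].add((info["base"], rule))
        if info["protect"] in (0x40, 0x80):      # writable and executable
            rwx.add((proc, info["base"]))
    return dict(hits), rwx


# Constructed input: lines copied from this report.
SAMPLE_LINES = [
    "Source: 11.2.RegAsm.exe.5dd4629.20.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth",
    "Source: 19.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>",
    "Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.424af78.9.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth",
    "Source: 14.2.bhjhjkek.exe.3f909a8.9.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>",
    "Source: 0000000B.00000002.919456791.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, author = Florian Roth",
    "Source: 00000013.00000000.902721900.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>",
    "Source: 00000000.00000002.768500563.000000000424A000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, author = Florian Roth",
]

if __name__ == "__main__":
    hits, rwx = group_hits(SAMPLE_LINES)
    for proc, regions in sorted(hits.items()):
        for base, rule in sorted(regions):
            print("%-32s 0x%08x  %s" % (proc, base, rule))
    print("RWX regions with hits:", sorted(rwx))
```

Run stand-alone it prints one line per (process, base, rule) and then the RWX regions; the only RWX hit in the sample is RegAsm.exe at 0x402000, which is where an analyst would pull a dump first.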
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: DHL#DOCUMENTS001010.PDF.exe
Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe | Code function: 0_2_01691760
Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe | Code function: 0_2_01691751
Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe | Code function: 0_2_01691737
Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe | Code function: 0_2_01691B90
Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe | Code function: 0_2_057D2D03
Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe | Code function: 0_2_057D0BE8
Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe | Code function: 0_2_057D0B68
Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe | Code function: 0_2_0585F400
Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe | Code function: 0_2_05850040
Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe | Code function: 0_2_0585ED78
Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe | Code function: 0_2_058566B0
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 11_2_009A3DFE
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 11_2_06B41870
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 11_2_06B342EB
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 11_2_06B346D3
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 11_2_02E0E480
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 11_2_02E0E471
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 11_2_02E0BBD4
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 11_2_0618E7E8
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 11_2_0618F400
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 11_2_06186F50
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 11_2_0618F4BE
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 11_2_061883F8
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 11_2_061880C0
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 11_2_0618817E
Source: C:\Users\user\AppData\Local\bhjhjkek.exe | Code function: 14_2_02B91B90
Source: C:\Users\user\AppData\Local\bhjhjkek.exe | Code function: 14_2_02B91760
Source: C:\Users\user\AppData\Local\bhjhjkek.exe | Code function: 14_2_02B91751
Source: C:\Users\user\AppData\Local\bhjhjkek.exe | Code function: 14_2_052F0BD8
Source: C:\Users\user\AppData\Local\bhjhjkek.exe | Code function: 14_2_052F2CF2
Source: C:\Users\user\AppData\Local\bhjhjkek.exe | Code function: 14_2_052F0B58
Source: C:\Users\user\AppData\Local\bhjhjkek.exe | Code function: 14_2_0539F400
Source: C:\Users\user\AppData\Local\bhjhjkek.exe | Code function: 14_2_0539ED78
Source: C:\Users\user\AppData\Local\bhjhjkek.exe | Code function: 14_2_05390040
Source: C:\Users\user\AppData\Local\bhjhjkek.exe | Code function: 14_2_053966B0
Source: C:\Users\user\AppData\Local\bhjhjkek.exe | Code function: 17_2_00C91B81
Source: C:\Users\user\AppData\Local\bhjhjkek.exe | Code function: 17_2_00C91B90
Source: C:\Users\user\AppData\Local\bhjhjkek.exe | Code function: 17_2_00C91751
Source: C:\Users\user\AppData\Local\bhjhjkek.exe | Code function: 17_2_00C91760
Source: C:\Users\user\AppData\Local\bhjhjkek.exe | Code function: 17_2_04D0F400
Source: C:\Users\user\AppData\Local\bhjhjkek.exe | Code function: 17_2_04D00040
Source: C:\Users\user\AppData\Local\bhjhjkek.exe | Code function: 17_2_04D00007
Source: C:\Users\user\AppData\Local\bhjhjkek.exe | Code function: 17_2_04D09D78
Source: C:\Users\user\AppData\Local\bhjhjkek.exe | Code function: 17_2_04D0ED78
Source: C:\Users\user\AppData\Local\bhjhjkek.exe | Code function: 17_2_04D066B0
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 19_2_00B53DFE
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 19_2_02EBE480
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 19_2_02EBE471
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 19_2_02EBBBD4
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\RegAsm.exe FFE4480CCC81B061F725C54587E9D1BA96547D27FE28083305D75796F2EB3E74
Source: DHL#DOCUMENTS001010.PDF.exe | Static PE information: invalid certificate
Source: DHL#DOCUMENTS001010.PDF.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: bhjhjkek.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DHL#DOCUMENTS001010.PDF.exe, 00000000.00000002.767317369.00000000030F1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs DHL#DOCUMENTS001010.PDF.exe
Source: DHL#DOCUMENTS001010.PDF.exe, 00000000.00000002.770887180.00000000056D0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameZqwmuuf.dll" vs DHL#DOCUMENTS001010.PDF.exe
Source: DHL#DOCUMENTS001010.PDF.exe, 00000000.00000002.766910530.0000000001368000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs DHL#DOCUMENTS001010.PDF.exe
Source: DHL#DOCUMENTS001010.PDF.exe, 00000000.00000002.767279106.00000000030C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dllj% vs DHL#DOCUMENTS001010.PDF.exe
Source: DHL#DOCUMENTS001010.PDF.exe, 00000000.00000002.767287047.00000000030D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs DHL#DOCUMENTS001010.PDF.exe
Source: DHL#DOCUMENTS001010.PDF.exe, 00000000.00000002.766555386.0000000000D2E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameaajfkfkf.exe4 vs DHL#DOCUMENTS001010.PDF.exe
Source: DHL#DOCUMENTS001010.PDF.exe, 00000000.00000002.770386723.0000000005610000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs DHL#DOCUMENTS001010.PDF.exe
Source: DHL#DOCUMENTS001010.PDF.exe, 00000000.00000003.764056703.00000000013F6000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameRegAsm.exeT vs DHL#DOCUMENTS001010.PDF.exe
Source: DHL#DOCUMENTS001010.PDF.exe, 00000000.00000002.768281438.000000000416D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameScokftdv.dll2 vs DHL#DOCUMENTS001010.PDF.exe
Source: DHL#DOCUMENTS001010.PDF.exe | Binary or memory string: OriginalFilenameaajfkfkf.exe4 vs DHL#DOCUMENTS001010.PDF.exe
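Two of the name-based findings above are cheap to reproduce outside the sandbox: the double extension in DHL#DOCUMENTS001010.PDF.exe (a document extension directly in front of .exe, so a default Explorer view shows "DHL#DOCUMENTS001010.PDF") and the mismatch between the on-disk name and the OriginalFilename the sample carries in its own version resource, aajfkfkf.exe. When reading the memory-string lines, keep in mind that clr.dll, mscorrc.dll, nlsbres.dll and RegAsm.exe are the version resources of other modules present in the process's memory, not the sample's; the entry matched against the sample file itself is the one that counts, and strings carved from a dump carry trailing bytes (the "4" in aajfkfkf.exe4). The following Python is an added example, not Joe Sandbox code: the extension lists and the cleanup of carved strings are my assumptions, and the values fed to it are taken from this report.

```python
"""Filename triage for two of the report's findings: a document extension
immediately followed by an executable one, and an OriginalFilename that differs
from the on-disk name. Added example; the extension lists are assumptions."""
import re
from pathlib import PureWindowsPath
from typing import List, Optional

# Extensions Windows runs as code on double-click (assumed, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".cpl", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".msi"}
# Extensions a recipient expects to open as data: the decoy half of a double
# extension such as invoice.pdf.exe (assumed list).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                 ".txt", ".rtf", ".jpg", ".jpeg", ".png", ".zip"}


def split_extensions(name: str) -> List[str]:
    """All dot-suffixes of the file name, lower-cased: 'A.PDF.exe' -> ['.pdf', '.exe']."""
    return [s.lower() for s in PureWindowsPath(name).suffixes]


def is_double_extension(name: str) -> bool:
    """True when a document extension sits directly before an executable one.
    Explorer hides the final extension by default, so the user sees 'A.PDF'."""
    exts = split_extensions(name)
    return len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTS and exts[-2] in DOCUMENT_EXTS


# Strings carved from a memory dump carry trailing bytes ('aajfkfkf.exe4',
# 'RegAsm.exeT'); cut at the first recognised binary extension (heuristic).
_CARVED = re.compile(r"^(.*?\.(?:exe|dll|sys|scr|com|ocx|mui))", re.IGNORECASE)


def normalize_original_filename(value: Optional[str]) -> Optional[str]:
    """Cleanup for carved strings; values read from the parsed version
    resource pass through unchanged."""
    if not value:
        return None
    m = _CARVED.match(value)
    return m.group(1) if m else value.strip()


def original_filename_mismatch(on_disk: str, original: Optional[str]) -> bool:
    """True when OriginalFilename names a different file than the one on disk.
    Legitimate renames happen, so treat this as a triage signal, not a verdict."""
    original = normalize_original_filename(original)
    if original is None:
        return False                      # no version info: nothing to compare
    return PureWindowsPath(on_disk).name.lower() != original.lower()


def triage(on_disk: str, original: Optional[str]) -> List[str]:
    """Collect the name-based findings for one file."""
    findings = []
    if is_double_extension(on_disk):
        findings.append("double extension %s" % "".join(split_extensions(on_disk)[-2:]))
    if original_filename_mismatch(on_disk, original):
        findings.append("OriginalFilename %r differs from on-disk name %r"
                        % (normalize_original_filename(original), PureWindowsPath(on_disk).name))
    return findings


if __name__ == "__main__":
    # Constructed call with the values this report shows for the sample.
    for finding in triage(r"C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe", "aajfkfkf.exe4"):
        print(finding)
```

In a real pipeline the second argument comes from the parsed VS_VERSIONINFO resource (for instance via pefile's FileInfo), in which case the carved-string cleanup never triggers; it is there only so that strings lifted from a dump, as in the lines above, can be compared as well.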
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Section loaded: sfc.dll
Source: DHL#DOCUMENTS001010.PDF.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
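The four names in the static PE line are the set bits of IMAGE_FILE_HEADER.Characteristics (EXECUTABLE_IMAGE 0x0002, LINE_NUMS_STRIPPED 0x0004, LOCAL_SYMS_STRIPPED 0x0008, 32BIT_MACHINE 0x0100, together 0x010E). Reading that field needs nothing beyond the DOS header's e_lfanew pointer and the COFF header that follows the "PE\0\0" signature, so it can be verified without a full PE parser. The Python below is an added example, not code from the report or from Joe Sandbox; the offsets follow the PE/COFF specification, and build_stub_pe() produces a constructed header for testing, not the sample.

```python
"""Read IMAGE_FILE_HEADER.Characteristics from raw PE bytes and decode it into
the flag names the report prints. Added example using only the standard library."""
import struct
from typing import List

# IMAGE_FILE_* characteristics bits (winnt.h), subset relevant to triage.
CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED",
    0x2000: "DLL",
}
MACHINE = {0x014C: "I386", 0x8664: "AMD64", 0x01C4: "ARMNT", 0xAA64: "ARM64"}


def file_header(data: bytes) -> dict:
    """Locate the COFF file header via e_lfanew and return its fields."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if len(data) < e_lfanew + 24 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    # IMAGE_FILE_HEADER directly follows the 4-byte signature:
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    fields = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    return {"machine": fields[0], "sections": fields[1], "timestamp": fields[2],
            "opt_header_size": fields[5], "characteristics": fields[6]}


def is_pe(data: bytes) -> bool:
    """Cheap validity check built on file_header()."""
    try:
        file_header(data)
        return True
    except (ValueError, struct.error):
        return False


def decode_characteristics(value: int) -> List[str]:
    """Names of the set bits, in ascending bit order."""
    return [name for bit, name in sorted(CHARACTERISTICS.items()) if value & bit]


def describe(data: bytes) -> str:
    """'<machine>, <flag>, <flag>, ...' in the style of the report's static line."""
    hdr = file_header(data)
    machine = MACHINE.get(hdr["machine"], "0x%04X" % hdr["machine"])
    return "%s, %s" % (machine, ", ".join(decode_characteristics(hdr["characteristics"])))


def build_stub_pe(characteristics: int, machine: int = 0x014C) -> bytes:
    """Constructed minimal DOS header + PE signature + COFF header: no sections,
    not loadable, just enough for file_header() to exercise the offsets."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xE0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


# The combination the report lists for DHL#DOCUMENTS001010.PDF.exe.
SAMPLE_FLAGS = 0x0002 | 0x0004 | 0x0008 | 0x0100   # 0x010E

if __name__ == "__main__":
    print(describe(build_stub_pe(SAMPLE_FLAGS)))
    # To check a real file: print(describe(open(path, "rb").read()))
```

One caveat when applying this to a .NET sample such as this one: 32BIT_MACHINE in the COFF header reflects how the assembly was compiled, and whether it actually runs as a 32-bit process is decided by the CLR header flags (ILONLY, 32BITREQUIRED), which this code does not read.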
Source: 0000000B.00000002.919456791.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.919456791.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.928006695.0000000006AA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.928006695.0000000006AA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000011.00000002.923323005.00000000038C8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000011.00000002.923323005.00000000038C8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.927086659.0000000005DD0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.927086659.0000000005DD0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000B.00000002.927717545.00000000068D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.927717545.00000000068D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000B.00000002.927972563.0000000006A90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.927972563.0000000006A90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000B.00000002.928481566.0000000006B30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.928481566.0000000006B30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000002.921730326.0000000003ED9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.916788361.0000000003E8A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.916788361.0000000003E8A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000013.00000000.902721900.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000013.00000000.902721900.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.927934540.0000000006A80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.927934540.0000000006A80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000B.00000002.928049608.0000000006AB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.928049608.0000000006AB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000E.00000002.917015051.0000000003F69000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.917015051.0000000003F69000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.768500563.000000000424A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.768500563.000000000424A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.921992403.0000000002E21000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000000.765891937.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000000.765891937.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000011.00000002.923195254.0000000003829000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000011.00000002.923195254.0000000003829000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.927902201.0000000006A70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.927902201.0000000006A70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000B.00000002.923629464.000000000410E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.928268197.0000000006AF0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.928268197.0000000006AF0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.768627185.0000000004329000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.768627185.0000000004329000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000011.00000002.922180168.00000000027EC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000011.00000002.922180168.00000000027EC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.917166768.0000000004008000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.917166768.0000000004008000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.928208155.0000000006AE0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.928208155.0000000006AE0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000B.00000002.927748989.00000000068E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.927748989.00000000068E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.767390433.0000000003140000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.767390433.0000000003140000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000013.00000000.903322514.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000013.00000000.903322514.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.768765358.00000000043C8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.768765358.00000000043C8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000000.765519849.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000000.765519849.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000013.00000002.921433877.0000000002ED1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.926591236.00000000054A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.926591236.00000000054A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000B.00000002.927857463.0000000006A50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.927857463.0000000006A50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000B.00000002.928087795.0000000006AC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 0000000B.00000002.928087795.0000000006AC0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000013.00000002.919456275.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 00000013.00000002.919456275.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 00000011.00000002.923041905.000000000374A000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 00000011.00000002.923041905.000000000374A000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 0000000B.00000002.923284531.0000000003EF0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 0000000E.00000002.914492634.0000000002E66000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 0000000E.00000002.914492634.0000000002E66000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: Process Memory Space: DHL#DOCUMENTS001010.PDF.exe PID: 6964, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: Process Memory Space: DHL#DOCUMENTS001010.PDF.exe PID: 6964, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: Process Memory Space: RegAsm.exe PID: 7020, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: Process Memory Space: RegAsm.exe PID: 7020, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: Process Memory Space: RegAsm.exe PID: 5868, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: Process Memory Space: RegAsm.exe PID: 5868, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: Process Memory Space: bhjhjkek.exe PID: 6868, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: Process Memory Space: bhjhjkek.exe PID: 6868, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: Process Memory Space: bhjhjkek.exe PID: 5456, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: Process Memory Space: bhjhjkek.exe PID: 5456, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43789c8.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43789c8.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43789c8.10.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 11.2.RegAsm.exe.68d0000.22.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.68d0000.22.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.6b30000.35.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.6b30000.35.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.2eb1188.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.2eb1188.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.4173246.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.4173246.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 14.2.bhjhjkek.exe.40089e8.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 14.2.bhjhjkek.exe.40089e8.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 14.2.bhjhjkek.exe.40089e8.11.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 11.2.RegAsm.exe.6aa0000.28.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.6aa0000.28.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.5dd0000.19.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.5dd0000.19.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 19.2.RegAsm.exe.3f1ff64.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 19.2.RegAsm.exe.3f1ff64.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.3e2e5cf.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.3e2e5cf.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.68d0000.22.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.68d0000.22.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 17.2.bhjhjkek.exe.2835ae0.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 17.2.bhjhjkek.exe.2835ae0.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 17.2.bhjhjkek.exe.2835ae0.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 11.2.RegAsm.exe.6aa0000.28.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.6aa0000.28.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.2ea4f40.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.2ea4f40.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 19.2.RegAsm.exe.3f2458d.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 19.2.RegAsm.exe.3f2458d.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43509a8.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43509a8.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43509a8.11.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43c89e8.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43c89e8.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43c89e8.12.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 19.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 19.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 19.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 11.2.RegAsm.exe.6af4c9f.34.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.6af4c9f.34.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.6b30000.35.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.6b30000.35.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.6a80000.26.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.6a80000.26.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.3faba4d.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.3faba4d.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.6ae0000.31.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.6ae0000.31.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 17.2.bhjhjkek.exe.38509a8.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 17.2.bhjhjkek.exe.38509a8.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 17.2.bhjhjkek.exe.38509a8.11.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 14.2.bhjhjkek.exe.3fb89c8.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 14.2.bhjhjkek.exe.3fb89c8.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 14.2.bhjhjkek.exe.3fb89c8.10.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 11.2.RegAsm.exe.416a417.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.416a417.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 14.2.bhjhjkek.exe.2eb0238.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 14.2.bhjhjkek.exe.2eb0238.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 14.2.bhjhjkek.exe.2eb0238.2.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 11.2.RegAsm.exe.6ab0000.29.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.6ab0000.29.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.5dd0000.19.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.5dd0000.19.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.6a70000.25.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.6a70000.25.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 11.2.RegAsm.exe.3e88a30.9.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.3e88a30.9.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 14.2.bhjhjkek.exe.40089e8.11.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 14.2.bhjhjkek.exe.40089e8.11.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 14.2.bhjhjkek.exe.40089e8.11.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 11.2.RegAsm.exe.6a70000.25.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.6a70000.25.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.3e381d4.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.3e381d4.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 14.2.bhjhjkek.exe.3fb89c8.10.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 14.2.bhjhjkek.exe.3fb89c8.10.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 14.2.bhjhjkek.exe.3fb89c8.10.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.3394278.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.3394278.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.3394278.3.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 14.2.bhjhjkek.exe.3f909a8.9.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 14.2.bhjhjkek.exe.3f909a8.9.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 14.2.bhjhjkek.exe.3f909a8.9.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 11.2.RegAsm.exe.4181676.13.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.4181676.13.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 17.2.bhjhjkek.exe.38789c8.10.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 17.2.bhjhjkek.exe.38789c8.10.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 17.2.bhjhjkek.exe.38789c8.10.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43789c8.10.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43789c8.10.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.3f9f819.11.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.3f9f819.11.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43789c8.10.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 11.2.RegAsm.exe.68e0000.23.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.68e0000.23.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.3e88a30.9.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.3e88a30.9.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 17.2.bhjhjkek.exe.38c89e8.12.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 17.2.bhjhjkek.exe.38c89e8.12.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 17.2.bhjhjkek.exe.38c89e8.12.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 14.2.bhjhjkek.exe.3e8af78.8.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 14.2.bhjhjkek.exe.3e8af78.8.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 11.2.RegAsm.exe.3e29930.7.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.3e29930.7.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 17.2.bhjhjkek.exe.374af78.9.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 17.2.bhjhjkek.exe.374af78.9.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 17.2.bhjhjkek.exe.38c89e8.12.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 17.2.bhjhjkek.exe.38c89e8.12.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 17.2.bhjhjkek.exe.38c89e8.12.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 11.2.RegAsm.exe.4173246.14.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.4173246.14.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.6afe8a4.32.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.6afe8a4.32.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 19.2.RegAsm.exe.2f39658.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 19.2.RegAsm.exe.2f39658.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.68e0000.23.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.68e0000.23.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 17.2.bhjhjkek.exe.38789c8.10.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 17.2.bhjhjkek.exe.38789c8.10.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 17.2.bhjhjkek.exe.38789c8.10.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 11.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 19.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 19.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 19.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 19.2.RegAsm.exe.3f1ff64.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 19.2.RegAsm.exe.3f1ff64.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.5dd4629.20.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.5dd4629.20.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.3e29930.7.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.3e29930.7.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.2ea4f40.2.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 11.2.RegAsm.exe.6a50000.24.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.6a50000.24.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.416a417.15.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.416a417.15.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.416a417.15.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 11.2.RegAsm.exe.6ac0000.30.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.6ac0000.30.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.6ae0000.31.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.6ae0000.31.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.6ab0000.29.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.6ab0000.29.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.6a80000.26.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.6a80000.26.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 19.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 19.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 19.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 14.2.bhjhjkek.exe.3f909a8.9.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 14.2.bhjhjkek.exe.3f909a8.9.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 14.2.bhjhjkek.exe.3f909a8.9.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 11.2.RegAsm.exe.4181676.13.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.4181676.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.3e8d059.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.3e8d059.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.424af78.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.424af78.9.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 11.2.RegAsm.exe.6af0000.33.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.6af0000.33.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 11.2.RegAsm.exe.6ac0000.30.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.6ac0000.30.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43c89e8.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43c89e8.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43c89e8.12.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 17.2.bhjhjkek.exe.2835ae0.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 17.2.bhjhjkek.exe.2835ae0.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 11.2.RegAsm.exe.6a90000.27.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.6a90000.27.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43509a8.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43509a8.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43509a8.11.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 11.2.RegAsm.exe.54a0000.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.54a0000.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 17.2.bhjhjkek.exe.38509a8.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 17.2.bhjhjkek.exe.38509a8.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 17.2.bhjhjkek.exe.38509a8.11.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 19.2.RegAsm.exe.3f1b12e.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 19.2.RegAsm.exe.3f1b12e.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 19.2.RegAsm.exe.3f1b12e.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 11.2.RegAsm.exe.2eb1188.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 14.2.bhjhjkek.exe.2eb0238.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.6af0000.33.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 11.2.RegAsm.exe.6af0000.33.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 14.2.bhjhjkek.exe.2eb0238.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 11.2.RegAsm.exe.2e79fc4.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 11.2.RegAsm.exe.3faba4d.12.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.3394278.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.3394278.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 11.2.RegAsm.exe.3f9f819.11.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 11.2.RegAsm.exe.3fc007a.10.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
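The Yara rows above are two table columns that the page extraction ran together: the dump or file on the left, the matched rule and its metadata on the right. The Python below is an added example, not output of Joe Sandbox and not code from the rule authors; it splits such rows back into records and pivots them by process image, so one can see at a glance which processes (the original sample, the persistence copy bhjhjkek.exe, the two RegAsm.exe instances) hold unpacked NanoCore code. The five SAMPLE_LINES are copied from this report. The reading of the dump names is inferred from how they line up in this report and is an assumption about the sandbox's naming, not documented behaviour: the leading number of "19.2.RegAsm.exe.400000.0.unpack" is taken as the process index, and the hex prefix of an ".sdmp" name as the same index in hexadecimal (0000000E, base address 7C2000, corresponds to 14.2.bhjhjkek.exe.7c0000 elsewhere on the page).

```python
"""Parse the fused 'Source: ... Matched rule: ...' rows of a Joe Sandbox report
into records and pivot the Yara hits by process image. Added example."""
import re

MATCH_RE = re.compile(
    r"^Source:\s*(?P<src>.+?),\s*type:\s*(?P<type>[A-Z]+)"
    r"Matched rule:\s*(?P<rule>\S+)\s*(?P<meta>.*)$"
)
YARA_FILE_RE = re.compile(
    r"^Source:\s*Yara matchFile source:\s*(?P<src>.+?),\s*type:\s*(?P<type>[A-Z]+)$"
)
# "19.2.RegAsm.exe.400000.0.unpack": process index, dump phase, image, load address
# (interpretation inferred from this report, not documented naming)
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<phase>\d+)\.(?P<image>.+?\.exe)\.(?P<addr>[0-9a-f]+)"
    r"\.\d+(?:\.raw)?\.unpack$"
)
MEM_RE = re.compile(r"^Process Memory Space:\s*(?P<image>\S+)\s+PID:\s*(?P<pid>\d+)$")
# "0000000E.00000002.<n>.00000000007C2000.<..>.sdmp": assumed to carry the same
# process index in hex (0x0E == 14, which matches 14.2.bhjhjkek.exe.7c0000)
SDMP_RE = re.compile(r"^(?P<proc>[0-9A-F]{8})\.[0-9A-F]{8}\.\d+\.(?P<addr>[0-9A-F]{16})\.")
META_SPLIT_RE = re.compile(r",\s+(?=\w+ = )")  # split only in front of "key = "

# Constructed input: five rows copied from this report.
SAMPLE_LINES = [
    "Source: 19.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/",
    "Source: 19.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore",
    "Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.43c89e8.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/",
    "Source: Yara matchFile source: Process Memory Space: bhjhjkek.exe PID: 6868, type: MEMORY",
    "Source: Yara matchFile source: 0000000E.00000002.910382533.00000000007C2000.00000002.00020000.sdmp, type: MEMORY",
]


def parse_meta(meta: str) -> dict:
    """'date = 2016-04-22, hash1 = 755f..., author = Florian Roth' -> dict."""
    out = {}
    for field in META_SPLIT_RE.split(meta.strip()):
        if " = " in field:
            key, value = field.split(" = ", 1)
            out[key.strip()] = value.strip()
    return out


def describe_source(src: str) -> dict:
    """Map a report source string to an image name and/or process index."""
    if m := UNPACK_RE.match(src):
        return {"image": m["image"], "process": int(m["proc"]), "pid": None,
                "where": f"unpacked PE at 0x{m['addr']}"}
    if m := MEM_RE.match(src):
        return {"image": m["image"], "process": None, "pid": int(m["pid"]),
                "where": "process memory"}
    if m := SDMP_RE.match(src):
        return {"image": None, "process": int(m["proc"], 16), "pid": None,
                "where": f"memory dump at 0x{m['addr']}"}
    return {"image": src.rsplit("\\", 1)[-1], "process": None, "pid": None,
            "where": "file"}


def parse_line(line: str):
    """Record for a Yara row of either shape; None for any other report line."""
    line = line.strip()
    if m := MATCH_RE.match(line):
        rec = {"src": m["src"], "type": m["type"], "rule": m["rule"],
               "meta": parse_meta(m["meta"])}
    elif m := YARA_FILE_RE.match(line):
        rec = {"src": m["src"], "type": m["type"], "rule": None, "meta": {}}
    else:
        return None
    rec.update(describe_source(rec["src"]))
    return rec


def rules_by_image(lines) -> dict:
    """Image name (or 'process N' when the dump names none) -> sorted rule names."""
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = rec["image"] or f"process {rec['process']}"
        bucket = hits.setdefault(key, set())
        if rec["rule"]:
            bucket.add(rec["rule"])
    return {k: sorted(v) for k, v in hits.items()}


def rule_hits(lines) -> dict:
    """Rule name -> number of dumps/files it matched."""
    counts = {}
    for line in lines:
        rec = parse_line(line)
        if rec and rec["rule"]:
            counts[rec["rule"]] = counts.get(rec["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for image, rules in rules_by_image(SAMPLE_LINES).items():
        print(f"{image:32s} {', '.join(rules) or '(memory match only)'}")
    print(rule_hits(SAMPLE_LINES))
```

Fed the whole report one row per line, the pivot shows that the NanoCore rules hit not only the sample on disk but the unpacked regions of both RegAsm.exe instances, which is why a memory dump of the hollowed RegAsm.exe, not the dropper, is the artefact to acquire from an infected host.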
              Source: DHL#DOCUMENTS001010.PDF.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: bhjhjkek.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: 11.0.RegAsm.exe.400000.3.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
              Source: 11.0.RegAsm.exe.400000.3.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
              Source: 11.0.RegAsm.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: 11.2.RegAsm.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
              Source: 11.2.RegAsm.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
              Source: 11.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: 11.0.RegAsm.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: 11.0.RegAsm.exe.400000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
              Source: 11.0.RegAsm.exe.400000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
              Source: 11.0.RegAsm.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
              Source: 11.0.RegAsm.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 11.0.RegAsm.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
              Source: 11.0.RegAsm.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 11.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
              Source: 11.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: classification engineClassification label: mal100.troj.evad.winEXE@7/10@0/1
              Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exeFile created: C:\Users\user\AppData\Local\bhjhjkek.exe
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{ba5f434c-3370-4fb7-bec8-4c7f593d07f3}
              Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exeFile created: C:\Users\user\AppData\Local\Temp\RegAsm.exe
              Source: DHL#DOCUMENTS001010.PDF.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\AppData\Local\bhjhjkek.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\AppData\Local\bhjhjkek.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: DHL#DOCUMENTS001010.PDF.exeVirustotal: Detection: 44%
              Source: DHL#DOCUMENTS001010.PDF.exeMetadefender: Detection: 22%
              Source: DHL#DOCUMENTS001010.PDF.exeReversingLabs: Detection: 31%
              Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exeFile read: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe
              Source: unknownProcess created: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe 'C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe'
              Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exeProcess created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe hjhjkfk
              Source: unknownProcess created: C:\Users\user\AppData\Local\bhjhjkek.exe 'C:\Users\user\AppData\Local\bhjhjkek.exe'
              Source: unknownProcess created: C:\Users\user\AppData\Local\bhjhjkek.exe 'C:\Users\user\AppData\Local\bhjhjkek.exe'
              Source: C:\Users\user\AppData\Local\bhjhjkek.exeProcess created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe hjhjkfk
              Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exeProcess created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe hjhjkfk
              Source: C:\Users\user\AppData\Local\bhjhjkek.exeProcess created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe hjhjkfk
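The process creations above are the hosting pattern this sample uses: the dropper writes a copy of the .NET Framework's RegAsm.exe into %TEMP% and launches it with an arbitrary argument (hjhjkfk), and that copy is where the Yara section finds the unpacked NanoCore code; the persistence copy bhjhjkek.exe in %LOCALAPPDATA% repeats the same launch. The Python below is an added example, not part of this report and not a Joe Sandbox signature; it expresses that pattern as rules over Sysmon-style process-creation records. The EVENTS list is constructed from the image paths and command lines shown in this report: the explorer.exe parents are assumed (the report records those parents as unknown), the devenv.exe record is a constructed benign control, and the utility names other than RegAsm.exe are an assumption about other Framework binaries abused the same way, not something the page shows.

```python
"""Process-creation rules for the RegAsm.exe hosting pattern seen in this report.
Added example over constructed Sysmon-style records."""
from pathlib import PureWindowsPath

FRAMEWORK_DIRS = (
    "c:\\windows\\microsoft.net\\framework\\",
    "c:\\windows\\microsoft.net\\framework64\\",
)
# RegAsm.exe is the host this report shows; the other names are an assumption
# (Framework utilities commonly copied and hollowed the same way).
DOTNET_UTILITIES = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\desktop\\", "\\downloads\\", "\\public\\")
DOCUMENT_SUFFIXES = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".pif"}

# Constructed records: paths and command lines from this report, parents assumed
# where the report says "unknown", plus one benign control (last entry).
EVENTS = [
    {"Image": r"C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"'C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe'"},
    {"Image": r"C:\Users\user\AppData\Local\Temp\RegAsm.exe",
     "ParentImage": r"C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe",
     "CommandLine": r"C:\Users\user\AppData\Local\Temp\RegAsm.exe hjhjkfk"},
    {"Image": r"C:\Users\user\AppData\Local\bhjhjkek.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"'C:\Users\user\AppData\Local\bhjhjkek.exe'"},
    {"Image": r"C:\Users\user\AppData\Local\Temp\RegAsm.exe",
     "ParentImage": r"C:\Users\user\AppData\Local\bhjhjkek.exe",
     "CommandLine": r"C:\Users\user\AppData\Local\Temp\RegAsm.exe hjhjkfk"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MyComServer.dll /codebase"},
]


def is_user_writable(path: str) -> bool:
    """Crude test for locations a standard user can write to."""
    p = path.lower()
    if p.startswith("c:\\windows\\temp\\"):
        return True
    return p.startswith("c:\\users\\") and any(m in p for m in USER_WRITABLE_MARKERS)


def has_double_extension(path: str) -> bool:
    """DHL#DOCUMENTS001010.PDF.exe -> True: a document suffix in front of an executable one."""
    suffixes = [s.lower() for s in PureWindowsPath(path).suffixes]
    return (len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE_SUFFIXES
            and suffixes[-2] in DOCUMENT_SUFFIXES)


def evaluate(event: dict) -> list:
    """Names of every rule a process-creation record trips, in rule order."""
    image = event["Image"].lower()
    parent = event.get("ParentImage", "").lower()
    name = PureWindowsPath(image).name
    reasons = []
    # A Framework utility running from anywhere but the Framework directory
    # is a copied binary, exactly what %TEMP%\RegAsm.exe is here.
    if name in DOTNET_UTILITIES and not image.startswith(FRAMEWORK_DIRS):
        reasons.append("dotnet_utility_outside_framework_dir")
    # Legitimate callers of RegAsm.exe are installers and build tools, not
    # executables sitting on the Desktop or in AppData.
    if name in DOTNET_UTILITIES and parent and is_user_writable(parent):
        reasons.append("dotnet_utility_spawned_from_user_writable_path")
    if has_double_extension(image):
        reasons.append("double_extension_image")
    return reasons


def triage(events) -> list:
    """[(image, reasons)] for the records that trip at least one rule."""
    flagged = []
    for event in events:
        reasons = evaluate(event)
        if reasons:
            flagged.append((event["Image"], reasons))
    return flagged


if __name__ == "__main__":
    for image, reasons in triage(EVENTS):
        print(image, "->", ", ".join(reasons))
```

Note what these rules do not catch: the persistence copy bhjhjkek.exe starting on its own is unremarkable as a process-creation event, so that stage has to come from the file-creation record (the dropper writing into %LOCALAPPDATA%) or from the autostart entry, not from the process tree alone.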
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
              Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: DHL#DOCUMENTS001010.PDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: DHL#DOCUMENTS001010.PDF.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Source: Binary string: RegAsm.pdb source: RegAsm.exe, RegAsm.exe.0.dr
              Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: RegAsm.exe, 0000000B.00000002.921992403.0000000002E21000.00000004.00000001.sdmp
              Source: Binary string: RegAsm.pdb4 source: DHL#DOCUMENTS001010.PDF.exe, 00000000.00000003.764056703.00000000013F6000.00000004.00000001.sdmp, RegAsm.exe, 0000000B.00000002.919538476.00000000009A2000.00000002.00020000.sdmp, RegAsm.exe, 00000013.00000000.902750258.0000000000B52000.00000002.00020000.sdmp, RegAsm.exe.0.dr
              Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegAsm.exe, 0000000B.00000002.921992403.0000000002E21000.00000004.00000001.sdmp
              Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: RegAsm.exe, 0000000B.00000002.921992403.0000000002E21000.00000004.00000001.sdmp
              Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: RegAsm.exe, 0000000B.00000002.921992403.0000000002E21000.00000004.00000001.sdmp
              Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegAsm.exe, 0000000B.00000002.921992403.0000000002E21000.00000004.00000001.sdmp
              Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: RegAsm.exe, 0000000B.00000002.921992403.0000000002E21000.00000004.00000001.sdmp

              Data Obfuscation:

              .NET source code contains potential unpacker
              Source: DHL#DOCUMENTS001010.PDF.exe, luMfCep0DFU7UEPN2W/HgKAT37MHI0lvjZpI3.cs.Net Code: tZfa2g0MM System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: bhjhjkek.exe.0.dr, luMfCep0DFU7UEPN2W/HgKAT37MHI0lvjZpI3.cs.Net Code: tZfa2g0MM System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 0.2.DHL#DOCUMENTS001010.PDF.exe.ca0000.0.unpack, luMfCep0DFU7UEPN2W/HgKAT37MHI0lvjZpI3.cs.Net Code: tZfa2g0MM System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 0.0.DHL#DOCUMENTS001010.PDF.exe.ca0000.0.unpack, luMfCep0DFU7UEPN2W/HgKAT37MHI0lvjZpI3.cs.Net Code: tZfa2g0MM System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 11.0.RegAsm.exe.400000.3.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 11.0.RegAsm.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 11.2.RegAsm.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 11.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 11.0.RegAsm.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 11.0.RegAsm.exe.400000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 14.2.bhjhjkek.exe.7c0000.0.unpack, luMfCep0DFU7UEPN2W/HgKAT37MHI0lvjZpI3.cs.Net Code: tZfa2g0MM System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Yara detected Costura Assembly Loader
              Source: Yara matchFile source: DHL#DOCUMENTS001010.PDF.exe, type: SAMPLE
              Source: Yara matchFile source: 00000000.00000002.767317369.00000000030F1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000E.00000002.910382533.00000000007C2000.00000002.00020000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000000.644449963.0000000000CA2000.00000002.00020000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000E.00000002.913423269.0000000002D31000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000E.00000000.782814633.00000000007C2000.00000002.00020000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000011.00000002.919434619.0000000000292000.00000002.00020000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.766443926.0000000000CA2000.00000002.00020000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000011.00000000.801027556.0000000000292000.00000002.00020000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000011.00000002.921745591.00000000025F1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: DHL#DOCUMENTS001010.PDF.exe PID: 6964, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: bhjhjkek.exe PID: 6868, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: bhjhjkek.exe PID: 5456, type: MEMORY
              Source: Yara matchFile source: C:\Users\user\AppData\Local\bhjhjkek.exe, type: DROPPED
              Source: Yara matchFile source: 0.2.DHL#DOCUMENTS001010.PDF.exe.ca0000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 14.2.bhjhjkek.exe.7c0000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 14.0.bhjhjkek.exe.7c0000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 17.2.bhjhjkek.exe.290000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 17.0.bhjhjkek.exe.290000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.0.DHL#DOCUMENTS001010.PDF.exe.ca0000.0.unpack, type: UNPACKEDPE
              Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exeCode function: 0_2_00CA2AB4 push ss; iretd
              Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exeCode function: 0_2_016959D6 push edx; ret
              Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exeCode function: 0_2_057D44D3 push D0058366h; ret
              Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exeCode function: 0_2_057D1AB8 push cs; ret
              Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exeCode function: 0_2_05854874 push B8FFFFCBh; ret
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 11_2_009A4289 push es; retf
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 11_2_009A4469 push cs; retf
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 11_2_009A44A3 push es; retf
              Source: C:\Users\user\AppData\Local\bhjhjkek.exeCode function: 14_2_007C2AB4 push ss; iretd
              Source: C:\Users\user\AppData\Local\bhjhjkek.exeCode function: 14_2_02B959D6 push edx; ret
              Source: C:\Users\user\AppData\Local\bhjhjkek.exeCode function: 14_2_052F1AA8 push ds; ret
              Source: C:\Users\user\AppData\Local\bhjhjkek.exeCode function: 14_2_05394874 push B8FFFFCBh; ret
              Source: C:\Users\user\AppData\Local\bhjhjkek.exeCode function: 17_2_00292AB4 push ss; iretd
              Source: C:\Users\user\AppData\Local\bhjhjkek.exeCode function: 17_2_00C959D6 push edx; ret
              Source: C:\Users\user\AppData\Local\bhjhjkek.exeCode function: 17_2_04D0508E push edi; ret
              Source: C:\Users\user\AppData\Local\bhjhjkek.exeCode function: 17_2_04D04874 push B8FFFFCBh; ret
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 19_2_00B544A3 push es; retf
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 19_2_00B54469 push cs; retf
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeCode function: 19_2_00B54289 push es; retf
              Source: initial sampleStatic PE information: section name: .text entropy: 7.98213921813
              Source: initial sampleStatic PE information: section name: .text entropy: 7.98213921813
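A .text section with entropy 7.98 out of a possible 8 bits per byte is almost entirely compressed or encrypted data with a small stub around it, which is consistent with the Assembly.Load(byte[]) and Costura loader findings above: the real payload is carried as an opaque blob and materialised in memory. The Python below is an added example, not Joe Sandbox's own implementation, that computes the same measure per PE section with a small header parser (no pefile dependency) and applies it to method names the way the report's "high entropy of concatenated method names" check does. Because the sample itself is not available here, the PE it analyses is assembled in code from a pseudo-random blob and a repetitive text blob; the 7.5 flagging threshold is an assumption, not the sandbox's figure; the obfuscated '#=q…' names are copied from this report's method-name findings and the readable names from its cryptographic and security API findings.

```python
"""Per-section and per-identifier Shannon entropy for packed-PE triage. Added example."""
import math
import random
import struct
from collections import Counter

PACKED_THRESHOLD = 7.5  # assumption: bits/byte above which a section is treated as packed


def shannon_entropy(data) -> float:
    """Shannon entropy in bits per symbol over a bytes object or a str."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes):
    """Yield (name, raw_bytes) for each IMAGE_SECTION_HEADER of a PE file."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + size_of_optional                  # section table follows the optional header
    for i in range(num_sections):
        off = table + 40 * i
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, off + 16)  # SizeOfRawData, PointerToRawData
        yield name, image[raw_ptr:raw_ptr + raw_size]


def section_entropies(image: bytes, threshold: float = PACKED_THRESHOLD) -> list:
    """[(section name, entropy rounded to 3 places, flagged as packed)] per section."""
    out = []
    for name, body in pe_sections(image):
        h = shannon_entropy(body)
        out.append((name, round(h, 3), h >= threshold))
    return out


def names_entropy(names) -> float:
    """Entropy over the concatenation of identifier names, as the report measures it."""
    return shannon_entropy("".join(names))


def build_test_pe(sections) -> bytes:
    """Assemble a minimal PE (valid headers plus section bodies, not runnable) so the
    parser can be exercised offline. `sections` is a list of (name bytes, body bytes)."""
    e_lfanew, opt_size, align = 0x40, 0xE0, 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    headers_end = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = -(-headers_end // align) * align            # first body on a file-alignment boundary
    first_raw, table, bodies = raw_ptr, b"", b""
    for name, body in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(body), raw_ptr, len(body),
                             raw_ptr, 0, 0, 0, 0, 0x60000020)
        padded = body + b"\0" * (-len(body) % align)
        bodies += padded
        raw_ptr += len(padded)
    image = dos + b"PE\0\0" + coff + b"\0" * opt_size + table
    return image.ljust(first_raw, b"\0") + bodies


# Constructed inputs: a deterministic pseudo-random blob standing in for an encrypted
# payload, and a repetitive text blob standing in for ordinary code and strings.
_rng = random.Random(1)
PACKED_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))
PLAIN_BLOB = b"This program cannot be run in DOS mode.\r\n" * 100
TEST_IMAGE = build_test_pe([(b".text", PACKED_BLOB), (b".rsrc", PLAIN_BLOB)])

# Five obfuscated method names copied from this report, and four readable API
# names from its findings, for the identifier-entropy comparison.
OBFUSCATED_NAMES = [
    "#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=",
    "#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=",
    "#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq",
    "#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=",
    "#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=",
]
READABLE_NAMES = ["GetCurrent", "IsInRole", "CreateDecryptor", "TransformFinalBlock"]

if __name__ == "__main__":
    for name, h, flagged in section_entropies(TEST_IMAGE):
        print(f"{name:8s} entropy={h:.3f} {'PACKED?' if flagged else ''}")
    print("obfuscated names:", round(names_entropy(OBFUSCATED_NAMES), 3))
    print("readable names:  ", round(names_entropy(READABLE_NAMES), 3))
```

On a real sample the same loop over pe_sections() separates the case seen here (one section near 8 bits, everything else ordinary) from a fully packed file where every section is high; a single hot section in a .NET binary usually means an embedded resource or byte array that a loader such as Costura or an Assembly.Load(byte[]) stub decrypts at run time, so the next step is to dump that region after the stub has run rather than to keep reversing the stub.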
              Source: 11.0.RegAsm.exe.400000.3.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
              Source: 11.0.RegAsm.exe.400000.3.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
              Source: 11.2.RegAsm.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
              Source: 11.2.RegAsm.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
              Source: 11.0.RegAsm.exe.400000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
              Source: 11.0.RegAsm.exe.400000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
              Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exeFile created: C:\Users\user\AppData\Local\Temp\RegAsm.exeJump to dropped file
              Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exeFile created: C:\Users\user\AppData\Local\bhjhjkek.exeJump to dropped file
              Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run bhjhjkekJump to behavior
              Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run bhjhjkekJump to behavior
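
The two entropy indicators above (a .text section at 7.98 bits per byte, and '#=q...' method names whose concatenation has high entropy) rest on the same Shannon-entropy measurement. The block below is an added example, not code from the report or from the sample: it implements that measurement and the two triage checks built on it. The obfuscated identifiers are copied from the report; the section contents and the readable identifier list are constructed.

```python
"""Entropy checks of the kind behind the '.text entropy' and 'high entropy of
concatenated method names' entries above.  Added example, not part of the
sandbox report and not the sample's code; the obfuscated identifiers are
copied from the report, every other input is constructed here."""
import math
import random
from collections import Counter


def shannon_entropy(data):
    """Shannon entropy in bits per symbol: 0.0 for a constant input, 8.0 for
    bytes that use all 256 values equally often.  Works on bytes or str."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def section_looks_packed(section, threshold=7.2):
    """Native or JIT-compiled code usually lands around 5.5-6.5 bits/byte;
    values close to 8 (the report gives 7.98 for .text) mean the section is
    mostly compressed or encrypted data, i.e. a packer stub or an embedded
    encrypted payload.  The threshold is a triage heuristic, not a rule."""
    return shannon_entropy(section) >= threshold


def names_look_obfuscated(names, threshold=5.0):
    """Mirror of the 'concatenated method names' check: join the identifiers
    and measure per-character entropy.  Readable identifiers reuse a small
    set of letters (roughly 4.0-4.5 bits); renamed, base64-like ones spread
    across the whole alphabet (above 5.5).  Names starting with '#=q', as in
    the report, are flagged outright: '#' is not legal in a C# identifier,
    so such names only exist after an obfuscator renamed the members."""
    joined = "".join(names)
    prefixed = bool(names) and all(n.startswith("#=q") for n in names)
    return prefixed or shannon_entropy(joined) > threshold


# Identifiers copied from the report entry for 11.0.RegAsm.exe.400000.3.unpack
OBFUSCATED_NAMES = [
    "#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=",
    "#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=",
    "#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq",
    "#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=",
]
# Constructed identifiers of the kind an unobfuscated assembly exposes
READABLE_NAMES = ["Connect", "SendBeacon", "LoadPlugin", "GetConfigValue", "Dispose"]

# Constructed section contents: deterministic pseudo-random bytes stand in for
# an encrypted payload, repeated assembler text for ordinary code or data
PACKED_LIKE = random.Random(431780).randbytes(4096)
PLAIN_LIKE = b"push ebp; mov ebp, esp; sub esp, 0x40; call dword ptr [0x401000]; " * 64


if __name__ == "__main__":
    print(f"packed-like section: {shannon_entropy(PACKED_LIKE):.3f} bits/byte")
    print(f"plain-like section:  {shannon_entropy(PLAIN_LIKE):.3f} bits/byte")
    print("obfuscated names:", names_look_obfuscated(OBFUSCATED_NAMES))
    print("readable names:  ", names_look_obfuscated(READABLE_NAMES))
```

Entropy is a triage signal, not a verdict: legitimately compressed resources, embedded certificates and signed installers also score near 8, and a loader that keeps its payload in a resource rather than in .text will show an ordinary .text value. The identifier check is the more specific of the two here, because no compiler emits '#=q' names.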

Hooking and other Techniques for Hiding and Protection:

Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: pdf.exe | Static PE information: DHL#DOCUMENTS001010.PDF.exe
Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe | Process information set: NOOPENFILEERRORBOX (25 identical entries)
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Process information set: NOOPENFILEERRORBOX (42 identical entries)
Source: C:\Users\user\AppData\Local\bhjhjkek.exe | Process information set: NOOPENFILEERRORBOX (46 identical entries)
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Process information set: NOOPENFILEERRORBOX (26 identical entries)

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: DHL#DOCUMENTS001010.PDF.exe, 00000000.00000002.767317369.00000000030F1000.00000004.00000001.sdmp, bhjhjkek.exe, 0000000E.00000002.913423269.0000000002D31000.00000004.00000001.sdmp, bhjhjkek.exe, 00000011.00000002.921745591.00000000025F1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE
Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe | Thread delayed: delay time: 922337203685477 (reported twice)
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Thread delayed: delay time: 922337203685477 (reported twice)
Source: C:\Users\user\AppData\Local\bhjhjkek.exe | Thread delayed: delay time: 922337203685477 (reported twice)
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Window / User API: threadDelayed 3389
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Window / User API: threadDelayed 6294
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Window / User API: foregroundWindowGot 360
Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe TID: 6996 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 5688 | Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Users\user\AppData\Local\bhjhjkek.exe TID: 1004 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Last function: Thread delayed
Source: bhjhjkek.exe, 00000011.00000002.921745591.00000000025F1000.00000004.00000001.sdmp | Binary or memory string: 0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: bhjhjkek.exe, 00000011.00000002.921745591.00000000025F1000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: bhjhjkek.exe, 00000011.00000002.921745591.00000000025F1000.00000004.00000001.sdmp | Binary or memory string: model0Microsoft|VMWare|Virtual
Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\bhjhjkek.exe | Process token adjusted: Debug (reported twice)
Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe | Memory allocated: page read and write | page guard
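
The memory strings above (SbieDll.dll, the Win32_BIOS and Win32_ComputerSystem queries, and the two alternation patterns) outline the sample's sandbox check, and the delay value 922337203685477 is Int64.MaxValue ticks divided by 10000 ticks per millisecond, i.e. the .NET TimeSpan.MaxValue in milliseconds. The block below is an added example rather than the sample's code, which the report does not show: it re-implements that check over constructed WMI rows so an analyst can see which host values trip it. Which WMI properties the sample feeds to each pattern is an assumption; the rows for the VMware guest, the physical workstation and the Surface device are constructed.

```python
"""Reconstruction of the VM / sandbox check implied by the memory strings
above: 'SbieDll.dll', 'SELECT * FROM Win32_BIOS', 'select * from
Win32_ComputerSystem', and the patterns 'VMware|VIRTUAL|A M I|Xen' and
'Microsoft|VMWare|Virtual'.  Added example, not code from the sample or the
sandbox; which WMI properties the sample matches each pattern against is an
assumption, and the WMI rows below are constructed."""
import re

BIOS_PATTERN = re.compile(r"VMware|VIRTUAL|A M I|Xen", re.IGNORECASE)
SYSTEM_PATTERN = re.compile(r"Microsoft|VMWare|Virtual", re.IGNORECASE)
SANDBOX_MODULES = {"sbiedll.dll"}  # injected into every process running under Sandboxie

# The 'Thread delayed' value from the report: Int64.MaxValue ticks / 10000
# ticks per ms, i.e. TimeSpan.MaxValue expressed in milliseconds.
REPORTED_DELAY_MS = 922337203685477
MS_PER_YEAR = 1000 * 60 * 60 * 24 * 365.25


def vm_indicators(win32_bios, win32_computersystem, loaded_modules):
    """Return the reasons the host looks like an analysis VM (empty = clean).
    The two dicts mimic one WMI row each; loaded_modules is a list of names."""
    reasons = []
    # Assumption: every string property of the Win32_BIOS row is tested
    bios_text = " ".join(str(v) for v in win32_bios.values())
    hit = BIOS_PATTERN.search(bios_text)
    if hit:
        reasons.append(f"Win32_BIOS matches {hit.group(0)!r}")
    # Assumption: Manufacturer and Model are the fields matched ('model'
    # sits next to the second pattern in the dumped memory)
    sys_text = " ".join(str(win32_computersystem.get(k, "")) for k in ("Manufacturer", "Model"))
    hit = SYSTEM_PATTERN.search(sys_text)
    if hit:
        reasons.append(f"Win32_ComputerSystem matches {hit.group(0)!r}")
    for mod in sorted(SANDBOX_MODULES & {m.lower() for m in loaded_modules}):
        reasons.append(f"sandbox module loaded: {mod}")
    return reasons


def timespan_max_ms():
    """TimeSpan.MaxValue in whole milliseconds (ticks are 100 ns)."""
    return (2**63 - 1) // 10_000


def delay_in_years(ms):
    return ms / MS_PER_YEAR


# Constructed WMI rows: a stock VMware guest, a physical laptop, and a
# physical Surface device (whose Manufacturer is 'Microsoft Corporation')
VMWARE_GUEST = (
    {"Manufacturer": "Phoenix Technologies LTD", "SMBIOSBIOSVersion": "6.00",
     "SerialNumber": "VMware-56 4d 11 22 33 44 55 66-77 88 99 aa bb cc dd ee",
     "Version": "INTEL  - 6040000"},
    {"Manufacturer": "VMware, Inc.", "Model": "VMware Virtual Platform"},
)
PHYSICAL_WORKSTATION = (
    {"Manufacturer": "LENOVO", "SMBIOSBIOSVersion": "N2HET55W (1.38 )",
     "SerialNumber": "PF2ABC12", "Version": "LENOVO - 1380"},
    {"Manufacturer": "LENOVO", "Model": "20XW004WUS"},
)
SURFACE_DEVICE = (
    {"Manufacturer": "Microsoft Corporation", "SMBIOSBIOSVersion": "11.101.140",
     "SerialNumber": "012345678901", "Version": "MSFT   - 1"},
    {"Manufacturer": "Microsoft Corporation", "Model": "Surface Laptop 4"},
)

if __name__ == "__main__":
    for label, rows in (("VMware guest", VMWARE_GUEST), ("workstation", PHYSICAL_WORKSTATION),
                        ("Surface", SURFACE_DEVICE)):
        print(f"{label:13} {vm_indicators(*rows, ['kernel32.dll']) or 'no indicators'}")
    print(f"reported delay = {delay_in_years(REPORTED_DELAY_MS):,.0f} years")
```

Two practical points follow from running it. First, the patterns are broader than "is this a VM": 'Microsoft' in Win32_ComputerSystem.Manufacturer also matches physical Surface hardware, and 'A M I' is the ACPI OEM id of AMI firmware on many physical boards, so the sample refuses to run on some real victims as well as on analysis VMs. Second, an analysis VM that should get past this check has to spoof both the Win32_BIOS strings (including the VMware serial number) and the ComputerSystem manufacturer and model, and must not load SbieDll.dll; the "Thread delayed" entries show that after the check the sample parks threads for what is effectively forever (about 29,000 years), which the sandbox's sleep skipping turns into the long-sleep indicators reported above.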

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe | Memory allocated: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\bhjhjkek.exe | Memory allocated: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\bhjhjkek.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000
Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 402000
Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 420000
Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 422000
Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: BB5008
Source: C:\Users\user\AppData\Local\bhjhjkek.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\bhjhjkek.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 402000
Source: C:\Users\user\AppData\Local\bhjhjkek.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 420000
Source: C:\Users\user\AppData\Local\bhjhjkek.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 422000
Source: C:\Users\user\AppData\Local\bhjhjkek.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: CD2008
Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe | Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe hjhjkfk
Source: C:\Users\user\AppData\Local\bhjhjkek.exe | Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe hjhjkfk
Source: RegAsm.exe, 0000000B.00000002.922298301.0000000003067000.00000004.00000001.sdmp, RegAsm.exe, 00000013.00000002.921219831.00000000017C0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: RegAsm.exe, 0000000B.00000002.927832507.0000000006A4B000.00000004.00000001.sdmp | Binary or memory string: Program ManagerA
Source: RegAsm.exe, 0000000B.00000002.921652035.00000000014E0000.00000002.00000001.sdmp, RegAsm.exe, 00000013.00000002.921219831.00000000017C0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 0000000B.00000002.921652035.00000000014E0000.00000002.00000001.sdmp, RegAsm.exe, 00000013.00000002.921219831.00000000017C0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: RegAsm.exe, 0000000B.00000002.927426356.000000000640E000.00000004.00000001.sdmp | Binary or memory string: Program Managerram Manager
Source: RegAsm.exe, 0000000B.00000002.927295635.000000000617C000.00000004.00000001.sdmp | Binary or memory string: Program Manager (
Source: RegAsm.exe, 0000000B.00000002.921992403.0000000002E21000.00000004.00000001.sdmp | Binary or memory string: Program Managerx
Source: RegAsm.exe, 0000000B.00000002.921652035.00000000014E0000.00000002.00000001.sdmp, RegAsm.exe, 00000013.00000002.921219831.00000000017C0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: RegAsm.exe, 0000000B.00000002.921992403.0000000002E21000.00000004.00000001.sdmp | Binary or memory string: Program Manager@2
Source: RegAsm.exe, 0000000B.00000002.928756312.000000000717E000.00000004.00000001.sdmp | Binary or memory string: Program Managerram Manager
Source: RegAsm.exe, 0000000B.00000002.927366416.00000000062CC000.00000004.00000001.sdmp | Binary or memory string: Program Managerram ManagerA
Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe | Queries volume information: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\RegAsm.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\bhjhjkek.exe | Queries volume information: C:\Users\user\AppData\Local\bhjhjkek.exe VolumeInformation (reported twice)
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\RegAsm.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
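
The entries above record a textbook hollowing chain: a double-extension lure drops a copy of the .NET RegAsm.exe utility into %TEMP%, starts it with a bogus argument, allocates RWX memory at the image base 0x400000, writes a PE (4D5A) and its sections there, and persists through a Run key that points into AppData. The block below is an added example, not part of the report, showing detection logic that would flag this chain from endpoint telemetry. The events are constructed to mirror the report's observations in a Sysmon-like shape (EventID 1 process create, 10 process access, 13 registry value set); the field names follow Sysmon, but the mapping from the sandbox's hook names to those event IDs is ours, and the two benign events are invented for contrast.

```python
"""Host-side detection of what this section records: a double-extension lure
that drops a copy of RegAsm.exe into %TEMP%, writes a PE image into it at
0x400000, and persists via a Run key pointing into AppData.  Added example,
not part of the report; the events are constructed to mirror the report's
observations in a Sysmon-like shape, and the mapping from the sandbox's hook
names to Sysmon event IDs is an assumption."""
import re

# Sysmon GrantedAccess bits that matter for writing code into another process
PROCESS_VM_OPERATION = 0x0008   # VirtualAllocEx / VirtualProtectEx
PROCESS_VM_WRITE = 0x0020       # WriteProcessMemory
INJECT_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|jpe?g|png|txt)\.(exe|scr|com|pif)$", re.IGNORECASE)
USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\(Desktop|Downloads|AppData)\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
# .NET framework utilities that loaders copy out of the framework directory and hollow
DOTNET_UTILITIES = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}
FRAMEWORK_DIR = "c:\\windows\\microsoft.net\\"


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyse(events):
    """Return (rule, detail) pairs for every event that matches a rule."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1:
            image = ev["Image"]
            if DOUBLE_EXT.search(basename(image)):
                findings.append(("double_extension", image))
            if basename(image) in DOTNET_UTILITIES and not image.lower().startswith(FRAMEWORK_DIR):
                findings.append(("dotnet_utility_outside_framework_dir", ev.get("CommandLine", image)))
        elif ev["EventID"] == 10:
            src, tgt, access = ev["SourceImage"], ev["TargetImage"], ev["GrantedAccess"]
            # a binary in a user-writable path opening a different image with write access
            if USER_WRITABLE.match(src) and (access & INJECT_MASK) == INJECT_MASK and basename(src) != basename(tgt):
                findings.append(("cross_process_write_from_user_path", f"{src} -> {tgt} (0x{access:X})"))
        elif ev["EventID"] == 13:
            if RUN_KEY.search(ev["TargetObject"]) and USER_WRITABLE.match(ev["Details"]):
                findings.append(("run_key_into_user_path", f"{ev['TargetObject']} = {ev['Details']}"))
    return findings


# Constructed events mirroring the report's process tree, plus two benign ones
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 13, "TargetObject": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\bhjhjkek",
     "Details": r"C:\Users\user\AppData\Local\bhjhjkek.exe"},
    {"EventID": 1, "Image": r"C:\Users\user\AppData\Local\Temp\RegAsm.exe",
     "CommandLine": r"C:\Users\user\AppData\Local\Temp\RegAsm.exe hjhjkfk",
     "ParentImage": r"C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe"},
    {"EventID": 10, "SourceImage": r"C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe",
     "TargetImage": r"C:\Users\user\AppData\Local\Temp\RegAsm.exe", "GrantedAccess": 0x1FFFFF},
    # benign: the genuine RegAsm.exe run by an installer, and a Run key into Program Files
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    {"EventID": 13, "TargetObject": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater",
     "Details": r"C:\Program Files\Example\Updater.exe /background"},
]

if __name__ == "__main__":
    for rule, detail in analyse(SAMPLE_EVENTS):
        print(f"{rule:40} {detail}")
```

Three caveats when turning this into production rules. Sysmon Event 10 is noisy (security products open every new process with broad rights), so the cross-process rule keys on the source living in a user-writable path and should additionally require the parent/child relation visible in the report; the Run-key rule fires on per-user installs such as OneDrive or Teams, which legitimately launch from AppData, so treat it as a triage signal to combine with the others; and the final writes at BB5008 and CD2008 sit 8 bytes into a page, which on 32-bit Windows is the PEB's ImageBaseAddress field, the fix-up a hollowing loader performs before resuming the suspended thread, so an EDR that records the target address can use "write to PEB+8 of a just-created child" as a high-confidence indicator. The ROOT\SecurityCenter2 queries listed above are invisible to Sysmon; they are only seen through the sandbox's WMI hook, which is why the report, not the host log, is where that enumeration shows up.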

              Stealing of Sensitive Information:

              barindex
              Yara detected Nanocore RATShow sources

              Remote Access Functionality:

              Detected Nanocore Rat
              Source: DHL#DOCUMENTS001010.PDF.exe, 00000000.00000002.768500563.000000000424A000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
              Source: RegAsm.exe | String found in binary or memory: NanoCore.ClientPluginHost
              Source: bhjhjkek.exe, 0000000E.00000002.916788361.0000000003E8A000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
              Source: bhjhjkek.exe, 00000011.00000002.923323005.00000000038C8000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
              Source: RegAsm.exe, 00000013.00000002.921730326.0000000003ED9000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost

              Mitre Att&ck Matrix

              Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
              Valid Accounts | Windows Management Instrumentation 1 | Registry Run Keys / Startup Folder 1 | Process Injection 312 | Masquerading 11 | Input Capture 21 | Security Software Discovery 211 | Remote Services | Input Capture 21 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
              Default Accounts | Scheduled Task/Job | DLL Side-Loading 1 | Registry Run Keys / Startup Folder 1 | Disable or Modify Tools 1 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Archive Collected Data 11 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
              Domain Accounts | At (Linux) | Logon Script (Windows) | DLL Side-Loading 1 | Virtualization/Sandbox Evasion 21 | Security Account Manager | Virtualization/Sandbox Evasion 21 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
              Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 312 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 1 | SIM Card Swap | | Carrier Billing Fraud
              Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | System Information Discovery 12 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
              Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 13 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
              External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 13 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
              Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading 1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue



Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source                         Detection  Scanner         Label
DHL#DOCUMENTS001010.PDF.exe    44%        Virustotal
DHL#DOCUMENTS001010.PDF.exe    31%        Metadefender
DHL#DOCUMENTS001010.PDF.exe    32%        ReversingLabs   ByteCode-MSIL.Downloader.Seraph
DHL#DOCUMENTS001010.PDF.exe    100%       Joe Sandbox ML

Dropped Files

Source                                         Detection  Scanner         Label
C:\Users\user\AppData\Local\bhjhjkek.exe       100%       Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\RegAsm.exe    0%         Virustotal
C:\Users\user\AppData\Local\Temp\RegAsm.exe    0%         Metadefender
C:\Users\user\AppData\Local\Temp\RegAsm.exe    0%         ReversingLabs
C:\Users\user\AppData\Local\bhjhjkek.exe       44%        Virustotal
C:\Users\user\AppData\Local\bhjhjkek.exe       31%        Metadefender
C:\Users\user\AppData\Local\bhjhjkek.exe       32%        ReversingLabs   ByteCode-MSIL.Downloader.Seraph

Note that the dropped RegAsm.exe scans clean on all three engines: it is the .NET Framework assembly-registration utility, copied to Temp and used as the host process for the injected payload. The detections for the NanoCore payload come from the memory regions unpacked inside the RegAsm.exe process, listed next.

Unpacked PE Files

Source                             Detection  Scanner  Label
11.0.RegAsm.exe.400000.3.unpack    100%       Avira    TR/Dropper.MSIL.Gen7
19.0.RegAsm.exe.400000.3.unpack    100%       Avira    TR/Dropper.MSIL.Gen7
11.2.RegAsm.exe.400000.0.unpack    100%       Avira    TR/Dropper.MSIL.Gen7
11.2.RegAsm.exe.5dd0000.19.unpack  100%       Avira    TR/NanoCore.fadte
19.0.RegAsm.exe.400000.1.unpack    100%       Avira    TR/Dropper.MSIL.Gen7
11.0.RegAsm.exe.400000.1.unpack    100%       Avira    TR/Dropper.MSIL.Gen7
19.2.RegAsm.exe.400000.0.unpack    100%       Avira    TR/Dropper.MSIL.Gen7

Domains

No Antivirus matches

URLs

Source                     Detection  Scanner          Label
startedhere.ddns.net       9%         Virustotal
startedhere.ddns.net       0%         Avira URL Cloud  safe
http://ocsp.thawte.com0    0%         URL Reputation   safe   (four identical rows in the report)
23.105.131.142             5%         Virustotal
23.105.131.142             0%         Avira URL Cloud  safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name                   Malicious  Antivirus Detection                     Reputation
startedhere.ddns.net   true       Virustotal 9%; Avira URL Cloud: safe    unknown
23.105.131.142         true       Virustotal 5%; Avira URL Cloud: safe    unknown

startedhere.ddns.net is a dynamic-DNS hostname (No-IP's ddns.net), so the address it resolves to can change between runs; pivot on the hostname as well as on 23.105.131.142.

URLs from Memory and Binaries

Name                                              Source                        Malicious  Antivirus Detection    Reputation
http://crl.thawte.com/ThawteTimestampingCA.crl0   DHL#DOCUMENTS001010.PDF.exe   false      -                      high
http://ocsp.thawte.com0                           DHL#DOCUMENTS001010.PDF.exe   false      URL Reputation: safe   unknown

Both are Thawte CRL/OCSP endpoints carried in an embedded certificate chain (the trailing "0" is a string-extraction artefact from the ASN.1 encoding); they are certificate-validation URLs, not command-and-control infrastructure.

                Contacted IPs


Public

IP               Domain    Country         ASN      ASN Name                Malicious
23.105.131.142   unknown   United States   396362   LEASEWEB-USA-NYC-11US   true

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 431780
Start date: 09.06.2021
Start time: 09:52:20
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 31s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: DHL#DOCUMENTS001010.PDF.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/10@0/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 0.6% (good quality ratio 0.4%)
• Quality average: 34.9%
• Quality standard deviation: 31.4%
HCA Information:
• Successful, ratio: 90%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• TCP Packets have been reduced to 100
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.

Simulations

Behavior and APIs

Time      Type       Description
09:54:05  Autostart  Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run bhjhjkek "C:\Users\user\AppData\Local\bhjhjkek.exe"
09:54:13  Autostart  Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run bhjhjkek "C:\Users\user\AppData\Local\bhjhjkek.exe"

The persistence is a plain per-user Run value, recorded through both the 32-bit and the 64-bit (HKCU64) registry views. The value name is the basename of the dropped file, and the file is a byte-identical copy of the submitted sample (same MD5/SHA-1/SHA-256, see Created / dropped Files) placed under the user's AppData\Local directory, a location any unprivileged process can write to.

Joe Sandbox View / Context

IPs

Match: 23.105.131.142. Other samples in Joe Sandbox that contacted this IP (all detected as malicious):
  RFQ27559404D4E5A.PDF.exe
  RFQ#21040590409448.pdf.exe
  DHL#DOCUMENTS02010910.PDF.exe
  QOUTATION#2300003590.PDF.exe
  ORDER#INQUIRY000111.PDF.exe
  RFQ#QQO2103060.PDF.exe
  RFQ#QQO2103060.PDF.exe
  AWBSHIPMENT20210000900.PDF.exe
  Order#PPO040963RG02.PDF.exe
  iOI0kJwm97.exe

Domains

No context

ASN

Match: LEASEWEB-USA-NYC-11US. Other malicious samples seen on this ASN, with the address each contacted:
  2lt24JqVH4.exe                              23.105.131.207
  RFQ27559404D4E5A.PDF.exe                    23.105.131.142
  XVIdVNjoHl.exe                              23.105.131.173
  cKWxEAbeX7.exe                              23.105.131.251
  apWkH5Vq75.exe                              23.105.131.141
  RFQ#21040590409448.pdf.exe                  23.105.131.142
  Urgent Contract Order GH7856648,pdf.exe     23.105.131.132
  DHL#DOCUMENTS02010910.PDF.exe               23.105.131.142
  QOUTATION#2300003590.PDF.exe                23.105.131.142
  Purchase Order.exe                          23.105.131.158
  Scanned Documents.exe                       23.105.131.158
  ORDER#INQUIRY000111.PDF.exe                 23.105.131.142
  URGENT ORDER 2T6U545267,pdf.exe             23.105.131.132
  9849858 PO.exe                              23.105.131.166
  Yeni sipari_ WJO-001, pdf.exe               23.105.131.132
  061195d6_by_Libranalysis.exe                23.105.131.158
  URGENT ORDER 2T6U545267,pdf.exe             23.105.131.132
  ORDER QUOTE CBM787563788265542,pdf.exe      23.105.131.132
  PO ____-34002174,pdf.exe                    23.105.131.141
  RECHNUNGSKAUF Bestellung-46509008.pdf.exe   23.105.131.132

The samples sharing 23.105.131.142 all use the same shipping/RFQ/quotation lure names with a ".PDF.exe" double extension, and the neighbouring addresses in 23.105.131.0/24 (.132, .141, .158, .166, .173, .207, .251) host further samples with the same naming style. A single IP from this range is therefore a weak indicator on its own; the hosting range together with the DDNS hostname is the better pivot.

JA3 Fingerprints

No context

Dropped Files

Match: C:\Users\user\AppData\Local\Temp\RegAsm.exe. Other malicious samples that dropped the same file:
  kyIfnzzg3E.exe
  flyZab7hHk.exe
  AedJpyQ9lM.exe
  UPDATED SOA.exe
  qdFDmi3Bhy.exe
  RFQ27559404D4E5A.PDF.exe
  Receiptn.exe
  PURCHASE LIST.exe
  SecuriteInfo.com.Trojan.PackedNET.783.10804.exe
  Y6k2VgaGck.exe
  Bank swift.exe
  tT1XWdxOYv.exe
  363IN050790620 BOOKING.exe
  New Order.exe
  RFQ#21040590409448.pdf.exe
  DHL#DOCUMENTS02010910.PDF.exe
  QOUTATION#2300003590.PDF.exe
  1p037oXV3S.exe
  BaU9m8mMFx.exe
  yl77tM4JDg.exe

Twenty unrelated-looking samples dropping a byte-identical RegAsm.exe, which itself scans clean, is the signature of a shared loader that carries the legitimate .NET utility along as its injection host rather than of a shared malicious file.

                                                                            Created / dropped Files

                                                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL#DOCUMENTS001010.PDF.exe.log
                                                                            Process:C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe
                                                                            File Type:ASCII text, with CRLF line terminators
                                                                            Category:modified
                                                                            Size (bytes):425
                                                                            Entropy (8bit):5.340009400190196
                                                                            Encrypted:false
                                                                            SSDEEP:12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:ML9E4Ks2wKDE4KhK3VZ9pKhk
                                                                            MD5:CC144808DBAF00E03294347EADC8E779
                                                                            SHA1:A3434FC71BA82B7512C813840427C687ADDB5AEA
                                                                            SHA-256:3FC7B9771439E777A8F8B8579DD499F3EB90859AD30EFD8A765F341403FC7101
                                                                            SHA-512:A4F9EB98200BCAF388F89AABAF7EA57661473687265597B13192C24F06638C6339A3BD581DF4E002F26EE1BA09410F6A2BBDB4DA0CD40B59D63A09BAA1AADD3D
                                                                            Malicious:true
                                                                            Reputation:moderate, very likely benign file
                                                                            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..
                                                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\bhjhjkek.exe.log
                                                                            Process:C:\Users\user\AppData\Local\bhjhjkek.exe
                                                                            File Type:ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):425
                                                                            Entropy (8bit):5.340009400190196
                                                                            Encrypted:false
                                                                            SSDEEP:12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:ML9E4Ks2wKDE4KhK3VZ9pKhk
                                                                            MD5:CC144808DBAF00E03294347EADC8E779
                                                                            SHA1:A3434FC71BA82B7512C813840427C687ADDB5AEA
                                                                            SHA-256:3FC7B9771439E777A8F8B8579DD499F3EB90859AD30EFD8A765F341403FC7101
                                                                            SHA-512:A4F9EB98200BCAF388F89AABAF7EA57661473687265597B13192C24F06638C6339A3BD581DF4E002F26EE1BA09410F6A2BBDB4DA0CD40B59D63A09BAA1AADD3D
                                                                            Malicious:false
                                                                            Reputation:moderate, very likely benign file
                                                                            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..
                                                                            C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                            Process:C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe
                                                                            File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):64616
                                                                            Entropy (8bit):6.037264560032456
                                                                            Encrypted:false
                                                                            SSDEEP:768:J8XcJiMjm2ieHlPyCsSuJbn8dBhFVBSMQ6Iq8TSYDKpgLaDViRLNdr:9YMaNylPYSAb8dBnTHv8DKKaDVkX
                                                                            MD5:6FD7592411112729BF6B1F2F6C34899F
                                                                            SHA1:5E5C839726D6A43C478AB0B95DBF52136679F5EA
                                                                            SHA-256:FFE4480CCC81B061F725C54587E9D1BA96547D27FE28083305D75796F2EB3E74
                                                                            SHA-512:21EFCC9DEE3960F1A64C6D8A44871742558666BB792D77ACE91236C7DBF42A6CA77086918F363C4391D9C00904C55A952E2C18BE5FA1A67A509827BFC630070D
                                                                            Malicious:true
Antivirus:
• Virustotal: 0%
• Metadefender: 0%
• ReversingLabs: 0%
Joe Sandbox View (other malicious samples that dropped this same file):
• kyIfnzzg3E.exe
• flyZab7hHk.exe
• AedJpyQ9lM.exe
• UPDATED SOA.exe
• qdFDmi3Bhy.exe
• RFQ27559404D4E5A.PDF.exe
• Receiptn.exe
• PURCHASE LIST.exe
• SecuriteInfo.com.Trojan.PackedNET.783.10804.exe
• Y6k2VgaGck.exe
• Bank swift.exe
• tT1XWdxOYv.exe
• 363IN050790620 BOOKING.exe
• New Order.exe
• RFQ#21040590409448.pdf.exe
• DHL#DOCUMENTS02010910.PDF.exe
• QOUTATION#2300003590.PDF.exe
• 1p037oXV3S.exe
• BaU9m8mMFx.exe
• yl77tM4JDg.exe
Reputation: moderate, very likely benign file
                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...xX.Z..............0.............^.... ........@.. ....................... ............`.....................................O.......8...............h>........................................................... ............... ..H............text...d.... ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B................@.......H........A...p..........T................................................~P...-.r...p.....(....(....s.....P...*..0.."........(......-.r...p.rI..p(....s....z.*...0..........(....~P.....o......*..(....*n(.....(..........%...(....*~(.....(..........%...%...(....*.(.....(..........%...%...%...(....*V.(......}Q.....}R...*..{Q...*..{R...*...0...........(.......i.=...}S......i.@...}T......i.@...}U.....+m...(....o .....r]..p.o!...,..{T.......{U........o"....+(.ra..p.o!...,..{T.......
                                                                            C:\Users\user\AppData\Local\bhjhjkek.exe
                                                                            Process:C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe
                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):607704
                                                                            Entropy (8bit):6.749029364545613
                                                                            Encrypted:false
                                                                            SSDEEP:12288:v3SBz/P5DgjDjNGPZk3Zg1Ke0lC8+lEvKlJfF05Ibmu9EgeIKxAtWO:v3IzJDgjDjNU2Jg1t0lCb3
                                                                            MD5:B7FECE0A9529306A2644CE102FE2D86A
                                                                            SHA1:767FCF70A98DD70D9035DFE4FCCA04E17CDEBFDE
                                                                            SHA-256:F9284667090735ECCB6110C4C9E33122890570B6F10798EF57370740C4D9DB6D
                                                                            SHA-512:04092525491ADD6E159FDD19E720CD0D38CFB4FA037907B1D08AAFF9AA3833A2F0387A1169026831C0F2FE388DBE2C6C0B47EE5814CE6C64680F27A3849D1099
                                                                            Malicious:true
                                                                            Yara Hits:
                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\Users\user\AppData\Local\bhjhjkek.exe, Author: Joe Security
Antivirus:
• Joe Sandbox ML: 100%
• Virustotal: 44%
• Metadefender: 31%
• ReversingLabs: 32%
                                                                            Reputation:low
                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....`.....................p........... ........@.. ....................................@.................................p...K.......tl...........*.......`....................................................... ............... ..H............text....... ...................... ..`.rsrc...tl.......n..................@..@.reloc.......`.......(..............@..B........................H.......87..X.......'....e...q............................................9.....:....8....(....8....(....8....*..*..j...:....&(....8....&8....*..*..j...:....&(....8....&8....*..*...*..j...:....&(....8....&8....*..*...*...*...*...*...0..z.......s.....:P...&s.....:N...&s.....:L...&s.........~....r...pr...po....~....rO..pra..po....8.........8.........8.........8....*......:....&:....8....&8....r...p*...:....&o....8....&8....*...0..........(....o.....:....&..:....&8f....8.....8..
                                                                            C:\Users\user\AppData\Local\bhjhjkek.exe:Zone.Identifier
                                                                            Process:C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe
                                                                            File Type:ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):26
                                                                            Entropy (8bit):3.95006375643621
                                                                            Encrypted:false
                                                                            SSDEEP:3:ggPYV:rPYV
                                                                            MD5:187F488E27DB4AF347237FE461A079AD
                                                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                            Malicious:true
                                                                            Reputation:high, very likely benign file
                                                                            Preview: [ZoneTransfer]....ZoneId=0
                                                                            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                                                            Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):232
                                                                            Entropy (8bit):7.024371743172393
                                                                            Encrypted:false
                                                                            SSDEEP:6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
                                                                            MD5:32D0AAE13696FF7F8AF33B2D22451028
                                                                            SHA1:EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
                                                                            SHA-256:5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
                                                                            SHA-512:1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
                                                                            Malicious:false
                                                                            Reputation:moderate, very likely benign file
                                                                            Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.
                                                                            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                                                            Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                            File Type:ISO-8859 text, with no line terminators, with escape sequences
                                                                            Category:dropped
                                                                            Size (bytes):8
                                                                            Entropy (8bit):3.0
                                                                            Encrypted:false
                                                                            SSDEEP:3:uh:2
                                                                            MD5:290BBB2342B623C21C98E5B0AFF6126A
                                                                            SHA1:DFFF467E660EB007454A2E677B3C81D60296A296
                                                                            SHA-256:5BC0B7B765A4BA88635ED78FB9EF64DA054F77B354F5B6A0C9370AF18EF83694
                                                                            SHA-512:652B1A33D06529AAF40A063D737039799562D58BBFEB9AAA0744605A11DAC2FEC3598232BFC890A34785D1CC7AA1E27704DA5A27935A82E6FAD2FA804F803DFC
                                                                            Malicious:true
                                                                            Reputation:low
                                                                            Preview: .e=..+.H
                                                                            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bak
                                                                            Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):24
                                                                            Entropy (8bit):4.501629167387823
                                                                            Encrypted:false
                                                                            SSDEEP:3:9bzY6oRDIvYk:RzWDI3
                                                                            MD5:ACD3FB4310417DC77FE06F15B0E353E6
                                                                            SHA1:80E7002E655EB5765FDEB21114295CB96AD9D5EB
                                                                            SHA-256:DC3AE604991C9BB8FF8BC4502AE3D0DB8A3317512C0F432490B103B89C1A4368
                                                                            SHA-512:DA46A917DB6276CD4528CFE4AD113292D873CA2EBE53414730F442B83502E5FAF3D1AE87BFA295ADF01E3B44FDBCE239E21A318BFB2CCD1F4753846CB21F6F97
                                                                            Malicious:false
                                                                            Preview: 9iH...}Z.4..f..J".C;"a
                                                                            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                                                                            Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):64
                                                                            Entropy (8bit):5.320159765557392
                                                                            Encrypted:false
                                                                            SSDEEP:3:9bzY6oRDIvYVsRLY6oRDT6P2bfVn1:RzWDIfRWDT621
                                                                            MD5:BB0F9B9992809E733EFFF8B0E562CFD6
                                                                            SHA1:F0BAB3CF73A04F5A689E6AFC764FEE9276992742
                                                                            SHA-256:C48F04FE7525AA3A3F9540889883F649726233DE021724823720A59B4F37CEAC
                                                                            SHA-512:AE4280AA460DC1C0301D458A3A443F6884A0BE37481737B2ADAFD72C33C55F09BED88ED239C91FE6F19CA137AC3CD7C9B8454C21D3F8E759687F701C8B3C7A16
                                                                            Malicious:false
                                                                            Preview: 9iH...}Z.4..f..J".C;"a9iH...}Z.4..f.~a........~.~.......3.U.
                                                                            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                                                                            Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):327432
                                                                            Entropy (8bit):7.99938831605763
                                                                            Encrypted:true
                                                                            SSDEEP:6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
                                                                            MD5:7E8F4A764B981D5B82D1CC49D341E9C6
                                                                            SHA1:D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
                                                                            SHA-256:0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
                                                                            SHA-512:880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
                                                                            Malicious:false
                                                                            Preview: pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.)*.....{B.[...y%.*..i.Q.<..xt.X..H.. ..HF7g...I.*3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^*I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.|i4...i...;O...n.?.,. ....v?.5}.OY@.dG|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`|.B....3.....I..o...u1..8i=.z.W..7

                                                                            Static File Info

                                                                            General

                                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                            Entropy (8bit):6.749029364545613
                                                                            TrID:
                                                                            • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                                            • Win32 Executable (generic) a (10002005/4) 49.97%
                                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                                            • DOS Executable Generic (2002/1) 0.01%
                                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                            File name:DHL#DOCUMENTS001010.PDF.exe
                                                                            File size:607704
                                                                            MD5:b7fece0a9529306a2644ce102fe2d86a
                                                                            SHA1:767fcf70a98dd70d9035dfe4fcca04e17cdebfde
                                                                            SHA256:f9284667090735eccb6110c4c9e33122890570b6f10798ef57370740c4d9db6d
                                                                            SHA512:04092525491add6e159fdd19e720cd0d38cfb4fa037907b1d08aaff9aa3833a2f0387a1169026831c0f2fe388dbe2c6c0b47ee5814ce6c64680f27a3849d1099
                                                                            SSDEEP:12288:v3SBz/P5DgjDjNGPZk3Zg1Ke0lC8+lEvKlJfF05Ibmu9EgeIKxAtWO:v3IzJDgjDjNU2Jg1t0lCb3
                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`.....................p........... ........@.. ....................................@................................

                                                                            File Icon

                                                                            Icon Hash:74f2dbb284c2e2ee

                                                                            Static PE Info

                                                                            General

                                                                            Entrypoint:0x44d7be
                                                                            Entrypoint Section:.text
                                                                            Digitally signed:true
                                                                            Imagebase:0x400000
                                                                            Subsystem:windows gui
                                                                            Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                                                            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                            Time Stamp:0x60BFE88A [Tue Jun 8 22:00:42 2021 UTC]
                                                                            TLS Callbacks:
                                                                            CLR (.Net) Version:v4.0.30319
                                                                            OS Version Major:4
                                                                            OS Version Minor:0
                                                                            File Version Major:4
                                                                            File Version Minor:0
                                                                            Subsystem Version Major:4
                                                                            Subsystem Version Minor:0
                                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                            Authenticode Signature

Signature Valid:false
Signature Issuer:CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error:The digital signature of the object did not verify
Error Number:-2146869232 (HRESULT 0x80096010, TRUST_E_BAD_DIGEST: the digest signed inside the certificate table is not this file's Authenticode hash)
Not Before:8/25/2016 2:00:00 AM
Not After:10/9/2019 2:00:00 PM
Subject Chain:
• CN="OpenVPN Technologies, Inc.", O="OpenVPN Technologies, Inc.", L=Pleasanton, S=California, C=US
                                                                            Version:3
                                                                            Thumbprint MD5:6146F700D6452042DC954108EBA73447
                                                                            Thumbprint SHA-1:21F94C255A8B20D21A323CA5ACB8EBF284E09037
                                                                            Thumbprint SHA-256:BAA11FF9D7FEDEC30BC343F6F0E85B3256EA8155573E862B17C15DCB2596C678
                                                                            Serial:03E49B29AE75DF4C50DC1662670776B9
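Error Number -2146869232 is HRESULT 0x80096010 (TRUST_E_BAD_DIGEST): a certificate table is present, but the digest it signs is not this file's Authenticode hash. The security directory (offset 0x92a00, size 0x1bd8) ends at byte 0x945d8 = 607704, the file size, so the signature block is simply the trailing 0x1bd8 bytes appended after .reloc; the "Is in Section .rsrc" label in the data directory table is an artefact of reading that field as an RVA, while the security directory holds a raw file offset. Below is an added example, not code from the report or from Joe Sandbox, that computes the Authenticode hash over a constructed minimal PE32 and shows why a signature block taken from another binary (here a chain issued to OpenVPN Technologies) cannot verify: the certificate table, the CheckSum field and the security directory entry are excluded from the hash, so appending a foreign blob changes nothing about what the original signer signed. build_sample_pe, demo, the 0xDEADBEEF checksum and the placeholder certificate bytes are constructed for this illustration.

```python
import hashlib
import struct

# Added example (not part of the Joe Sandbox report): compute the Authenticode
# hash of a PE image the way WinVerifyTrust does (skipping CheckSum, the
# security directory entry and the certificate table) and show why a
# signature block lifted from another binary yields TRUST_E_BAD_DIGEST.


def authenticode_hash(pe: bytes, algo: str = "sha256") -> str:
    """Authenticode digest of a PE32/PE32+ image per the MS Authenticode PE signature format."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]          # 0x10B = PE32, 0x20B = PE32+
    size_of_headers = struct.unpack_from("<I", pe, opt + 60)[0]
    checksum_off = opt + 64
    datadir_off = opt + (96 if magic == 0x10B else 112)
    secdir_off = datadir_off + 4 * 8                    # IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_size = struct.unpack_from("<II", pe, secdir_off)  # raw file offset, not an RVA

    h = hashlib.new(algo)
    h.update(pe[:checksum_off])                          # headers up to CheckSum
    h.update(pe[checksum_off + 4:secdir_off])            # skip CheckSum, up to the security entry
    h.update(pe[secdir_off + 8:size_of_headers])         # skip the security entry, rest of headers

    sections = []
    table = opt + opt_size
    for i in range(nsections):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, table + i * 40 + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    hashed = size_of_headers
    for raw_ptr, raw_size in sorted(sections):          # ascending PointerToRawData
        h.update(pe[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size

    if len(pe) > hashed:                                 # overlay: hash all of it except the cert table
        tail = bytearray(pe[hashed:])
        if cert_size:
            del tail[cert_off - hashed:cert_off - hashed + cert_size]
        h.update(bytes(tail))
    return h.hexdigest()


def build_sample_pe(code: bytes, cert: bytes = b"") -> bytes:
    """Constructed minimal PE32 (one .text section, optional appended certificate table)."""
    HDR, RAW = 0x200, 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 60, HDR)                 # SizeOfHeaders
    struct.pack_into("<I", opt, 64, 0xDEADBEEF)          # CheckSum: arbitrary, it is never hashed
    struct.pack_into("<I", opt, 92, 16)                  # NumberOfRvaAndSizes
    if cert:
        struct.pack_into("<II", opt, 96 + 4 * 8, HDR + RAW, len(cert))
    sect = bytearray(40)
    sect[:5] = b".text"
    struct.pack_into("<IIII", sect, 8, len(code), 0x1000, RAW, HDR)
    headers = bytes(dos + coff + opt + sect).ljust(HDR, b"\0")
    return headers + code.ljust(RAW, b"\0") + cert


def hresult(err: int) -> str:
    """Render a signed Win32 error number as the HRESULT Windows tools print."""
    return f"0x{err & 0xFFFFFFFF:08X}"


def demo() -> dict:
    code = b"\xff\x25\x00\x20\x40\x00"                   # jmp dword ptr [0x402000], the .NET stub
    stolen_cert = b"WIN_CERTIFICATE blob copied from a different, genuinely signed binary"
    unsigned = build_sample_pe(code)
    with_foreign_sig = build_sample_pe(code, stolen_cert)
    tampered = build_sample_pe(code + b"\x90", stolen_cert)
    return {
        "hash_unsigned": authenticode_hash(unsigned),
        "hash_with_foreign_sig": authenticode_hash(with_foreign_sig),  # identical to the unsigned hash
        "hash_tampered": authenticode_hash(tampered),                  # any byte in a section changes it
        "error": hresult(-2146869232),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Because the appended certificate table does not enter the hash, the only digest the verifier can compare against is the one signed inside that table, which belongs to whatever file the block was copied from; hence the bad-digest result regardless of how legitimate the DigiCert chain itself is.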

                                                                            Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al (repeated 97 times)

The jmp goes through the single IAT slot at 0x2000 to mscoree!_CorExeMain, the standard native entry stub of a .NET executable; the 97 "add byte ptr [eax], al" lines are the zero bytes (opcode 00 00) that follow the stub, not code.

                                                                            Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x4d770          0x4b          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x4e000          0x46c74       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x92a00          0x1bd8        .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x96000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                            Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0x4b7c4       0x4b800   False     0.979075046565   data       7.98213921813   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0x4e000          0x46c74       0x46e00   False     0.197964891975   data       4.61492882254   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x96000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
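The .text section holds 0x4b800 of the file's 607704 bytes at entropy 7.98 and ZLIB complexity 0.979, i.e. it is essentially incompressible. In a .NET image the IL, metadata and managed resources all live in .text, so those numbers indicate an embedded compressed or encrypted payload rather than ordinary IL, which fits the Costura assembly-loader detection in the signature list. The following added example, not the report's own code, reproduces the Entropy and ZLIB Complexity columns for arbitrary byte blobs and derives a packed/encrypted verdict from them; the sample blobs (sized like the three sections), the 7.0/0.9 thresholds and the classify_section function are constructed for this illustration.

```python
import hashlib
import math
import zlib
from collections import Counter

# Added example (not the report's code): recompute the Entropy and ZLIB
# Complexity columns of the section table and turn them into a verdict.


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for a constant blob, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def zlib_complexity(data: bytes) -> float:
    """Compressed size divided by raw size: near 0 for repetitive data, near 1 when incompressible."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def classify_section(name: str, data: bytes, is_code: bool) -> dict:
    """Verdict per section; the 7.0 / 0.9 thresholds are this example's assumption, not the sandbox's."""
    ent, cpx = shannon_entropy(data), zlib_complexity(data)
    packed = ent > 7.0 and cpx > 0.9
    note = ""
    if packed and is_code:
        note = "incompressible code section: embedded compressed or encrypted payload, not plain IL/x86"
    return {"name": name, "entropy": round(ent, 3), "zlib_complexity": round(cpx, 3),
            "packed_or_encrypted": packed, "note": note}


def constructed_random(n: int) -> bytes:
    """Deterministic high-entropy blob (SHA-256 counter stream) standing in for an encrypted payload."""
    out = bytearray()
    i = 0
    while len(out) < n:
        out += hashlib.sha256(i.to_bytes(4, "little")).digest()
        i += 1
    return bytes(out[:n])


def demo() -> list:
    """Constructed stand-ins sized like the sample's three sections."""
    samples = [
        (".text", constructed_random(0x4B800), True),
        (".rsrc", (b"\x00" * 48 + b"ICON DATA ").ljust(0x46E00, b"\x00"), False),
        (".reloc", b"\x00" * 0x200, False),
    ]
    return [classify_section(name, data, is_code) for name, data, is_code in samples]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Entropy alone is ambiguous (a well-compressed icon or a font scores high too); reading it together with the section's characteristics, as the table does, is what separates "resource data" from "code section that cannot be code".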

                                                                            Resources

Name           RVA      Size     Type                                                                                                    Language  Country
RT_ICON        0x4e1f0  0x42028  dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 0, next used block 0
RT_ICON        0x90218  0x25a8   data
RT_ICON        0x927c0  0x10a8   data
RT_ICON        0x93868  0x988    data
RT_ICON        0x941f0  0x468    GLS_BINARY_LSB_FIRST
RT_GROUP_ICON  0x94658  0x4c     data
RT_VERSION     0x946a4  0x3ca    data
RT_MANIFEST    0x94a70  0x204    XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators

                                                                            Imports

DLL          Import
mscoree.dll  _CorExeMain

                                                                            Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2020-2021 by David Xanatos (xanasoft.com)
Assembly Version  5.49.7.0
InternalName      aajfkfkf.exe
FileVersion       5.49.7.0
CompanyName       sandboxie-plus.com
LegalTrademarks
Comments          Sandboxie Installer
ProductName       Sandboxie
ProductVersion    5.49.7.0
FileDescription   Sandboxie Installer
OriginalFilename  aajfkfkf.exe

Three identities disagree here: the version resource presents the file as the Sandboxie-Plus installer 5.49.7.0, the certificate chain in the (failed) Authenticode signature belongs to OpenVPN Technologies, and the submitted name imitates a DHL PDF document, while InternalName/OriginalFilename aajfkfkf.exe matches none of them. A version resource, signer and filename that do not agree is itself a triage signal.

                                                                            Network Behavior

                                                                            Snort IDS Alerts

Timestamp                 Protocol  SID      Message                             Source Port  Dest Port  Source IP    Dest IP
06/09/21-09:54:09.372256  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49765        2092       192.168.2.4  23.105.131.142
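The alert's 5-tuple (192.168.2.4:49765 to 23.105.131.142:2092, TCP) is the one session listed in the TCP Packets table that follows. As an added example that is not part of the report, the code below parses rows in that table's format, rebuilds client/server flows, flags bidirectional sessions to public addresses on ports outside an assumed allow-list, and checks that the IDS alert maps onto one of them. The PACKETS text is transcribed from the first rows and the last row of the report's table; COMMON_PORTS, parse_packets, summarize_flows, suspicious_flows and alert_matches_flow are constructed for this illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Added example (not from the report): rebuild flows from the sandbox's packet
# list and map the Snort alert onto the flow it describes.

# Rows transcribed from the report's TCP Packets table (first rows and the last one).
PACKETS = """\
Jun 9, 2021 09:54:08.782638073 CEST 49765 2092 192.168.2.4 23.105.131.142
Jun 9, 2021 09:54:09.211910009 CEST 2092 49765 23.105.131.142 192.168.2.4
Jun 9, 2021 09:54:09.215245008 CEST 49765 2092 192.168.2.4 23.105.131.142
Jun 9, 2021 09:54:09.372256041 CEST 49765 2092 192.168.2.4 23.105.131.142
Jun 9, 2021 09:54:09.727755070 CEST 2092 49765 23.105.131.142 192.168.2.4
Jun 9, 2021 09:54:09.745654106 CEST 49765 2092 192.168.2.4 23.105.131.142
Jun 9, 2021 09:54:10.866791010 CEST 2092 49765 23.105.131.142 192.168.2.4
"""
# The Snort row from the report: timestamp, proto, SID, message, sport, dport, src, dst.
SNORT_ALERT = ("06/09/21-09:54:09.372256", "TCP", 2025019, "ET TROJAN Possible NanoCore C2 60B",
               49765, 2092, "192.168.2.4", "23.105.131.142")

ROW = re.compile(r"^(\w{3} \d+, \d{4} \d\d:\d\d:\d\d\.\d+) \w+ (\d+) (\d+) (\S+) (\S+)$")
COMMON_PORTS = {80, 443, 53, 25, 587, 993, 995}      # assumption: what counts as a standard port


def parse_packets(text: str) -> list:
    """(timestamp, src_port, dst_port, src_ip, dst_ip) tuples; nanosecond stamps trimmed to microseconds."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1)[:-3], "%b %d, %Y %H:%M:%S.%f")
            rows.append((ts, int(m.group(2)), int(m.group(3)), m.group(4), m.group(5)))
    return rows


def summarize_flows(rows: list) -> dict:
    """Group packets by (client, server, server_port); the RFC 1918 side is the client in this capture."""
    flows = defaultdict(lambda: {"out": 0, "in": 0, "first": None, "last": None})
    for ts, sport, dport, src, dst in rows:
        if ipaddress.ip_address(src).is_private and not ipaddress.ip_address(dst).is_private:
            key, direction = (src, dst, dport), "out"
        else:
            key, direction = (dst, src, sport), "in"
        f = flows[key]
        f[direction] += 1
        f["first"] = ts if f["first"] is None else min(f["first"], ts)
        f["last"] = ts if f["last"] is None else max(f["last"], ts)
    return dict(flows)


def suspicious_flows(flows: dict) -> list:
    """Bidirectional sessions to a public host on a port outside COMMON_PORTS."""
    found = []
    for (client, server, port), f in flows.items():
        if port not in COMMON_PORTS and f["in"] and f["out"]:
            found.append({"client": client, "server": server, "port": port,
                          "packets": f["in"] + f["out"],
                          "duration_s": round((f["last"] - f["first"]).total_seconds(), 6)})
    return found


def alert_matches_flow(alert: tuple, flows: dict) -> bool:
    """True when the IDS alert's client/server/port triple is one of the rebuilt flows."""
    _, _, _, _, _sport, dport, src, dst = alert
    return (src, dst, dport) in flows


if __name__ == "__main__":
    flows = summarize_flows(parse_packets(PACKETS))
    for hit in suspicious_flows(flows):
        print(hit, "matches alert" if alert_matches_flow(SNORT_ALERT, flows) else "")
```

The port check is only a coarse pre-filter; the ET signature itself matches on payload, and the flow view is what lets an analyst confirm that the alerted packet belongs to an established two-way session rather than a stray probe.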

                                                                            Network Port Distribution

                                                                            TCP Packets


                                                                            Code Manipulations

                                                                            Statistics

                                                                            Behavior

                                                                            System Behavior

                                                                            General

                                                                            Start time:09:53:09
                                                                            Start date:09/06/2021
                                                                            Path:C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:'C:\Users\user\Desktop\DHL#DOCUMENTS001010.PDF.exe'
                                                                            Imagebase:0xca0000
                                                                            File size:607704 bytes
                                                                            MD5 hash:B7FECE0A9529306A2644CE102FE2D86A
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:.Net C# or VB.NET
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.767317369.00000000030F1000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000000.644449963.0000000000CA2000.00000002.00020000.sdmp, Author: Joe Security
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.768500563.000000000424A000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.768500563.000000000424A000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.768500563.000000000424A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.768627185.0000000004329000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.768627185.0000000004329000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.768627185.0000000004329000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.766443926.0000000000CA2000.00000002.00020000.sdmp, Author: Joe Security
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.767390433.0000000003140000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.767390433.0000000003140000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.768765358.00000000043C8000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.768765358.00000000043C8000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.768765358.00000000043C8000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            Reputation:low

                                                                            General

                                                                            Start time:09:54:05
                                                                            Start date:09/06/2021
                                                                            Path:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Users\user\AppData\Local\Temp\RegAsm.exe hjhjkfk
                                                                            Imagebase:0x9a0000
                                                                            File size:64616 bytes
                                                                            MD5 hash:6FD7592411112729BF6B1F2F6C34899F
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:.Net C# or VB.NET
                                                                            Yara matches:
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.919456791.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.919456791.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.919456791.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.928006695.0000000006AA0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.928006695.0000000006AA0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.927086659.0000000005DD0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.927086659.0000000005DD0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.927086659.0000000005DD0000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.927717545.00000000068D0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.927717545.00000000068D0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.927972563.0000000006A90000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.927972563.0000000006A90000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.928481566.0000000006B30000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.928481566.0000000006B30000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.927934540.0000000006A80000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.927934540.0000000006A80000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.923206884.0000000003E7F000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.928049608.0000000006AB0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.928049608.0000000006AB0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.921992403.0000000002E21000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.921992403.0000000002E21000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000000.765891937.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000000.765891937.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 0000000B.00000000.765891937.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.927902201.0000000006A70000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.927902201.0000000006A70000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.923629464.000000000410E000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.928268197.0000000006AF0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.928268197.0000000006AF0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.928208155.0000000006AE0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.928208155.0000000006AE0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.927748989.00000000068E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.927748989.00000000068E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000000.765519849.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000000.765519849.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 0000000B.00000000.765519849.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.926591236.00000000054A0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.926591236.00000000054A0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.927857463.0000000006A50000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.927857463.0000000006A50000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.928087795.0000000006AC0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.928087795.0000000006AC0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.923284531.0000000003EF0000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.923284531.0000000003EF0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            Antivirus matches:
                                                                            • Detection: 0%, Virustotal
                                                                            • Detection: 0%, Metadefender
                                                                            • Detection: 0%, ReversingLabs
                                                                            Reputation:high

                                                                            General

                                                                            Start time:09:54:13
                                                                            Start date:09/06/2021
                                                                            Path:C:\Users\user\AppData\Local\bhjhjkek.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:'C:\Users\user\AppData\Local\bhjhjkek.exe'
                                                                            Imagebase:0x7c0000
                                                                            File size:607704 bytes
                                                                            MD5 hash:B7FECE0A9529306A2644CE102FE2D86A
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:.Net C# or VB.NET
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000E.00000002.910382533.00000000007C2000.00000002.00020000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000E.00000002.913423269.0000000002D31000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000E.00000000.782814633.00000000007C2000.00000002.00020000.sdmp, Author: Joe Security
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000E.00000002.916788361.0000000003E8A000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.916788361.0000000003E8A000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.916788361.0000000003E8A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000E.00000002.917015051.0000000003F69000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.917015051.0000000003F69000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.917015051.0000000003F69000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000E.00000002.917166768.0000000004008000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.917166768.0000000004008000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.917166768.0000000004008000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000E.00000002.914492634.0000000002E66000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.914492634.0000000002E66000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\Users\user\AppData\Local\bhjhjkek.exe, Author: Joe Security
                                                                            Antivirus matches:
                                                                            • Detection: 100%, Joe Sandbox ML
                                                                            • Detection: 44%, Virustotal
                                                                            • Detection: 31%, Metadefender
                                                                            • Detection: 32%, ReversingLabs
                                                                            Reputation:low

                                                                            General

                                                                            Start time:09:54:22
                                                                            Start date:09/06/2021
                                                                            Path:C:\Users\user\AppData\Local\bhjhjkek.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:'C:\Users\user\AppData\Local\bhjhjkek.exe'
                                                                            Imagebase:0x290000
                                                                            File size:607704 bytes
                                                                            MD5 hash:B7FECE0A9529306A2644CE102FE2D86A
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:.Net C# or VB.NET
                                                                            Yara matches:
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000011.00000002.923323005.00000000038C8000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.923323005.00000000038C8000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 00000011.00000002.923323005.00000000038C8000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000011.00000002.923195254.0000000003829000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.923195254.0000000003829000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 00000011.00000002.923195254.0000000003829000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000011.00000002.919434619.0000000000292000.00000002.00020000.sdmp, Author: Joe Security
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000011.00000002.922180168.00000000027EC000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: NanoCore, Description: unknown, Source: 00000011.00000002.922180168.00000000027EC000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000011.00000000.801027556.0000000000292000.00000002.00020000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000011.00000002.921745591.00000000025F1000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000011.00000002.923041905.000000000374A000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.923041905.000000000374A000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 00000011.00000002.923041905.000000000374A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            Reputation:low

                                                                            General

                                                                            Start time:09:55:09
                                                                            Start date:09/06/2021
                                                                            Path:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Users\user\AppData\Local\Temp\RegAsm.exe hjhjkfk
                                                                            Imagebase:0xb50000
                                                                            File size:64616 bytes
                                                                            MD5 hash:6FD7592411112729BF6B1F2F6C34899F
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:.Net C# or VB.NET
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.921730326.0000000003ED9000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 00000013.00000002.921730326.0000000003ED9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000013.00000000.902721900.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000000.902721900.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 00000013.00000000.902721900.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000013.00000000.903322514.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000000.903322514.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 00000013.00000000.903322514.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.921433877.0000000002ED1000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 00000013.00000002.921433877.0000000002ED1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000013.00000002.919456275.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.919456275.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 00000013.00000002.919456275.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            Reputation:high

                                                                            Disassembly

                                                                            Code Analysis
