
Analysis Report 20014464370.PDF.exe

Overview

General Information

Sample Name: 20014464370.PDF.exe
Analysis ID: 432418
MD5: cac542cd84be91ea0acfb9cd1964397d
SHA1: 339d543a12e1f849bfe14a71c4a05106380548ab
SHA256: 49c28c9ab46c71450929ffc850dc411cf24f125659cc253f0ee5fb16a59e3f7f
Tags: exe, NanoCore

Most interesting Screenshot:

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • 20014464370.PDF.exe (PID: 5480 cmdline: 'C:\Users\user\Desktop\20014464370.PDF.exe' MD5: CAC542CD84BE91EA0ACFB9CD1964397D)
    • RegAsm.exe (PID: 5612 cmdline: C:\Users\user\AppData\Local\Temp\RegAsm.exe gyujnbgh MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • AAAstarupxxzzzgb.exe (PID: 3604 cmdline: 'C:\Users\user\AppData\Local\Temp\AAAstarupxxzzzgb.exe' MD5: C7330A70647D84A218BBE2E6D245DCE3)
  • lkjhgfs.exe (PID: 1848 cmdline: 'C:\Users\user\AppData\Local\lkjhgfs.exe' MD5: CAC542CD84BE91EA0ACFB9CD1964397D)
    • RegAsm.exe (PID: 964 cmdline: C:\Users\user\AppData\Local\Temp\RegAsm.exe gyujnbgh MD5: 6FD7592411112729BF6B1F2F6C34899F)
  • lkjhgfs.exe (PID: 5188 cmdline: 'C:\Users\user\AppData\Local\lkjhgfs.exe' MD5: CAC542CD84BE91EA0ACFB9CD1964397D)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "ba5f434c-3370-4fb7-bec8-4c7f593d", "Group": "Grace", "Domain1": "23.105.131.142", "Domain2": "startedhere.ddns.net", "Port": 2092, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Initial Sample

Source | Rule | Description | Author
20014464370.PDF.exe | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security

Dropped Files

Source | Rule | Description | Author
C:\Users\user\AppData\Local\Temp\AAAstarupxxzzzgb.exe | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
C:\Users\user\AppData\Local\lkjhgfs.exe | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security

Memory Dumps

Source | Rule | Description | Author (matched strings listed below each row)
0000000C.00000002.508404585.0000000005220000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x16e3:$x1: NanoCore.ClientPluginHost
  • 0x171c:$x2: IClientNetworkHost
0000000C.00000002.508404585.0000000005220000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x16e3:$x2: NanoCore.ClientPluginHost
  • 0x1800:$s4: PipeCreated
  • 0x16fd:$s5: IClientLoggingHost
0000000C.00000002.509028437.0000000006560000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x350b:$x1: NanoCore.ClientPluginHost
  • 0x3525:$x2: IClientNetworkHost
0000000C.00000002.509028437.0000000006560000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x350b:$x2: NanoCore.ClientPluginHost
  • 0x52b6:$s4: PipeCreated
  • 0x34f8:$s5: IClientLoggingHost
00000017.00000000.484413891.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
(121 entries in the full report; only the first are shown)

Unpacked PEs

Source | Rule | Description | Author (matched strings listed below each row)
12.2.RegAsm.exe.6560000.35.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x350b:$x1: NanoCore.ClientPluginHost
  • 0x3525:$x2: IClientNetworkHost
12.2.RegAsm.exe.6560000.35.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x350b:$x2: NanoCore.ClientPluginHost
  • 0x52b6:$s4: PipeCreated
  • 0x34f8:$s5: IClientLoggingHost
12.2.RegAsm.exe.4f80000.22.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xd9ad:$x1: NanoCore.ClientPluginHost
  • 0xd9da:$x2: IClientNetworkHost
12.2.RegAsm.exe.4f80000.22.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xd9ad:$x2: NanoCore.ClientPluginHost
  • 0xea88:$s4: PipeCreated
  • 0xd9c7:$s5: IClientLoggingHost
12.2.RegAsm.exe.4f80000.22.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
(267 entries in the full report; only the first are shown)

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ProcessId: 5612, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ProcessId: 5612, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

System Summary:

Sigma detected: Possible Applocker Bypass
Source: Process started, Author: juju4, Data: Command: C:\Users\user\AppData\Local\Temp\RegAsm.exe gyujnbgh, CommandLine: C:\Users\user\AppData\Local\Temp\RegAsm.exe gyujnbgh, CommandLine|base64offset|contains: +!, Image: C:\Users\user\AppData\Local\Temp\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ParentCommandLine: 'C:\Users\user\Desktop\20014464370.PDF.exe', ParentImage: C:\Users\user\Desktop\20014464370.PDF.exe, ParentProcessId: 5480, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\RegAsm.exe gyujnbgh, ProcessId: 5612

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ProcessId: 5612, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ProcessId: 5612, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

AV Detection:

Found malware configuration
Source: 00000017.00000002.498671862.0000000002DA1000.00000004.00000001.sdmp, Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "ba5f434c-3370-4fb7-bec8-4c7f593d", "Group": "Grace", "Domain1": "23.105.131.142", "Domain2": "startedhere.ddns.net", "Port": 2092, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Multi AV Scanner detection for domain / URL
Source: startedhere.ddns.net, Virustotal: Detection: 8%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\lkjhgfs.exe, ReversingLabs: Detection: 14%
Multi AV Scanner detection for submitted file
Source: 20014464370.PDF.exe, Virustotal: Detection: 28%
Source: 20014464370.PDF.exe, ReversingLabs: Detection: 14%
Yara detected Nanocore RAT
Source: Yara match, File source: Process Memory Space: RegAsm.exe PID: 5612, type: MEMORY
Source: Yara match, File source: Process Memory Space: 20014464370.PDF.exe PID: 5480, type: MEMORY
Source: Yara match, File source: Process Memory Space: RegAsm.exe PID: 964, type: MEMORY
Source: Yara match, File source: Process Memory Space: lkjhgfs.exe PID: 5188, type: MEMORY
Source: Yara match, File source: Process Memory Space: lkjhgfs.exe PID: 1848, type: MEMORY
Source: 12.2.RegAsm.exe.4f80000.22.unpack, Avira: Label: TR/NanoCore.fadte
Source: 23.0.RegAsm.exe.400000.1.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 23.2.RegAsm.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 23.0.RegAsm.exe.400000.3.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.0.RegAsm.exe.400000.1.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.2.RegAsm.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.0.RegAsm.exe.400000.3.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 20014464370.PDF.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: 20014464370.PDF.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: RegAsm.pdb source: RegAsm.exe, RegAsm.exe.1.dr
          Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: RegAsm.exe, 0000000C.00000002.498724882.0000000002731000.00000004.00000001.sdmp
          Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 0000000C.00000002.493736550.0000000000442000.00000002.00020000.sdmp, RegAsm.exe, 00000017.00000002.493683200.0000000000A42000.00000002.00020000.sdmp, RegAsm.exe.1.dr
          Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegAsm.exe, 0000000C.00000002.498724882.0000000002731000.00000004.00000001.sdmp
          Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: RegAsm.exe, 0000000C.00000002.498724882.0000000002731000.00000004.00000001.sdmp
          Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: RegAsm.exe, 0000000C.00000002.498724882.0000000002731000.00000004.00000001.sdmp
          Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegAsm.exe, 0000000C.00000002.508963267.0000000006520000.00000004.00000001.sdmp
          Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: RegAsm.exe, 0000000C.00000002.498724882.0000000002731000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\20014464370.PDF.exe, Code function: 4x nop then jmp 0311BC71h
Source: C:\Users\user\Desktop\20014464370.PDF.exe, Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h
Source: C:\Users\user\Desktop\20014464370.PDF.exe, Code function: 4x nop then jmp 05AD5DA4h
Source: C:\Users\user\Desktop\20014464370.PDF.exe, Code function: 4x nop then mov dword ptr [ebp-20h], 7FFFFFFFh
Source: C:\Users\user\Desktop\20014464370.PDF.exe, Code function: 4x nop then mov ecx, dword ptr [ebp-38h]
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe, Code function: 4x nop then lea esp, dword ptr [ebp-04h]
Source: C:\Users\user\AppData\Local\lkjhgfs.exe, Code function: 4x nop then jmp 0505BC71h
Source: C:\Users\user\AppData\Local\lkjhgfs.exe, Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h
Source: C:\Users\user\AppData\Local\lkjhgfs.exe, Code function: 4x nop then mov dword ptr [ebp-20h], 7FFFFFFFh
Source: C:\Users\user\AppData\Local\lkjhgfs.exe, Code function: 4x nop then mov ecx, dword ptr [ebp-38h]
Source: C:\Users\user\AppData\Local\lkjhgfs.exe, Code function: 4x nop then jmp 0291BC71h

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49730 -> 23.105.131.142:2092
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: startedhere.ddns.net
Source: Malware configuration extractor, URLs: 23.105.131.142
Source: global traffic, TCP traffic: 192.168.2.5:49730 -> 23.105.131.142:2092
Source: Joe Sandbox View, IP Address: 23.105.131.142
Source: Joe Sandbox View, ASN Name: LEASEWEB-USA-NYC-11US
Source: unknown, TCP traffic detected without corresponding DNS query: 23.105.131.142
Source: 20014464370.PDF.exe, String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: 20014464370.PDF.exe, String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: 20014464370.PDF.exe, String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: 20014464370.PDF.exe, String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: 20014464370.PDF.exe, String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: 20014464370.PDF.exe, String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: RegAsm.exe, 0000000C.00000002.508963267.0000000006520000.00000004.00000001.sdmp, String found in binary or memory: http://google.com
Source: 20014464370.PDF.exe, String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: 20014464370.PDF.exe, String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: 20014464370.PDF.exe, String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: 20014464370.PDF.exe, String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: 20014464370.PDF.exe, String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
Source: 20014464370.PDF.exe, String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: lkjhgfs.exe, AAAstarupxxzzzgb.exe, 20014464370.PDF.exe, String found in binary or memory: http://us1.unwiredlabs.com/v2/process.php
Source: RegAsm.exe, 0000000C.00000002.509338103.0000000006C1C000.00000004.00000001.sdmp, AAAstarupxxzzzgb.exe.12.dr, String found in binary or memory: http://us1.unwiredlabs.com/v2/process.php?application/json;
Source: 20014464370.PDF.exe, String found in binary or memory: https://www.globalsign.com/repository/0
Source: 20014464370.PDF.exe, String found in binary or memory: https://www.globalsign.com/repository/03
Source: 20014464370.PDF.exe, String found in binary or memory: https://www.globalsign.com/repository/06
Source: lkjhgfs.exe, 0000000F.00000002.486391031.0000000000E69000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: RegAsm.exe, 0000000C.00000002.504714336.000000000432F000.00000004.00000001.sdmp, Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match; file source: 00000017.00000000.484413891.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000001.00000002.342623985.00000000041FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000017.00000002.498671862.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 0000000C.00000002.508139093.0000000004F80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 0000000F.00000002.489565052.0000000003E8E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000011.00000002.504178420.0000000003C2E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 0000000C.00000000.340662970.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 0000000C.00000002.498724882.0000000002731000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 0000000C.00000000.339849220.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000017.00000002.493387609.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 0000000C.00000002.504714336.000000000432F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000017.00000002.498968741.0000000003DA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000011.00000002.504008398.0000000003B8F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000001.00000002.342734107.00000000042DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 0000000C.00000002.503817122.0000000003FFE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000017.00000000.485173449.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 0000000C.00000002.503247081.0000000003731000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 0000000F.00000002.487979449.0000000003D0E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 0000000C.00000002.493405932.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 0000000C.00000002.504360558.00000000041CE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 0000000F.00000002.488625589.0000000003DEF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000011.00000002.503763443.0000000003AAE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000001.00000002.342922605.000000000437C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: Process Memory Space: RegAsm.exe PID: 5612, type: MEMORY
Source: Yara match; file source: Process Memory Space: 20014464370.PDF.exe PID: 5480, type: MEMORY
Source: Yara match; file source: Process Memory Space: RegAsm.exe PID: 964, type: MEMORY
Source: Yara match; file source: Process Memory Space: lkjhgfs.exe PID: 5188, type: MEMORY
Source: Yara match; file source: Process Memory Space: lkjhgfs.exe PID: 1848, type: MEMORY
Source: Yara match; file source: 12.2.RegAsm.exe.4f80000.22.unpack, type: UNPACKEDPE
Source: Yara match; file source: 12.2.RegAsm.exe.41d3b98.12.unpack, type: UNPACKEDPE
Source: Yara match; file source: 1.2.20014464370.PDF.exe.432ca68.7.unpack, type: UNPACKEDPE
Source: Yara match; file source: 1.2.20014464370.PDF.exe.437ca88.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 12.2.RegAsm.exe.4334738.19.unpack, type: UNPACKEDPE
Source: Yara match; file source: 17.2.lkjhgfs.exe.3bb66a8.10.unpack, type: UNPACKEDPE
Source: Yara match; file source: 23.2.RegAsm.exe.3deff64.3.unpack, type: UNPACKEDPE
Source: Yara match; file source: 23.2.RegAsm.exe.3deb12e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 17.2.lkjhgfs.exe.3c2e6e8.12.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 23.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; file source: 1.2.20014464370.PDF.exe.437ca88.8.unpack, type: UNPACKEDPE
Source: Yara match; file source: 15.2.lkjhgfs.exe.3e8e6e8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 23.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 17.2.lkjhgfs.exe.3c2e6e8.12.unpack, type: UNPACKEDPE
Source: Yara match; file source: 1.2.20014464370.PDF.exe.4304a48.6.unpack, type: UNPACKEDPE
Source: Yara match; file source: 12.2.RegAsm.exe.41d81c1.13.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 23.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match; file source: 12.2.RegAsm.exe.377ff64.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 23.2.RegAsm.exe.3deff64.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 12.2.RegAsm.exe.4f84629.23.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 12.2.RegAsm.exe.4f80000.22.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 17.2.lkjhgfs.exe.3aae278.9.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 15.2.lkjhgfs.exe.3e8e6e8.10.unpack, type: UNPACKEDPE
Source: Yara match; file source: 15.2.lkjhgfs.exe.3e3e6c8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 12.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; file source: 17.2.lkjhgfs.exe.3bb66a8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 12.2.RegAsm.exe.41ced62.11.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 12.2.RegAsm.exe.378458d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 23.2.RegAsm.exe.3df458d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 12.2.RegAsm.exe.4338d61.18.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 15.2.lkjhgfs.exe.3e166a8.8.unpack, type: UNPACKEDPE
Source: Yara match; file source: 1.2.20014464370.PDF.exe.432ca68.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 15.2.lkjhgfs.exe.3e166a8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 15.2.lkjhgfs.exe.3e3e6c8.9.unpack, type: UNPACKEDPE
Source: Yara match; file source: 12.2.RegAsm.exe.377b12e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 1.2.20014464370.PDF.exe.41fc618.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 12.2.RegAsm.exe.377ff64.6.unpack, type: UNPACKEDPE
Source: Yara match; file source: 12.2.RegAsm.exe.41d3b98.12.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 12.2.RegAsm.exe.40b9625.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 12.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match; file source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 12.2.RegAsm.exe.432f902.17.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 17.2.lkjhgfs.exe.3bde6c8.11.unpack, type: UNPACKEDPE
Source: Yara match; file source: 17.2.lkjhgfs.exe.3bde6c8.11.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 12.2.RegAsm.exe.40ad3f1.9.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 12.2.RegAsm.exe.40cdc52.10.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 12.2.RegAsm.exe.4334738.19.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 15.2.lkjhgfs.exe.3d0e278.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 1.2.20014464370.PDF.exe.4304a48.6.raw.unpack, type: UNPACKEDPE
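The memory-dump identifiers in the list above encode where each Yara hit was found. The Python below is an added example for reading this report (it is not part of the sandbox output or of any vendor tooling): it decodes the identifiers and groups the hits by process, so that the executable image region at 0x402000 inside RegAsm.exe, where the injected PE sits, stands out from the ordinary read-write heap regions. The field layout "process.snapshot.id.base.protection.type.sdmp" is inferred from the identifiers on this page, not taken from documentation: the first two fields line up with the "process.snapshot.name" prefix of the UNPACKEDPE entries (0x0C = 12 and 0x17 = 23 are RegAsm.exe, 0x0F = 15 and 0x11 = 17 are lkjhgfs.exe, 0x01 = 1 is the sample), and the protection values 0x04 and 0x40 coincide with the Windows PAGE_READWRITE and PAGE_EXECUTE_READWRITE constants. The last field is left undecoded. The sample lines are copied from this report.

```python
"""Decode Joe Sandbox memory-dump identifiers from a Yara match list.

Added example for reading this report, not part of the sandbox output.
The field layout is inferred from the identifiers on this page (assumption):
  <proc>.<snap>.<id>.<base>.<prot>.<type>.sdmp
<proc>/<snap> line up with the '<proc>.<snap>.<name>' prefix of the UNPACKEDPE
entries; <prot> values 0x04 / 0x40 coincide with the Windows PAGE_READWRITE /
PAGE_EXECUTE_READWRITE constants. <type> is not decoded here.
"""
import re
from collections import defaultdict

# Windows memory protection constants (winnt.h); the execute variants occupy bits 4..7.
PAGE_PROTECTION = {
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
}
EXECUTE_MASK = 0xF0

DUMP_RE = re.compile(
    r"(?P<proc>[0-9A-Fa-f]{8})\.(?P<snap>[0-9A-Fa-f]{8})\.(?P<id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<type>[0-9A-Fa-f]{8})\.sdmp"
)
# '<proc>.<snap>.<image name>.' prefix of an unpacked-PE entry; the image name may
# itself contain dots (20014464370.PDF.exe), hence the non-greedy match up to '.exe'.
UNPACK_RE = re.compile(r"(?P<proc>\d+)\.(?P<snap>\d+)\.(?P<name>.+?\.exe)\.")

# Lines copied from this report (constructed subset for the example).
REPORT_LINES = [
    "Source: Yara match File source: 00000017.00000000.484413891.0000000000402000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000001.00000002.342623985.00000000041FC000.00000004.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 0000000C.00000002.508139093.0000000004F80000.00000004.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 0000000C.00000000.340662970.0000000000402000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 0000000F.00000002.489565052.0000000003E8E000.00000004.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 12.2.RegAsm.exe.4f80000.22.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 1.2.20014464370.PDF.exe.432ca68.7.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 23.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 15.2.lkjhgfs.exe.3e8e6e8.10.raw.unpack, type: UNPACKEDPE",
]


def parse_dump_id(text):
    """Return the decoded fields of the first .sdmp identifier in text, or None."""
    m = DUMP_RE.search(text)
    if not m:
        return None
    prot = int(m["prot"], 16)
    return {
        "process": int(m["proc"], 16),    # hex process index: 0000000C -> 12
        "snapshot": int(m["snap"], 16),   # snapshot index (this page shows 0 and 2)
        "base": int(m["base"], 16),       # region base address
        "protection": PAGE_PROTECTION.get(prot, f"0x{prot:02x}"),
        "executable": bool(prot & EXECUTE_MASK),
    }


def process_names(lines):
    """Map process index -> image name using the UNPACKEDPE entries."""
    names = {}
    for line in lines:
        if "UNPACKEDPE" not in line:
            continue
        m = UNPACK_RE.search(line)
        if m:
            names[int(m["proc"])] = m["name"]
    return names


def summarize(lines):
    """Group matched memory regions by process; list executable regions separately.

    Executable (PAGE_EXECUTE_*) regions that Yara flags as NanoCore are the injected
    image itself; read-write hits are usually decrypted config or plugin buffers.
    """
    names = process_names(lines)
    summary = defaultdict(lambda: {"name": "unknown", "regions": [], "rwx_regions": []})
    for line in lines:
        d = parse_dump_id(line)
        if d is None:
            continue
        entry = summary[d["process"]]
        entry["name"] = names.get(d["process"], "unknown")
        entry["regions"].append((d["snapshot"], d["base"], d["protection"]))
        if d["executable"]:
            entry["rwx_regions"].append(d["base"])
    return dict(summary)


if __name__ == "__main__":
    for proc, entry in sorted(summarize(REPORT_LINES).items()):
        flag = " <-- executable NanoCore region" if entry["rwx_regions"] else ""
        print(f"process {proc} ({entry['name']}):{flag}")
        for snap, base, prot in entry["regions"]:
            print(f"  snapshot {snap} base 0x{base:08x} {prot}")
```

Running it on the full list above shows every executable hit at 0x402000 in processes 12, 17 and 23 (all RegAsm.exe, including the snapshot-0 dumps taken before the process ran), which is what the "Injects a PE file into a foreign processes" signature in the overview refers to; the lkjhgfs.exe and sample-process hits are all in read-write regions.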

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000C.00000002.508404585.0000000005220000.00000004.00000001.sdmp, type: MEMORY; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 0000000C.00000002.509028437.0000000006560000.00000004.00000001.sdmp, type: MEMORY; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 00000017.00000000.484413891.0000000000402000.00000040.00000001.sdmp, type: MEMORY; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 00000017.00000000.484413891.0000000000402000.00000040.00000001.sdmp, type: MEMORY; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.342623985.00000000041FC000.00000004.00000001.sdmp, type: MEMORY; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 00000001.00000002.342623985.00000000041FC000.00000004.00000001.sdmp, type: MEMORY; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.508963267.0000000006520000.00000004.00000001.sdmp, type: MEMORY; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 0000000C.00000002.508342634.00000000051F0000.00000004.00000001.sdmp, type: MEMORY; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 0000000C.00000002.508356430.0000000005200000.00000004.00000001.sdmp, type: MEMORY; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 00000017.00000002.498671862.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.508139093.0000000004F80000.00000004.00000001.sdmp, type: MEMORY; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 0000000F.00000002.489565052.0000000003E8E000.00000004.00000001.sdmp, type: MEMORY; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 0000000F.00000002.489565052.0000000003E8E000.00000004.00000001.sdmp, type: MEMORY; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000002.499016642.00000000029A0000.00000004.00000001.sdmp, type: MEMORY; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 00000011.00000002.499016642.00000000029A0000.00000004.00000001.sdmp, type: MEMORY; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000002.504178420.0000000003C2E000.00000004.00000001.sdmp, type: MEMORY; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 00000011.00000002.504178420.0000000003C2E000.00000004.00000001.sdmp, type: MEMORY; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.486837759.0000000002C00000.00000004.00000001.sdmp, type: MEMORY; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 0000000F.00000002.486837759.0000000002C00000.00000004.00000001.sdmp, type: MEMORY; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000000.340662970.0000000000402000.00000040.00000001.sdmp, type: MEMORY; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 0000000C.00000000.340662970.0000000000402000.00000040.00000001.sdmp, type: MEMORY; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.498724882.0000000002731000.00000004.00000001.sdmp, type: MEMORY; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000000.339849220.0000000000402000.00000040.00000001.sdmp, type: MEMORY; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 0000000C.00000000.339849220.0000000000402000.00000040.00000001.sdmp, type: MEMORY; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 00000017.00000002.493387609.0000000000402000.00000040.00000001.sdmp, type: MEMORY; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 00000017.00000002.493387609.0000000000402000.00000040.00000001.sdmp, type: MEMORY; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.508978041.0000000006530000.00000004.00000001.sdmp, type: MEMORY; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 0000000C.00000002.508467673.0000000005250000.00000004.00000001.sdmp, type: MEMORY; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 0000000C.00000002.504714336.000000000432F000.00000004.00000001.sdmp, type: MEMORY; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 00000017.00000002.498968741.0000000003DA9000.00000004.00000001.sdmp, type: MEMORY; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.508108370.0000000004F70000.00000004.00000001.sdmp, type: MEMORY; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 0000000C.00000002.509043380.0000000006570000.00000004.00000001.sdmp, type: MEMORY; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 00000011.00000002.504008398.0000000003B8F000.00000004.00000001.sdmp, type: MEMORY; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 00000011.00000002.504008398.0000000003B8F000.00000004.00000001.sdmp, type: MEMORY; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.342734107.00000000042DD000.00000004.00000001.sdmp, type: MEMORY; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 00000001.00000002.342734107.00000000042DD000.00000004.00000001.sdmp, type: MEMORY; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.503817122.0000000003FFE000.00000004.00000001.sdmp, type: MEMORY; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.508990820.0000000006540000.00000004.00000001.sdmp, type: MEMORY; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 00000017.00000000.485173449.0000000000402000.00000040.00000001.sdmp, type: MEMORY; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 00000017.00000000.485173449.0000000000402000.00000040.00000001.sdmp, type: MEMORY; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.503247081.0000000003731000.00000004.00000001.sdmp, type: MEMORY; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.508451814.0000000005240000.00000004.00000001.sdmp, type: MEMORY; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 0000000F.00000002.487979449.0000000003D0E000.00000004.00000001.sdmp, type: MEMORY; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 0000000F.00000002.487979449.0000000003D0E000.00000004.00000001.sdmp, type: MEMORY; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.493405932.0000000000402000.00000040.00000001.sdmp, type: MEMORY; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 0000000C.00000002.493405932.0000000000402000.00000040.00000001.sdmp, type: MEMORY; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.508629806.0000000005C10000.00000004.00000001.sdmp, type: MEMORY; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 0000000C.00000002.504360558.00000000041CE000.00000004.00000001.sdmp, type: MEMORY; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.488625589.0000000003DEF000.00000004.00000001.sdmp, type: MEMORY; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 0000000F.00000002.488625589.0000000003DEF000.00000004.00000001.sdmp, type: MEMORY; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.509088108.00000000065B0000.00000004.00000001.sdmp, type: MEMORY; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 00000011.00000002.503763443.0000000003AAE000.00000004.00000001.sdmp, type: MEMORY; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 00000011.00000002.503763443.0000000003AAE000.00000004.00000001.sdmp, type: MEMORY; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.342922605.000000000437C000.00000004.00000001.sdmp, type: MEMORY; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 00000001.00000002.342922605.000000000437C000.00000004.00000001.sdmp, type: MEMORY; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.504504197.0000000004244000.00000004.00000001.sdmp, type: MEMORY; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegAsm.exe PID: 5612, type: MEMORY; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: Process Memory Space: RegAsm.exe PID: 5612, type: MEMORY; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: 20014464370.PDF.exe PID: 5480, type: MEMORY; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: Process Memory Space: 20014464370.PDF.exe PID: 5480, type: MEMORY; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegAsm.exe PID: 964, type: MEMORY; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: Process Memory Space: RegAsm.exe PID: 964, type: MEMORY; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: lkjhgfs.exe PID: 5188, type: MEMORY; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: Process Memory Space: lkjhgfs.exe PID: 5188, type: MEMORY; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: lkjhgfs.exe PID: 1848, type: MEMORY; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: Process Memory Space: lkjhgfs.exe PID: 1848, type: MEMORY; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.RegAsm.exe.6560000.35.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 12.2.RegAsm.exe.4f80000.22.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 12.2.RegAsm.exe.42a943e.15.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 12.2.RegAsm.exe.65b0000.39.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 12.2.RegAsm.exe.41d3b98.12.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 1.2.20014464370.PDF.exe.432ca68.7.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 1.2.20014464370.PDF.exe.432ca68.7.unpack, type: UNPACKEDPE; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.20014464370.PDF.exe.437ca88.8.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 1.2.20014464370.PDF.exe.437ca88.8.raw.unpack, type: UNPACKEDPE; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.RegAsm.exe.6570000.38.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 15.2.lkjhgfs.exe.2ca980c.1.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 15.2.lkjhgfs.exe.2ca980c.1.unpack, type: UNPACKEDPE; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.RegAsm.exe.65b0000.39.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 12.2.RegAsm.exe.4334738.19.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 17.2.lkjhgfs.exe.3bb66a8.10.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 17.2.lkjhgfs.exe.3bb66a8.10.unpack, type: UNPACKEDPE; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.RegAsm.exe.27b4d94.4.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 12.2.RegAsm.exe.6530000.33.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 23.2.RegAsm.exe.3deff64.3.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 12.2.RegAsm.exe.40b9625.8.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 23.2.RegAsm.exe.3deb12e.5.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 23.2.RegAsm.exe.3deb12e.5.raw.unpack, type: UNPACKEDPE; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.RegAsm.exe.5200000.26.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 12.2.RegAsm.exe.5220000.27.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 12.2.RegAsm.exe.42b786e.16.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 12.2.RegAsm.exe.27c0fdc.2.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 12.2.RegAsm.exe.5250000.29.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 17.2.lkjhgfs.exe.3c2e6e8.12.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 17.2.lkjhgfs.exe.3c2e6e8.12.raw.unpack, type: UNPACKEDPE; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 23.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 23.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.RegAsm.exe.5240000.28.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 12.2.RegAsm.exe.4f70000.21.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 1.2.20014464370.PDF.exe.437ca88.8.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 1.2.20014464370.PDF.exe.437ca88.8.unpack, type: UNPACKEDPE; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.lkjhgfs.exe.3e8e6e8.10.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 15.2.lkjhgfs.exe.3e8e6e8.10.raw.unpack, type: UNPACKEDPE; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 23.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 23.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.lkjhgfs.exe.3c2e6e8.12.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 17.2.lkjhgfs.exe.3c2e6e8.12.unpack, type: UNPACKEDPE; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.RegAsm.exe.42a943e.15.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 1.2.20014464370.PDF.exe.4304a48.6.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 1.2.20014464370.PDF.exe.4304a48.6.unpack, type: UNPACKEDPE; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.RegAsm.exe.41d81c1.13.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 12.2.RegAsm.exe.41d81c1.13.raw.unpack, type: UNPACKEDPE; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.RegAsm.exe.40ad3f1.9.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 12.2.RegAsm.exe.6540000.34.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 23.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 23.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPE; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.RegAsm.exe.377ff64.6.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 23.2.RegAsm.exe.3deff64.3.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 12.2.RegAsm.exe.27b4d94.4.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 12.2.RegAsm.exe.27b4d94.4.raw.unpack, type: UNPACKEDPE; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.RegAsm.exe.4f84629.23.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 12.2.RegAsm.exe.4f80000.22.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 12.2.RegAsm.exe.5200000.26.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 17.2.lkjhgfs.exe.3aae278.9.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 17.2.lkjhgfs.exe.3aae278.9.raw.unpack, type: UNPACKEDPE; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.lkjhgfs.exe.3e8e6e8.10.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 15.2.lkjhgfs.exe.3e8e6e8.10.unpack, type: UNPACKEDPE; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.lkjhgfs.exe.3e3e6c8.9.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 15.2.lkjhgfs.exe.3e3e6c8.9.raw.unpack, type: UNPACKEDPE; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 12.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 17.2.lkjhgfs.exe.3bb66a8.10.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 12.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.lkjhgfs.exe.3bb66a8.10.raw.unpack, type: UNPACKEDPE; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 23.2.RegAsm.exe.2e09670.2.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 12.2.RegAsm.exe.6520000.32.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 12.2.RegAsm.exe.6560000.35.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 12.2.RegAsm.exe.41ced62.11.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 12.2.RegAsm.exe.41ced62.11.raw.unpack, type: UNPACKEDPE; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.RegAsm.exe.378458d.7.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 12.2.RegAsm.exe.42b786e.16.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 12.2.RegAsm.exe.6540000.34.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 23.2.RegAsm.exe.3df458d.4.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 12.2.RegAsm.exe.4338d61.18.raw.unpack, type: UNPACKEDPE; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.RegAsm.exe.51f0000.25.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 15.2.lkjhgfs.exe.3e166a8.8.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 15.2.lkjhgfs.exe.3e166a8.8.unpack, type: UNPACKEDPE; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.20014464370.PDF.exe.432ca68.7.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 1.2.20014464370.PDF.exe.432ca68.7.raw.unpack, type: UNPACKEDPE; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.RegAsm.exe.6570000.38.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 12.2.RegAsm.exe.5250000.29.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 12.2.RegAsm.exe.6520000.32.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 12.2.RegAsm.exe.51f0000.25.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 12.2.RegAsm.exe.42a060f.14.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 12.2.RegAsm.exe.42a060f.14.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 12.2.RegAsm.exe.42a060f.14.raw.unpack, type: UNPACKEDPE; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.RegAsm.exe.6574c9f.36.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 15.2.lkjhgfs.exe.3e166a8.8.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 15.2.lkjhgfs.exe.3e166a8.8.raw.unpack, type: UNPACKEDPE; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.lkjhgfs.exe.3e3e6c8.9.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 15.2.lkjhgfs.exe.3e3e6c8.9.unpack, type: UNPACKEDPE; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.RegAsm.exe.6530000.33.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 12.2.RegAsm.exe.377b12e.5.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 12.2.RegAsm.exe.377b12e.5.raw.unpack, type: UNPACKEDPE; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.20014464370.PDF.exe.41fc618.5.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 1.2.20014464370.PDF.exe.41fc618.5.raw.unpack, type: UNPACKEDPE; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.RegAsm.exe.27c0fdc.2.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 12.2.RegAsm.exe.27c0fdc.2.raw.unpack, type: UNPACKEDPE; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.RegAsm.exe.377ff64.6.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 12.2.RegAsm.exe.41d3b98.12.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 17.2.lkjhgfs.exe.2c7570c.3.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 12.2.RegAsm.exe.40b9625.8.raw.unpack, type: UNPACKEDPE; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 12.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 12.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPE; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.RegAsm.exe.657e8a4.37.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 17.2.lkjhgfs.exe.2c7570c.3.raw.unpack, type: UNPACKEDPE; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.RegAsm.exe.41d3b98.12.raw.unpack, type: UNPACKEDPE; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.RegAsm.exe.432f902.17.raw.unpack, type: UNPACKEDPE; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.lkjhgfs.exe.3bde6c8.11.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT, author: Florian Roth
Source: 17.2.lkjhgfs.exe.3bde6c8.11.unpack, type: UNPACKEDPE; matched rule: NanoCore, author: Kevin Breen <kevin@techanarchy.net>
          Source: 12.2.RegAsm.exe.5c10000.31.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 12.2.RegAsm.exe.5240000.28.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 17.2.lkjhgfs.exe.3bde6c8.11.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 17.2.lkjhgfs.exe.3bde6c8.11.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 12.2.RegAsm.exe.40ad3f1.9.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 12.2.RegAsm.exe.40cdc52.10.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 1.2.20014464370.PDF.exe.4304a48.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 12.2.RegAsm.exe.40cdc52.10.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 12.2.RegAsm.exe.4334738.19.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 17.2.lkjhgfs.exe.2c7570c.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 17.2.lkjhgfs.exe.2c7570c.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 15.2.lkjhgfs.exe.3d0e278.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 15.2.lkjhgfs.exe.3d0e278.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 1.2.20014464370.PDF.exe.4304a48.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 12.2.RegAsm.exe.275cabc.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 15.2.lkjhgfs.exe.2ca980c.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 15.2.lkjhgfs.exe.2ca980c.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Initial sample is a PE file and has a suspicious name
          Source: initial sample | Static PE information: Filename: 20014464370.PDF.exe
          Source: C:\Users\user\Desktop\20014464370.PDF.exe | Process Stats: CPU usage > 98%
          Source: C:\Users\user\Desktop\20014464370.PDF.exe | Code function: 1_2_015F3338
          Source: C:\Users\user\Desktop\20014464370.PDF.exe | Code function: 1_2_015F3328
          Source: C:\Users\user\Desktop\20014464370.PDF.exe | Code function: 1_2_0311BDF8
          Source: C:\Users\user\Desktop\20014464370.PDF.exe | Code function: 1_2_03111973
          Source: C:\Users\user\Desktop\20014464370.PDF.exe | Code function: 1_2_03111980
          Source: C:\Users\user\Desktop\20014464370.PDF.exe | Code function: 1_2_05AD5630
          Source: C:\Users\user\Desktop\20014464370.PDF.exe | Code function: 1_2_05AD7430
          Source: C:\Users\user\Desktop\20014464370.PDF.exe | Code function: 1_2_05AD0006
          Source: C:\Users\user\Desktop\20014464370.PDF.exe | Code function: 1_2_05AD0040
          Source: C:\Users\user\Desktop\20014464370.PDF.exe | Code function: 1_2_05AD7390
          Source: C:\Users\user\Desktop\20014464370.PDF.exe | Code function: 1_2_05AD73EB
          Source: C:\Users\user\Desktop\20014464370.PDF.exe | Code function: 1_2_05AD4F09
          Source: C:\Users\user\Desktop\20014464370.PDF.exe | Code function: 1_2_05AD4F18
          Source: C:\Users\user\Desktop\20014464370.PDF.exe | Code function: 1_2_05AD5621
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 12_2_00443DFE
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 12_2_065C1800
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 12_2_065B46D3
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 12_2_065C36F0
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 12_2_065B42EB
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 12_2_065B3324
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 12_2_04C1E480
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 12_2_04C1E471
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 12_2_04C1BBD4
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 12_2_05C0E770
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 12_2_05C071D8
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 12_2_05C08048
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 12_2_05C0F388
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 12_2_05C0F446
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 12_2_05C08106
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 12_2_05C08928
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 12_2_06AA0F70
          Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Code function: 15_2_011F3338
          Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Code function: 15_2_011F3328
          Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Code function: 15_2_011F37E8
          Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Code function: 15_2_0505BDF8
          Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Code function: 15_2_05051972
          Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Code function: 15_2_05051980
          Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Code function: 15_2_05335630
          Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Code function: 15_2_05330006
          Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Code function: 15_2_05330040
          Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Code function: 15_2_05337320
          Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Code function: 15_2_05334F18
          Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Code function: 15_2_05334F09
          Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Code function: 15_2_05334BCA
          Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Code function: 15_2_05335621
          Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Code function: 15_2_05337280
          Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Code function: 17_2_01033328
          Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Code function: 17_2_01033338
          Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Code function: 17_2_0291BDF8
          Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Code function: 17_2_02911980
          Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Code function: 17_2_02911972
          Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Code function: 17_2_050A5630
          Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Code function: 17_2_050A0006
          Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Code function: 17_2_050A0040
          Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Code function: 17_2_050A731B
          Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Code function: 17_2_050A4F18
          Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Code function: 17_2_050A4F17
          Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Code function: 17_2_050A7320
          Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Code function: 17_2_050A562F
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 23_2_00A43DFE
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 23_2_0530F5F8
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 23_2_05309788
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 23_2_0530A580
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 23_2_0530A5D0
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 23_2_05593E30
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 23_2_05594A50
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 23_2_05594B08
          Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\RegAsm.exe FFE4480CCC81B061F725C54587E9D1BA96547D27FE28083305D75796F2EB3E74
          Source: 20014464370.PDF.exe | Static PE information: invalid certificate
          Source: 20014464370.PDF.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: lkjhgfs.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: AAAstarupxxzzzgb.exe.12.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: AAAstarupxxzzzgb.exe.12.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: 20014464370.PDF.exe, 00000001.00000002.341134518.0000000000E98000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameaanjkcxzs.exe@ vs 20014464370.PDF.exe
          Source: 20014464370.PDF.exe, 00000001.00000002.342623985.00000000041FC000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWzyjcirkq.dll" vs 20014464370.PDF.exe
          Source: 20014464370.PDF.exe, 00000001.00000002.345363634.00000000058A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs 20014464370.PDF.exe
          Source: 20014464370.PDF.exe, 00000001.00000002.341859487.0000000003161000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs 20014464370.PDF.exe
          Source: 20014464370.PDF.exe, 00000001.00000002.345151540.00000000057D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs 20014464370.PDF.exe
          Source: 20014464370.PDF.exe, 00000001.00000002.341830594.0000000003140000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs 20014464370.PDF.exe
          Source: 20014464370.PDF.exe, 00000001.00000002.341818310.0000000003120000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dllj% vs 20014464370.PDF.exe
          Source: 20014464370.PDF.exe | Binary or memory string: OriginalFilenameaanjkcxzs.exe@ vs 20014464370.PDF.exe
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Section loaded: sfc.dll
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Section loaded: sfc.dll
          Source: 20014464370.PDF.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
          Source: 0000000C.00000002.508404585.0000000005220000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 | date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000C.00000002.508404585.0000000005220000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 | date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0000000C.00000002.509028437.0000000006560000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 | date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000C.00000002.509028437.0000000006560000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 | date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000017.00000000.484413891.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 | date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000017.00000000.484413891.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000001.00000002.342623985.00000000041FC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 | date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000001.00000002.342623985.00000000041FC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000000C.00000002.508963267.0000000006520000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 | date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000C.00000002.508963267.0000000006520000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 | date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0000000C.00000002.508342634.00000000051F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 | date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000C.00000002.508342634.00000000051F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 | date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0000000C.00000002.508356430.0000000005200000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 | date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000C.00000002.508356430.0000000005200000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 | date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000017.00000002.498671862.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000000C.00000002.508139093.0000000004F80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 | date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000C.00000002.508139093.0000000004F80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 | date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0000000F.00000002.489565052.0000000003E8E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 | date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000F.00000002.489565052.0000000003E8E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000011.00000002.499016642.00000000029A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 | date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000011.00000002.499016642.00000000029A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000011.00000002.504178420.0000000003C2E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 | date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000011.00000002.504178420.0000000003C2E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000000F.00000002.486837759.0000000002C00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 | date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000F.00000002.486837759.0000000002C00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000000C.00000000.340662970.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 | date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000C.00000000.340662970.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000000C.00000002.498724882.0000000002731000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000000C.00000000.339849220.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 | date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000C.00000000.339849220.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000017.00000002.493387609.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 | date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000017.00000002.493387609.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000000C.00000002.508978041.0000000006530000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 | date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000C.00000002.508978041.0000000006530000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 | date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0000000C.00000002.508467673.0000000005250000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 | date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000C.00000002.508467673.0000000005250000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 | date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0000000C.00000002.504714336.000000000432F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000017.00000002.498968741.0000000003DA9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000000C.00000002.508108370.0000000004F70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 | date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000C.00000002.508108370.0000000004F70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 | date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0000000C.00000002.509043380.0000000006570000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 | date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000C.00000002.509043380.0000000006570000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 | date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000011.00000002.504008398.0000000003B8F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 | date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000011.00000002.504008398.0000000003B8F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000001.00000002.342734107.00000000042DD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 | date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000001.00000002.342734107.00000000042DD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000000C.00000002.503817122.0000000003FFE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000000C.00000002.508990820.0000000006540000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 | date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000C.00000002.508990820.0000000006540000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 | date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000017.00000000.485173449.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 | date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000017.00000000.485173449.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000000C.00000002.503247081.0000000003731000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000000C.00000002.508451814.0000000005240000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 | date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000C.00000002.508451814.0000000005240000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 | date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0000000F.00000002.487979449.0000000003D0E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 | date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000F.00000002.487979449.0000000003D0E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000000C.00000002.493405932.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 | date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000C.00000002.493405932.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000000C.00000002.508629806.0000000005C10000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 | date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000C.00000002.508629806.0000000005C10000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0000000C.00000002.504360558.00000000041CE000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000000F.00000002.488625589.0000000003DEF000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000F.00000002.488625589.0000000003DEF000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000000C.00000002.509088108.00000000065B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000C.00000002.509088108.00000000065B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000011.00000002.503763443.0000000003AAE000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000011.00000002.503763443.0000000003AAE000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000001.00000002.342922605.000000000437C000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000001.00000002.342922605.000000000437C000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000000C.00000002.504504197.0000000004244000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: RegAsm.exe PID: 5612, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: RegAsm.exe PID: 5612, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: 20014464370.PDF.exe PID: 5480, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: 20014464370.PDF.exe PID: 5480, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: RegAsm.exe PID: 964, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: RegAsm.exe PID: 964, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: lkjhgfs.exe PID: 5188, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: lkjhgfs.exe PID: 5188, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: lkjhgfs.exe PID: 1848, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: lkjhgfs.exe PID: 1848, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 12.2.RegAsm.exe.6560000.35.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.2.RegAsm.exe.6560000.35.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 12.2.RegAsm.exe.4f80000.22.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.2.RegAsm.exe.4f80000.22.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 12.2.RegAsm.exe.42a943e.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.2.RegAsm.exe.42a943e.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 12.2.RegAsm.exe.65b0000.39.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.2.RegAsm.exe.65b0000.39.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 12.2.RegAsm.exe.41d3b98.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.2.RegAsm.exe.41d3b98.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 1.2.20014464370.PDF.exe.432ca68.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 1.2.20014464370.PDF.exe.432ca68.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 1.2.20014464370.PDF.exe.432ca68.7.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 1.2.20014464370.PDF.exe.437ca88.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 1.2.20014464370.PDF.exe.437ca88.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 1.2.20014464370.PDF.exe.437ca88.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 12.2.RegAsm.exe.6570000.38.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.2.RegAsm.exe.6570000.38.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 15.2.lkjhgfs.exe.2ca980c.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 15.2.lkjhgfs.exe.2ca980c.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 15.2.lkjhgfs.exe.2ca980c.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 12.2.RegAsm.exe.65b0000.39.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.2.RegAsm.exe.65b0000.39.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 12.2.RegAsm.exe.4334738.19.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.2.RegAsm.exe.4334738.19.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 17.2.lkjhgfs.exe.3bb66a8.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 17.2.lkjhgfs.exe.3bb66a8.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 17.2.lkjhgfs.exe.3bb66a8.10.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 12.2.RegAsm.exe.27b4d94.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.2.RegAsm.exe.27b4d94.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 12.2.RegAsm.exe.6530000.33.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.2.RegAsm.exe.6530000.33.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 23.2.RegAsm.exe.3deff64.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 23.2.RegAsm.exe.3deff64.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 12.2.RegAsm.exe.40b9625.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.2.RegAsm.exe.40b9625.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 23.2.RegAsm.exe.3deb12e.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 23.2.RegAsm.exe.3deb12e.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 23.2.RegAsm.exe.3deb12e.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 12.2.RegAsm.exe.5200000.26.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.2.RegAsm.exe.5200000.26.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 12.2.RegAsm.exe.5220000.27.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.2.RegAsm.exe.5220000.27.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 12.2.RegAsm.exe.42b786e.16.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.2.RegAsm.exe.42b786e.16.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 12.2.RegAsm.exe.27c0fdc.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.2.RegAsm.exe.27c0fdc.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 12.2.RegAsm.exe.5250000.29.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.2.RegAsm.exe.5250000.29.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 17.2.lkjhgfs.exe.3c2e6e8.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 17.2.lkjhgfs.exe.3c2e6e8.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 17.2.lkjhgfs.exe.3c2e6e8.12.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 23.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 23.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 23.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 12.2.RegAsm.exe.5240000.28.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.2.RegAsm.exe.5240000.28.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 12.2.RegAsm.exe.4f70000.21.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.2.RegAsm.exe.4f70000.21.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 1.2.20014464370.PDF.exe.437ca88.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 1.2.20014464370.PDF.exe.437ca88.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 1.2.20014464370.PDF.exe.437ca88.8.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 15.2.lkjhgfs.exe.3e8e6e8.10.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 15.2.lkjhgfs.exe.3e8e6e8.10.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 15.2.lkjhgfs.exe.3e8e6e8.10.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 23.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 23.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 23.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 17.2.lkjhgfs.exe.3c2e6e8.12.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 17.2.lkjhgfs.exe.3c2e6e8.12.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 17.2.lkjhgfs.exe.3c2e6e8.12.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 12.2.RegAsm.exe.42a943e.15.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.2.RegAsm.exe.42a943e.15.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 1.2.20014464370.PDF.exe.4304a48.6.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 1.2.20014464370.PDF.exe.4304a48.6.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 1.2.20014464370.PDF.exe.4304a48.6.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 12.2.RegAsm.exe.41d81c1.13.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.2.RegAsm.exe.41d81c1.13.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 12.2.RegAsm.exe.41d81c1.13.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 12.2.RegAsm.exe.40ad3f1.9.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.2.RegAsm.exe.40ad3f1.9.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 12.2.RegAsm.exe.6540000.34.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.2.RegAsm.exe.6540000.34.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 23.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 23.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 23.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 12.2.RegAsm.exe.377ff64.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.2.RegAsm.exe.377ff64.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 23.2.RegAsm.exe.3deff64.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 23.2.RegAsm.exe.3deff64.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 12.2.RegAsm.exe.27b4d94.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.2.RegAsm.exe.27b4d94.4.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 12.2.RegAsm.exe.4f84629.23.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.2.RegAsm.exe.4f84629.23.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 12.2.RegAsm.exe.4f80000.22.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.2.RegAsm.exe.4f80000.22.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 12.2.RegAsm.exe.5200000.26.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.2.RegAsm.exe.5200000.26.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 17.2.lkjhgfs.exe.3aae278.9.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 17.2.lkjhgfs.exe.3aae278.9.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 15.2.lkjhgfs.exe.3e8e6e8.10.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 15.2.lkjhgfs.exe.3e8e6e8.10.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 15.2.lkjhgfs.exe.3e8e6e8.10.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 15.2.lkjhgfs.exe.3e3e6c8.9.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 15.2.lkjhgfs.exe.3e3e6c8.9.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 15.2.lkjhgfs.exe.3e3e6c8.9.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 12.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 17.2.lkjhgfs.exe.3bb66a8.10.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 17.2.lkjhgfs.exe.3bb66a8.10.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 12.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 17.2.lkjhgfs.exe.3bb66a8.10.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 23.2.RegAsm.exe.2e09670.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 23.2.RegAsm.exe.2e09670.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 12.2.RegAsm.exe.6520000.32.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.2.RegAsm.exe.6520000.32.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 12.2.RegAsm.exe.6560000.35.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.2.RegAsm.exe.6560000.35.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 12.2.RegAsm.exe.41ced62.11.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.2.RegAsm.exe.41ced62.11.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 12.2.RegAsm.exe.41ced62.11.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 12.2.RegAsm.exe.378458d.7.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.2.RegAsm.exe.378458d.7.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 12.2.RegAsm.exe.42b786e.16.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.2.RegAsm.exe.42b786e.16.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 12.2.RegAsm.exe.6540000.34.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.2.RegAsm.exe.6540000.34.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 23.2.RegAsm.exe.3df458d.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 23.2.RegAsm.exe.3df458d.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 12.2.RegAsm.exe.4338d61.18.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 12.2.RegAsm.exe.51f0000.25.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.2.RegAsm.exe.51f0000.25.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 15.2.lkjhgfs.exe.3e166a8.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 15.2.lkjhgfs.exe.3e166a8.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 15.2.lkjhgfs.exe.3e166a8.8.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 1.2.20014464370.PDF.exe.432ca68.7.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 1.2.20014464370.PDF.exe.432ca68.7.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 1.2.20014464370.PDF.exe.432ca68.7.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 12.2.RegAsm.exe.6570000.38.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.2.RegAsm.exe.6570000.38.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 12.2.RegAsm.exe.5250000.29.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.2.RegAsm.exe.5250000.29.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 12.2.RegAsm.exe.6520000.32.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.2.RegAsm.exe.6520000.32.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 12.2.RegAsm.exe.51f0000.25.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.2.RegAsm.exe.51f0000.25.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 12.2.RegAsm.exe.42a060f.14.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.2.RegAsm.exe.42a060f.14.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 12.2.RegAsm.exe.42a060f.14.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.2.RegAsm.exe.42a060f.14.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 12.2.RegAsm.exe.42a060f.14.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 12.2.RegAsm.exe.6574c9f.36.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.2.RegAsm.exe.6574c9f.36.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 15.2.lkjhgfs.exe.3e166a8.8.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 15.2.lkjhgfs.exe.3e166a8.8.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 15.2.lkjhgfs.exe.3e166a8.8.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 15.2.lkjhgfs.exe.3e3e6c8.9.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 15.2.lkjhgfs.exe.3e3e6c8.9.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 15.2.lkjhgfs.exe.3e3e6c8.9.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 12.2.RegAsm.exe.6530000.33.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.2.RegAsm.exe.6530000.33.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 12.2.RegAsm.exe.377b12e.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.2.RegAsm.exe.377b12e.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 12.2.RegAsm.exe.377b12e.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 1.2.20014464370.PDF.exe.41fc618.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 1.2.20014464370.PDF.exe.41fc618.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 12.2.RegAsm.exe.27c0fdc.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.2.RegAsm.exe.27c0fdc.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 12.2.RegAsm.exe.377ff64.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.2.RegAsm.exe.377ff64.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 12.2.RegAsm.exe.41d3b98.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.2.RegAsm.exe.41d3b98.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 17.2.lkjhgfs.exe.2c7570c.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.2.RegAsm.exe.40b9625.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 12.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 12.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 12.2.RegAsm.exe.657e8a4.37.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.2.RegAsm.exe.657e8a4.37.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 17.2.lkjhgfs.exe.2c7570c.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 17.2.lkjhgfs.exe.2c7570c.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 12.2.RegAsm.exe.41d3b98.12.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 12.2.RegAsm.exe.432f902.17.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 17.2.lkjhgfs.exe.3bde6c8.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 17.2.lkjhgfs.exe.3bde6c8.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 17.2.lkjhgfs.exe.3bde6c8.11.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 12.2.RegAsm.exe.5c10000.31.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.2.RegAsm.exe.5c10000.31.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 12.2.RegAsm.exe.5240000.28.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.2.RegAsm.exe.5240000.28.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 17.2.lkjhgfs.exe.3bde6c8.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 17.2.lkjhgfs.exe.3bde6c8.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 17.2.lkjhgfs.exe.3bde6c8.11.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 12.2.RegAsm.exe.40ad3f1.9.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 12.2.RegAsm.exe.40cdc52.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 1.2.20014464370.PDF.exe.4304a48.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 12.2.RegAsm.exe.40cdc52.10.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 12.2.RegAsm.exe.4334738.19.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 17.2.lkjhgfs.exe.2c7570c.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 17.2.lkjhgfs.exe.2c7570c.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 17.2.lkjhgfs.exe.2c7570c.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 15.2.lkjhgfs.exe.3d0e278.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 1.2.20014464370.PDF.exe.4304a48.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 15.2.lkjhgfs.exe.3d0e278.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 1.2.20014464370.PDF.exe.4304a48.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 12.2.RegAsm.exe.275cabc.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 15.2.lkjhgfs.exe.2ca980c.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 15.2.lkjhgfs.exe.2ca980c.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 20014464370.PDF.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: lkjhgfs.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: AAAstarupxxzzzgb.exe.12.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: 12.0.RegAsm.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 12.0.RegAsm.exe.400000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
          Source: 12.0.RegAsm.exe.400000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
          Source: 12.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 12.2.RegAsm.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
          Source: 12.2.RegAsm.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
          Source: 12.0.RegAsm.exe.400000.3.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
          Source: 12.0.RegAsm.exe.400000.3.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
          Source: 12.0.RegAsm.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 12.0.RegAsm.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 12.0.RegAsm.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 12.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 12.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 12.0.RegAsm.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 12.0.RegAsm.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@9/10@0/1
          Source: C:\Users\user\Desktop\20014464370.PDF.exe | File created: C:\Users\user\AppData\Local\lkjhgfs.exe
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{ba5f434c-3370-4fb7-bec8-4c7f593d07f3}
          Source: C:\Users\user\Desktop\20014464370.PDF.exe | File created: C:\Users\user\AppData\Local\Temp\RegAsm.exe
          Source: 20014464370.PDF.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\20014464370.PDF.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\AppData\Local\Temp\AAAstarupxxzzzgb.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Users\user\Desktop\20014464370.PDF.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: 20014464370.PDF.exe | Virustotal: Detection: 28%
          Source: 20014464370.PDF.exe | ReversingLabs: Detection: 14%
          Source: C:\Users\user\Desktop\20014464370.PDF.exe | File read: C:\Users\user\Desktop\20014464370.PDF.exe
          Source: unknown | Process created: C:\Users\user\Desktop\20014464370.PDF.exe 'C:\Users\user\Desktop\20014464370.PDF.exe'
          Source: C:\Users\user\Desktop\20014464370.PDF.exe | Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe gyujnbgh
          Source: unknown | Process created: C:\Users\user\AppData\Local\lkjhgfs.exe 'C:\Users\user\AppData\Local\lkjhgfs.exe'
          Source: unknown | Process created: C:\Users\user\AppData\Local\lkjhgfs.exe 'C:\Users\user\AppData\Local\lkjhgfs.exe'
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Process created: C:\Users\user\AppData\Local\Temp\AAAstarupxxzzzgb.exe 'C:\Users\user\AppData\Local\Temp\AAAstarupxxzzzgb.exe'
          Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe gyujnbgh
          Source: C:\Users\user\Desktop\20014464370.PDF.exe | Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe gyujnbgh
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Process created: C:\Users\user\AppData\Local\Temp\AAAstarupxxzzzgb.exe 'C:\Users\user\AppData\Local\Temp\AAAstarupxxzzzgb.exe'
          Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe gyujnbgh
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
          Source: C:\Users\user\Desktop\20014464370.PDF.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: 20014464370.PDF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: 20014464370.PDF.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: RegAsm.pdb source: RegAsm.exe, RegAsm.exe.1.dr
          Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: RegAsm.exe, 0000000C.00000002.498724882.0000000002731000.00000004.00000001.sdmp
          Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 0000000C.00000002.493736550.0000000000442000.00000002.00020000.sdmp, RegAsm.exe, 00000017.00000002.493683200.0000000000A42000.00000002.00020000.sdmp, RegAsm.exe.1.dr
          Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegAsm.exe, 0000000C.00000002.498724882.0000000002731000.00000004.00000001.sdmp
          Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: RegAsm.exe, 0000000C.00000002.498724882.0000000002731000.00000004.00000001.sdmp
          Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: RegAsm.exe, 0000000C.00000002.498724882.0000000002731000.00000004.00000001.sdmp
          Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegAsm.exe, 0000000C.00000002.508963267.0000000006520000.00000004.00000001.sdmp
          Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: RegAsm.exe, 0000000C.00000002.498724882.0000000002731000.00000004.00000001.sdmp

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: 20014464370.PDF.exe, Nakdaea.Messages/Class.cs | .Net Code: ConnectClass System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: lkjhgfs.exe.1.dr, Nakdaea.Messages/Class.cs | .Net Code: ConnectClass System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.0.20014464370.PDF.exe.e10000.0.unpack, Nakdaea.Messages/Class.cs | .Net Code: ConnectClass System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.2.20014464370.PDF.exe.e10000.0.unpack, Nakdaea.Messages/Class.cs | .Net Code: ConnectClass System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 12.0.RegAsm.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 12.0.RegAsm.exe.400000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 12.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 12.2.RegAsm.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 12.0.RegAsm.exe.400000.3.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 12.0.RegAsm.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 15.2.lkjhgfs.exe.7b0000.0.unpack, Nakdaea.Messages/Class.cs | .Net Code: ConnectClass System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 15.0.lkjhgfs.exe.7b0000.0.unpack, Nakdaea.Messages/Class.cs | .Net Code: ConnectClass System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 17.2.lkjhgfs.exe.540000.0.unpack, Nakdaea.Messages/Class.cs | .Net Code: ConnectClass System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Yara detected Costura Assembly Loader
          Source: Yara matchFile source: 20014464370.PDF.exe, type: SAMPLE
          Source: Yara match | File source: 00000011.00000000.377243556.0000000000542000.00000002.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000000.359197318.00000000007B2000.00000002.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.341859487.0000000003161000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.493302996.0000000000542000.00000002.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000016.00000002.497639798.0000000002441000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000016.00000002.493379288.0000000000052000.00000002.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000000.218918618.0000000000E12000.00000002.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000002.486775398.0000000002BB1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000002.485697797.00000000007B2000.00000002.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000016.00000000.453300542.0000000000052000.00000002.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.509338103.0000000006C1C000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.498841834.0000000002951000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.341051840.0000000000E12000.00000002.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 5612, type: MEMORY
          Source: Yara match | File source: Process Memory Space: 20014464370.PDF.exe PID: 5480, type: MEMORY
          Source: Yara match | File source: Process Memory Space: AAAstarupxxzzzgb.exe PID: 3604, type: MEMORY
          Source: Yara match | File source: Process Memory Space: lkjhgfs.exe PID: 5188, type: MEMORY
          Source: Yara match | File source: Process Memory Space: lkjhgfs.exe PID: 1848, type: MEMORY
          Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\AAAstarupxxzzzgb.exe, type: DROPPED
          Source: Yara match | File source: C:\Users\user\AppData\Local\lkjhgfs.exe, type: DROPPED
          Source: Yara match | File source: 22.0.AAAstarupxxzzzgb.exe.50000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 12.2.RegAsm.exe.6cd305a.42.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 22.2.AAAstarupxxzzzgb.exe.50000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 15.2.lkjhgfs.exe.7b0000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 12.2.RegAsm.exe.6cd305a.42.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 15.0.lkjhgfs.exe.7b0000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.0.20014464370.PDF.exe.e10000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.20014464370.PDF.exe.e10000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 12.2.RegAsm.exe.6d5a9f0.41.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 12.2.RegAsm.exe.6d5a9f0.41.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 17.2.lkjhgfs.exe.540000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 17.0.lkjhgfs.exe.540000.0.unpack, type: UNPACKEDPE
          Source: AAAstarupxxzzzgb.exe.12.dr | Static PE information: 0xED5163A4 [Fri Mar 2 13:41:56 2096 UTC] (a build date in 2096 cannot be genuine; the TimeDateStamp field was set by the packer or edited by hand)
          Source: C:\Users\user\Desktop\20014464370.PDF.exe | Code function: 1_2_00E13CD5 push esp; iretd
          Source: C:\Users\user\Desktop\20014464370.PDF.exe | Code function: 1_2_00E138DA push esp; iretd
          Source: C:\Users\user\Desktop\20014464370.PDF.exe | Code function: 1_2_03114D40 pushad ; iretd
          Source: C:\Users\user\Desktop\20014464370.PDF.exe | Code function: 1_2_03114D46 push ecx; iretd
          Source: C:\Users\user\Desktop\20014464370.PDF.exe | Code function: 1_2_031161EC push eax; iretd
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 12_2_00444289 push es; retf
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 12_2_004444A3 push es; retf
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 12_2_00444469 push cs; retf
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 12_2_04C1E349 pushad ; ret
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 12_2_04C169B0 pushfd ; retn 0004h
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 12_2_05C0ADED push 8B000005h; retf
          Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Code function: 15_2_007B38DA push esp; iretd
          Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Code function: 15_2_007B3CD5 push esp; iretd
          Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Code function: 15_2_05054D46 push ecx; iretd
          Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Code function: 15_2_05054D40 pushad ; iretd
          Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Code function: 15_2_050561EC push eax; iretd
          Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Code function: 15_2_05338528 push esp; iretd
          Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Code function: 17_2_00543CD5 push esp; iretd
          Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Code function: 17_2_005438DA push esp; iretd
          Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Code function: 17_2_029161EC push eax; iretd
          Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Code function: 17_2_02914D40 pushad ; iretd
          Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Code function: 17_2_02914D46 push ecx; iretd
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 23_2_00A444A3 push es; retf
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 23_2_00A44469 push cs; retf
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 23_2_00A44289 push es; retf
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 23_2_053069F8 pushad ; retf
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 23_2_053069FA push esp; retf
          Source: initial sample | Static PE information: section name: .text entropy: 7.98698784379 (the maximum is 8.0 bits/byte; a code section this close to it holds compressed or encrypted data rather than plain x86 or CIL code)
          Source: initial sample | Static PE information: section name: .text entropy: 7.98698784379
          Source: initial sample | Static PE information: section name: .text entropy: 7.99215035328
          Source: 12.0.RegAsm.exe.400000.1.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
          Source: 12.0.RegAsm.exe.400000.1.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
          Source: 12.2.RegAsm.exe.400000.0.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
          Source: 12.2.RegAsm.exe.400000.0.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
          Source: 12.0.RegAsm.exe.400000.3.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
          Source: 12.0.RegAsm.exe.400000.3.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | File created: C:\Users\user\AppData\Local\Temp\AAAstarupxxzzzgb.exe
          Source: C:\Users\user\Desktop\20014464370.PDF.exe | File created: C:\Users\user\AppData\Local\Temp\RegAsm.exe
          Source: C:\Users\user\Desktop\20014464370.PDF.exe | File created: C:\Users\user\AppData\Local\lkjhgfs.exe
          Source: C:\Users\user\Desktop\20014464370.PDF.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run lkjhgfs (two occurrences)
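The compile timestamp and the .text entropy reported above are static checks that need no sandbox. The Python below is an added example for this page (not Joe Sandbox code and not code recovered from the sample): it reads the IMAGE_FILE_HEADER and section table with struct, computes Shannon entropy per section, and reports a build date later than the analysis date or a section above an assumed threshold of 7.0 bits/byte. ANALYSIS_DATE is an assumption (this section of the report does not print the run date), and the PE it analyses is constructed by build_sample_pe from the report's timestamp 0xED5163A4 and a uniformly distributed .text section so the example runs offline; call parse_pe or triage on the bytes of a real file to use it.

```python
"""Static triage for a tampered compile timestamp and packed sections (added example)."""
import math
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Assumed: the report's run date is not shown in this section; any date after the build date works.
ANALYSIS_DATE = datetime(2021, 6, 1, tzinfo=timezone.utc)
# Assumed threshold: plain x86/CIL code sits well below 7.0, compressed or encrypted data near 8.0.
PACKED_ENTROPY = 7.0


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(blob):
    """Read TimeDateStamp and per-section entropy straight from the PE headers (no pefile needed)."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsect, tstamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, e_lfanew + 4)
    sect_off = e_lfanew + 4 + 20 + opt_size
    sections = []
    for i in range(nsect):
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
        hdr = struct.unpack_from("<8sIIIIIIHHI", blob, sect_off + 40 * i)
        name = hdr[0].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = hdr[3], hdr[4]
        sections.append((name, shannon_entropy(blob[raw_ptr:raw_ptr + raw_size])))
    return {"timestamp": tstamp, "sections": sections}


def triage(blob, analysis_time):
    """Return the findings the report lists: an implausible build date, or a near-random section."""
    pe = parse_pe(blob)
    findings = []
    built = EPOCH + timedelta(seconds=pe["timestamp"])
    if pe["timestamp"] == 0 or built > analysis_time:
        findings.append(f"timestamp {pe['timestamp']:#010x} ({built:%Y-%m-%d %H:%M:%S} UTC) is not a plausible build date")
    for name, ent in pe["sections"]:
        if ent >= PACKED_ENTROPY:
            findings.append(f"section {name} entropy {ent:.2f} bits/byte (packed or encrypted)")
    return findings


def build_sample_pe(tstamp, text):
    """Constructed minimal PE32 (DOS stub, file header, blank optional header, one .text section).

    Only what parse_pe reads is populated; it is not loadable and exists so the example runs offline."""
    e_lfanew = 0x40
    opt = bytes(224)                               # PE32 optional header size
    hdr_end = e_lfanew + 4 + 20 + len(opt) + 40    # one section header
    raw_ptr = (hdr_end + 0x1FF) & ~0x1FF           # 512-byte file alignment
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, tstamp, 0, 0, len(opt), 0x102)
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), raw_ptr, 0, 0, 0, 0, 0x60000020)
    image = dos + b"PE\0\0" + file_hdr + opt + sect
    return image + bytes(raw_ptr - len(image)) + text


if __name__ == "__main__":
    # The report's timestamp 0xED5163A4 with a uniformly distributed .text section (entropy 8.0).
    sample = build_sample_pe(0xED5163A4, bytes(range(256)) * 16)
    for line in triage(sample, datetime.now(timezone.utc)):
        print(line)
```

On the report's own value the timestamp check reports 2096-03-02 13:41:56 UTC, the same date Joe Sandbox prints. A section entropy threshold is a heuristic: resource sections holding compressed images also score high, so treat the .text hit as meaningful and a .rsrc hit as noise unless the section is executable.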

          Hooking and other Techniques for Hiding and Protection:

          Uses an obfuscated file name to hide its real file extension (double extension)
          Source: Possible double extension: pdf.exe | Static PE information: 20014464370.PDF.exe
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Users\user\Desktop\20014464370.PDF.exe | Process information set: NOOPENFILEERRORBOX (25 occurrences; SetErrorMode(SEM_NOOPENFILEERRORBOX) suppresses the dialog Windows would otherwise show when a file cannot be found, so a missing dependency cannot stall the process with a visible message box)
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Process information set: NOOPENFILEERRORBOX (43 occurrences)
          Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Process information set: NOOPENFILEERRORBOX (46 occurrences)
          Source: C:\Users\user\AppData\Local\Temp\AAAstarupxxzzzgb.exe | Process information set: NOOPENFILEERRORBOX (9 occurrences)
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Process information set: NOOPENFILEERRORBOX (26 occurrences in a second block of the report)

          Malware Analysis System Evasion:

          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: 20014464370.PDF.exe, 00000001.00000002.341859487.0000000003161000.00000004.00000001.sdmp, lkjhgfs.exe, 0000000F.00000002.486775398.0000000002BB1000.00000004.00000001.sdmp, lkjhgfs.exe, 00000011.00000002.498841834.0000000002951000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE (SbieDll.dll is the DLL Sandboxie injects into every sandboxed process; the WMI query returns the BIOS manufacturer, version and serial fields that hypervisors populate with recognisable values; the stray characters between the strings are string-length prefixes from the .NET metadata, not part of the query)
          Source: C:\Users\user\AppData\Local\lkjhgfs.exe | File opened / queried: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lkjhgfs.exe.log
          Source: C:\Users\user\AppData\Local\lkjhgfs.exe | File opened / queried: C:\Users\user\AppData\Local\lkjhgfs.exe
          Source: C:\Users\user\AppData\Local\lkjhgfs.exe | File opened / queried: C:\Users\user\AppData\Local\lkjhgfs.exe.config
          Source: C:\Users\user\AppData\Local\lkjhgfs.exe | File opened / queried: C:\Users\user\AppData\Local\lkjhgfs.INI
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} (the device interface path of the VMware virtual SATA CD-ROM)
          Source: C:\Users\user\Desktop\20014464370.PDF.exe | Thread delayed: delay time: 922337203685477 (milliseconds; this is 2^63-1 100-nanosecond timer ticks converted to milliseconds, i.e. the largest delay the 64-bit interval can express, an effectively infinite sleep)
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Window / User API: threadDelayed 5379
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Window / User API: threadDelayed 4241
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Window / User API: foregroundWindowGot 356
          Source: C:\Users\user\Desktop\20014464370.PDF.exe TID: 3976 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 1260 | Thread sleep time: -16602069666338586s >= -30000s
          Source: C:\Users\user\AppData\Local\lkjhgfs.exe TID: 4112 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\AppData\Local\Temp\AAAstarupxxzzzgb.exe | Last function: Thread delayed
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\20014464370.PDF.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Thread delayed: delay time: 922337203685477
          Source: lkjhgfs.exe, 0000000F.00000002.486371354.0000000000E60000.00000004.00000020.sdmp | Binary or memory string (the process's command line followed by its environment block, with the NUL separators stripped so the variables run together): C:\Users\user\AppData\Local\C:\Users\user\AppData\Local\lkjhgfs.exe"C:\Users\user\AppData\Local\lkjhgfs.exe" C:\Users\user\AppData\Local\lkjhgfs.exeWinsta0\Default=::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=computerComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\computerNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=5507ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=computerUSERDOMAIN_ROAMINGPROFILE=computerUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\WindowsH
          Source: lkjhgfs.exe, 00000011.00000002.498841834.0000000002951000.00000004.00000001.sdmp | Binary or memory string: 0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem (a regular-expression alternation of hypervisor and BIOS vendor strings that is matched against the result of the Win32_ComputerSystem query; the stray characters around the strings are .NET string-length prefixes)
          Source: lkjhgfs.exe, 00000011.00000002.497543143.0000000000CF0000.00000004.00000020.sdmp | Binary or memory string: C:\Users\user\AppData\Local\lkjhgfs.exeFraxk
          Source: lkjhgfs.exe, 0000000F.00000002.486371354.0000000000E60000.00000004.00000020.sdmp | Binary or memory string: C:\Windows\Temp\AslLog_ShimDebugLog_lkjhgfs.exe_1848.txt
          Source: lkjhgfs.exe, 0000000F.00000002.486391031.0000000000E69000.00000004.00000020.sdmp | Binary or memory string: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lkjhgfs.exe.log$
          Source: RegAsm.exe, 0000000C.00000003.491770555.0000000006299000.00000004.00000001.sdmp | Binary or memory string: lkjhgfs.exe@
          Source: lkjhgfs.exe, 0000000F.00000002.486837759.0000000002C00000.00000004.00000001.sdmp, lkjhgfs.exe, 00000011.00000002.499016642.00000000029A0000.00000004.00000001.sdmp | Binary or memory string: l)C:\Users\user\AppData\Local\lkjhgfs.exex
          Source: RegAsm.exe, 0000000C.00000002.504987009.000000000453F000.00000004.00000001.sdmp | Binary or memory string: lkjhgfs.exeP
          Source: lkjhgfs.exe, 0000000F.00000002.486485227.0000000000EE5000.00000004.00000020.sdmp | Binary or memory string: \Users\user\AppData\Local\lkjhgfs.exeiJZl
          Source: lkjhgfs.exe, 00000011.00000002.497605970.0000000000CFA000.00000004.00000020.sdmp | Binary or memory string: lkjhgfs.exenDefi
          Source: RegAsm.exe, 0000000C.00000003.379211169.0000000005B1B000.00000004.00000001.sdmp | Binary or memory string: lkjhgfs.exe"
          Source: lkjhgfs.exe, 0000000F.00000002.486448464.0000000000EB0000.00000004.00000020.sdmp | Binary or memory string: lkjhgfs.exeMrl.exe
          Source: lkjhgfs.exe, 0000000F.00000002.486371354.0000000000E60000.00000004.00000020.sdmp | Binary or memory string: C:\Windows\Temp\AslLog_ApphelpDebug_lkjhgfs.exe_1848.txt G
          Source: lkjhgfs.exe, 00000011.00000002.497816109.0000000000D24000.00000004.00000020.sdmp | Binary or memory string: \??\C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lkjhgfs.exe.log(
          Source: lkjhgfs.exe, 0000000F.00000002.486837759.0000000002C00000.00000004.00000001.sdmp, lkjhgfs.exe, 00000011.00000002.499016642.00000000029A0000.00000004.00000001.sdmp | Binary or memory string: C:\Users\user\AppData\Local\lkjhgfs.exe4
          Source: lkjhgfs.exe, 0000000F.00000002.485971051.0000000000C80000.00000004.00000040.sdmp, lkjhgfs.exe, 00000011.00000002.497543143.0000000000CF0000.00000004.00000020.sdmp | Binary or memory string: C:\Users\user\AppData\Local\lkjhgfs.exe
          Source: RegAsm.exe, 0000000C.00000003.486917084.0000000005B46000.00000004.00000001.sdmp | Binary or memory string: lkjhgfs.exe0
          Source: 20014464370.PDF.exe, 00000001.00000002.345363634.00000000058A0000.00000002.00000001.sdmp, lkjhgfs.exe, 0000000F.00000002.492655545.00000000050F0000.00000002.00000001.sdmp, lkjhgfs.exe, 00000011.00000002.505221998.0000000004F40000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: lkjhgfs.exe, 0000000F.00000002.486391031.0000000000E69000.00000004.00000020.sdmp | Binary or memory string: C:\Windows\Temp\AslLog_DetectorsTrace_lkjhgfs.exe_1848.txt
          Source: lkjhgfs.exe, 00000011.00000002.497816109.0000000000D24000.00000004.00000020.sdmp | Binary or memory string: C:\Users\user\AppData\Local\lkjhgfs.exedlsk
          Source: lkjhgfs.exe, 0000000F.00000002.486371354.0000000000E60000.00000004.00000020.sdmp, lkjhgfs.exe, 00000011.00000002.497543143.0000000000CF0000.00000004.00000020.sdmp | Binary or memory string: "C:\Users\user\AppData\Local\lkjhgfs.exe"
          Source: 20014464370.PDF.exe, 00000001.00000002.341926075.00000000031D0000.00000004.00000001.sdmpBinary or memory string: l)C:\Users\user\AppData\Local\lkjhgfs.exe
          Source: RegAsm.exe, 0000000C.00000003.402073587.00000000062F3000.00000004.00000001.sdmpBinary or memory string: lkjhgfs.exe@"
          Source: lkjhgfs.exe, 0000000F.00000002.486775398.0000000002BB1000.00000004.00000001.sdmp, lkjhgfs.exe, 00000011.00000002.498841834.0000000002951000.00000004.00000001.sdmpBinary or memory string: l)C:\Users\user\AppData\Local\lkjhgfs.exe@p^
          Source: lkjhgfs.exe, 00000011.00000002.497605970.0000000000CFA000.00000004.00000020.sdmpBinary or memory string: C:\Users\user\AppData\Local\lkjhgfs.exeILE=xk
          Source: lkjhgfs.exe, 00000011.00000002.498096071.0000000000D58000.00000004.00000001.sdmpBinary or memory string: C:\Users\user\AppData\Local\lkjhgfs.
          Source: lkjhgfs.exe, 0000000F.00000002.486837759.0000000002C00000.00000004.00000001.sdmp, lkjhgfs.exe, 00000011.00000002.499016642.00000000029A0000.00000004.00000001.sdmpBinary or memory string: lkjhgfs.exeH
          Source: lkjhgfs.exe, 0000000F.00000002.486434084.0000000000E9E000.00000004.00000020.sdmpBinary or memory string: C:\Users\user\AppData\Local\lkjhgfs.exea
          Source: lkjhgfs.exe, 00000011.00000002.498841834.0000000002951000.00000004.00000001.sdmpBinary or memory string: vmware
          Source: lkjhgfs.exe, 0000000F.00000002.486434084.0000000000E9E000.00000004.00000020.sdmpBinary or memory string: file:///C:/Users/user/AppData/Local/lkjhgfs.exe
          Source: RegAsm.exe, 0000000C.00000003.427371081.00000000062F3000.00000004.00000001.sdmpBinary or memory string: lkjhgfs.exe@
          Source: lkjhgfs.exe, 00000011.00000002.497605970.0000000000CFA000.00000004.00000020.sdmpBinary or memory string: <add name="workflowRuntime" type="System.ServiceModel.Configuration.WorkflowRuntimeElement, System.WorkflC:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lkjhgfs.exe.log/>
          Source: lkjhgfs.exe, 0000000F.00000002.486448464.0000000000EB0000.00000004.00000020.sdmpBinary or memory string: C:\Users\user\AppData\Local\lkjhgfs.exe.configd
          Source: lkjhgfs.exe, 00000011.00000002.498841834.0000000002951000.00000004.00000001.sdmpBinary or memory string: model0Microsoft|VMWare|Virtual
          Source: RegAsm.exe, 0000000C.00000003.451762132.00000000062F6000.00000004.00000001.sdmpBinary or memory string: }\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: lkjhgfs.exe, 00000011.00000002.497309382.0000000000BB0000.00000004.00000020.sdmpBinary or memory string: C:\Users\user\AppData\Local\C:\Users\user\AppData\Local\lkjhgfs.exe"C:\Users\user\AppData\Local\lkjhgfs.exe" C:\Users\user\AppData\Local\lkjhgfs.exeWinsta0\Default
          Source: RegAsm.exe, 0000000C.00000003.482575979.000000000630E000.00000004.00000001.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:-
          Source: lkjhgfs.exe, 0000000F.00000002.486775398.0000000002BB1000.00000004.00000001.sdmp, lkjhgfs.exe, 00000011.00000002.498841834.0000000002951000.00000004.00000001.sdmpBinary or memory string: l0C:\Users\user\AppData\Local\lkjhgfs.exe.config<
          Source: 20014464370.PDF.exe, 00000001.00000002.341926075.00000000031D0000.00000004.00000001.sdmpBinary or memory string: l+"C:\Users\user\AppData\Local\lkjhgfs.exe"
          Source: lkjhgfs.exe, 0000000F.00000002.486391031.0000000000E69000.00000004.00000020.sdmpBinary or memory string: C:\Users\user\AppData\Local\lkjhgfs.exeNET
          Source: lkjhgfs.exe, 00000011.00000002.497816109.0000000000D24000.00000004.00000020.sdmpBinary or memory string: sers\user\AppData\Local\lkjhgfs.exe.config
          Source: RegAsm.exe, 0000000C.00000002.504987009.000000000453F000.00000004.00000001.sdmpBinary or memory string: lkjhgfs.exe #
          Source: lkjhgfs.exe, 0000000F.00000002.486391031.0000000000E69000.00000004.00000020.sdmpBinary or memory string: C:\Users\user\AppData\Local\lkjhgfs.exeZ
          Source: RegAsm.exe, 0000000C.00000003.469264007.0000000005B1B000.00000004.00000001.sdmp, lkjhgfs.exe, 0000000F.00000002.492975324.0000000005540000.00000004.00000001.sdmpBinary or memory string: lkjhgfs.exeP
          Source: lkjhgfs.exe, 0000000F.00000002.486391031.0000000000E69000.00000004.00000020.sdmpBinary or memory string: C:\Users\user\AppData\Local\lkjhgfs.exeX
          Source: 20014464370.PDF.exe, 00000001.00000002.345363634.00000000058A0000.00000002.00000001.sdmp, lkjhgfs.exe, 0000000F.00000002.492655545.00000000050F0000.00000002.00000001.sdmp, lkjhgfs.exe, 00000011.00000002.505221998.0000000004F40000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: RegAsm.exe, 0000000C.00000003.369719228.0000000005B01000.00000004.00000001.sdmpBinary or memory string: lkjhgfs.exed
          Source: lkjhgfs.exe, 00000011.00000002.497816109.0000000000D24000.00000004.00000020.sdmpBinary or memory string: C:\Users\user\AppData\Local\lkjhgfs.exe.config{j
          Source: RegAsm.exe, 0000000C.00000003.451716416.000000000629A000.00000004.00000001.sdmp, lkjhgfs.exe, 0000000F.00000003.483683958.0000000000EF7000.00000004.00000001.sdmp, lkjhgfs.exe, 00000011.00000002.494838264.0000000000975000.00000004.00000001.sdmpBinary or memory string: lkjhgfs.exeh
          Source: 20014464370.PDF.exe, 00000001.00000002.345363634.00000000058A0000.00000002.00000001.sdmp, lkjhgfs.exe, 0000000F.00000002.492655545.00000000050F0000.00000002.00000001.sdmp, lkjhgfs.exe, 00000011.00000002.505221998.0000000004F40000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: lkjhgfs.exe, 0000000F.00000002.486448464.0000000000EB0000.00000004.00000020.sdmpBinary or memory string: sers\user\AppData\Local\lkjhgfs.exe.config-msO
          Source: RegAsm.exe, 0000000C.00000002.504987009.000000000453F000.00000004.00000001.sdmpBinary or memory string: lkjhgfs.exe\
          Source: RegAsm.exe, 0000000C.00000003.411710139.00000000062ED000.00000004.00000001.sdmpBinary or memory string: lkjhgfs.exe`
          Source: lkjhgfs.exe, 00000011.00000002.497816109.0000000000D24000.00000004.00000020.sdmpBinary or memory string: file:///C:/Users/user/AppData/Local/lkjhgfs.exevk
          Source: lkjhgfs.exe, 0000000F.00000002.486448464.0000000000EB0000.00000004.00000020.sdmpBinary or memory string: lkjhgfs.exeb
          Source: lkjhgfs.exe, 00000011.00000002.497543143.0000000000CF0000.00000004.00000020.sdmpBinary or memory string: C:\Users\user\AppData\Local\C:\Users\user\AppData\Local\lkjhgfs.exe"C:\Users\user\AppData\Local\lkjhgfs.exe" C:\Users\user\AppData\Local\lkjhgfs.exeWinsta0\Default=::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=computerComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\computerNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=5507ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=computerUSERDOMAIN_ROAMINGPROFILE=computerUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windowssk
          Source: lkjhgfs.exe, 0000000F.00000002.486391031.0000000000E69000.00000004.00000020.sdmpBinary or memory string: crosoft\CLR_v4.0_32\UsageLogs\lkjhgfs.exe.log
          Source: lkjhgfs.exe, 0000000F.00000002.486837759.0000000002C00000.00000004.00000001.sdmp, lkjhgfs.exe, 00000011.00000002.499016642.00000000029A0000.00000004.00000001.sdmpBinary or memory string: l)c:\users\user\appdata\local\lkjhgfs.exe
          Source: lkjhgfs.exe, 0000000F.00000002.486371354.0000000000E60000.00000004.00000020.sdmpBinary or memory string: C:\Windows\Temp\AslLog_shimengstate_lkjhgfs.exe_1848.txt(V
          Source: lkjhgfs.exe, 0000000F.00000002.486448464.0000000000EB0000.00000004.00000020.sdmpBinary or memory string: file:///C:/Users/user/AppData/Local/lkjhgfs.exe9
          Source: lkjhgfs.exe, 0000000F.00000002.486391031.0000000000E69000.00000004.00000020.sdmpBinary or memory string: <SHIMENGSTATE PID="1848" FILENAME="C:\Users\user\AppData\Local\lkjhgfs.exe" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas.microsoft.com/appcompat/2010/03/shimengstate EngineState.xsd" xmlns="urn:schemas.microsoft.com/appcompat/2010/03/shimengstate">
          Source: lkjhgfs.exe, 0000000F.00000002.485861642.00000000009E5000.00000004.00000001.sdmpBinary or memory string: lkjhgfs.exex
          Source: lkjhgfs.exe, 0000000F.00000002.486371354.0000000000E60000.00000004.00000020.sdmp, lkjhgfs.exe, 00000011.00000002.497543143.0000000000CF0000.00000004.00000020.sdmpBinary or memory string: sers\user\AppData\Local\lkjhgfs.exeDATA=C:\Users\user\AppData\RoamingCommonP
          Source: lkjhgfs.exe, 0000000F.00000002.486448464.0000000000EB0000.00000004.00000020.sdmpBinary or memory string: C:\Users\user\AppData\Local\lkjhgfs.exeo
          Source: lkjhgfs.exe, 0000000F.00000002.486391031.0000000000E69000.00000004.00000020.sdmpBinary or memory string: lkjhgfs.exen
          Source: lkjhgfs.exe, 00000011.00000002.498096071.0000000000D58000.00000004.00000001.sdmpBinary or memory string: C:\Windows\Temp\AslLog_ApphelpDebug_lkjhgfs.exe_5188.txt
          Source: RegAsm.exe, 0000000C.00000002.504987009.000000000453F000.00000004.00000001.sdmpBinary or memory string: lkjhgfs.exep
          Source: 20014464370.PDF.exe, 00000001.00000002.341859487.0000000003161000.00000004.00000001.sdmp, RegAsm.exe, 0000000C.00000003.451716416.000000000629A000.00000004.00000001.sdmp, lkjhgfs.exe, 0000000F.00000002.486448464.0000000000EB0000.00000004.00000020.sdmp, lkjhgfs.exe, 00000011.00000002.499016642.00000000029A0000.00000004.00000001.sdmpBinary or memory string: lkjhgfs.exe
          Source: lkjhgfs.exe, 00000011.00000002.494838264.0000000000975000.00000004.00000001.sdmpBinary or memory string: C:\Users\user\AppData\Local\lkjhgfs.exe!
          Source: 20014464370.PDF.exe, 00000001.00000002.341859487.0000000003161000.00000004.00000001.sdmp, lkjhgfs.exe, 0000000F.00000002.486775398.0000000002BB1000.00000004.00000001.sdmp, lkjhgfs.exe, 00000011.00000002.498841834.0000000002951000.00000004.00000001.sdmpBinary or memory string: l)C:\Users\user\AppData\Local\lkjhgfs.exe8^
          Source: 20014464370.PDF.exe, 00000001.00000002.341926075.00000000031D0000.00000004.00000001.sdmpBinary or memory string: lkjhgfs
          Source: RegAsm.exe, 0000000C.00000002.504987009.000000000453F000.00000004.00000001.sdmpBinary or memory string: lkjhgfs.exep
          Source: lkjhgfs.exe, 0000000F.00000002.486448464.0000000000EB0000.00000004.00000020.sdmpBinary or memory string: SION_APPCFG_DOWNLOAD_ATTEMPTED__/lkjhgfs.exe.configT
          Source: lkjhgfs.exe, 00000011.00000002.497816109.0000000000D24000.00000004.00000020.sdmpBinary or memory string: a\Local\lkjhgfs.exe
          Source: RegAsm.exe, 0000000C.00000002.504987009.000000000453F000.00000004.00000001.sdmpBinary or memory string: lkjhgfs.exep#
          Source: lkjhgfs.exe, 00000011.00000002.497543143.0000000000CF0000.00000004.00000020.sdmpBinary or memory string: "C:\Users\user\AppData\Local\lkjhgfs.exe" |k
          Source: lkjhgfs.exe, 0000000F.00000002.493092915.000000000577F000.00000004.00000001.sdmp, lkjhgfs.exe, 00000011.00000002.505527243.00000000054FF000.00000004.00000001.sdmpBinary or memory string: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lkjhgfs.exe.log
          Source: lkjhgfs.exe, 0000000F.00000002.486371354.0000000000E60000.00000004.00000020.sdmpBinary or memory string: "C:\Users\user\AppData\Local\lkjhgfs.exe" G
          Source: lkjhgfs.exe, 0000000F.00000002.486448464.0000000000EB0000.00000004.00000020.sdmpBinary or memory string: \??\C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lkjhgfs.exe.log
          Source: lkjhgfs.exe, 0000000F.00000002.486391031.0000000000E69000.00000004.00000020.sdmpBinary or memory string: C:\Users\user\AppData\Local\lkjhgfs.exewiB
          Source: lkjhgfs.exe, 0000000F.00000002.486448464.0000000000EB0000.00000004.00000020.sdmpBinary or memory string: \??\C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lkjhgfs.exe.logB
          Source: 20014464370.PDF.exe, 00000001.00000002.345363634.00000000058A0000.00000002.00000001.sdmp, lkjhgfs.exe, 0000000F.00000002.492655545.00000000050F0000.00000002.00000001.sdmp, lkjhgfs.exe, 00000011.00000002.505221998.0000000004F40000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: lkjhgfs.exe, 0000000F.00000002.485986107.0000000000CB0000.00000004.00000020.sdmpBinary or memory string: C:\Users\user\AppData\Local\C:\Users\user\AppData\Local\lkjhgfs.exe"C:\Users\user\AppData\Local\lkjhgfs.exe" C:\Users\user\AppData\Local\lkjhgfs.exeWinsta0\Defaulthk
          Source: RegAsm.exe, 0000000C.00000003.419831061.0000000005B1B000.00000004.00000001.sdmpBinary or memory string: lkjhgfs.exel)
          Source: lkjhgfs.exe, 00000011.00000002.497605970.0000000000CFA000.00000004.00000020.sdmpBinary or memory string: C:\Windows\Microsoft.NET\Framework\v4.0.30319;C:\WindoC:\Users\user\AppData\Local\lkjhgfs.exe;C:\ck
          Source: C:\Users\user\Desktop\20014464370.PDF.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\20014464370.PDF.exeCode function: 1_2_015F2B20 LdrInitializeThunk,
          Source: C:\Users\user\Desktop\20014464370.PDF.exeProcess token adjusted: Debug
          Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess token adjusted: Debug
          Source: C:\Users\user\AppData\Local\lkjhgfs.exeProcess token adjusted: Debug
          Source: C:\Users\user\AppData\Local\lkjhgfs.exeProcess token adjusted: Debug
          Source: C:\Users\user\Desktop\20014464370.PDF.exeMemory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\Desktop\20014464370.PDF.exe | Memory allocated: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Memory allocated: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\20014464370.PDF.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Users\user\Desktop\20014464370.PDF.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000
Source: C:\Users\user\Desktop\20014464370.PDF.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 402000
Source: C:\Users\user\Desktop\20014464370.PDF.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 420000
Source: C:\Users\user\Desktop\20014464370.PDF.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 422000
Source: C:\Users\user\Desktop\20014464370.PDF.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 69A008
Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 402000
Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 420000
Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 422000
Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: CCE008
Source: C:\Users\user\Desktop\20014464370.PDF.exe | Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe gyujnbgh
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Process created: C:\Users\user\AppData\Local\Temp\AAAstarupxxzzzgb.exe 'C:\Users\user\AppData\Local\Temp\AAAstarupxxzzzgb.exe'
Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe gyujnbgh
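Read together, the allocation, write and process-creation entries above describe one injection chain twice: the dropper and its persisted copy lkjhgfs.exe each start a RegAsm.exe from %TEMP%, map an executable-and-writable region at 0x400000 in it, write a buffer that begins with the DOS magic 4D5A ("MZ") at that base, follow with page-aligned writes (0x402000, 0x420000, 0x422000, i.e. PE headers and sections) and finish with a single unaligned write far above the image (0x69A008, 0xCCE008). The script below is an added example, not part of the sandbox report or of the sample: it reconstructs that chain from lines in the report's own format so the same triage can be applied to other reports. The input is the evidence above re-typed as a constructed sample with a " | " separator between the acting process and the event, which is an assumption about layout; the page-alignment rule used to tell image writes from pointer patches is this example's heuristic.

```python
"""Reconstruct the PE-injection chain recorded in a sandbox report.

Added example; not part of the analysis report or of the sample. Input lines
follow the report's "Memory allocated / Memory written / Process created"
fields, with " | " separating the acting process from the event (an assumed
layout). The pattern reconstructed is ATT&CK T1055 (process injection); its
shape, an RWX region at the image base of a freshly spawned child plus a PE
written there, is what process hollowing (T1055.012) looks like, although the
report itself only states "injects a PE file into a foreign process".
"""
import re
from collections import defaultdict

PAGE = 0x1000  # writes that are not page-aligned are treated as pointer patches

# Constructed sample: the evidence lines from the report, separator added.
EVIDENCE = r"""
Source: C:\Users\user\Desktop\20014464370.PDF.exe | Memory allocated: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Memory allocated: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\20014464370.PDF.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\20014464370.PDF.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000
Source: C:\Users\user\Desktop\20014464370.PDF.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 402000
Source: C:\Users\user\Desktop\20014464370.PDF.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 420000
Source: C:\Users\user\Desktop\20014464370.PDF.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 422000
Source: C:\Users\user\Desktop\20014464370.PDF.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 69A008
Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 402000
Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 420000
Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 422000
Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: CCE008
Source: C:\Users\user\Desktop\20014464370.PDF.exe | Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe gyujnbgh
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Process created: C:\Users\user\AppData\Local\Temp\AAAstarupxxzzzgb.exe 'C:\Users\user\AppData\Local\Temp\AAAstarupxxzzzgb.exe'
Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe gyujnbgh
"""

ALLOC = re.compile(r"^Source: (?P<src>.+?) \| Memory allocated: (?P<dst>.+?) "
                   r"base: (?P<base>[0-9A-Fa-f]+) protect: (?P<prot>.+)$")
WRITE = re.compile(r"^Source: (?P<src>.+?) \| Memory written: (?P<dst>.+?) "
                   r"base: (?P<base>[0-9A-Fa-f]+)(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?$")
CREATE = re.compile(r"^Source: (?P<src>.+?) \| Process created: (?P<dst>\S+) (?P<cmd>.+)$")


def parse(text):
    """Group allocations, writes and process creations by (injector, target)."""
    allocs, writes, created = defaultdict(list), defaultdict(list), defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if m := ALLOC.match(line):
            allocs[(m["src"], m["dst"])].append((int(m["base"], 16), m["prot"]))
        elif m := WRITE.match(line):
            writes[(m["src"], m["dst"])].append((int(m["base"], 16), m["magic"]))
        elif m := CREATE.match(line):
            created[(m["src"], m["dst"])].append(m["cmd"])
    return allocs, writes, created


def analyse(text):
    """One finding per (injector, target) pair that received an RWX region
    and an 'MZ'-headed buffer at the same base; everything else is ignored."""
    allocs, writes, created = parse(text)
    findings = []
    for key in sorted(set(allocs) | set(writes)):
        rwx = {b for b, prot in allocs[key] if "execute" in prot and "write" in prot}
        mz = {b for b, magic in writes[key] if magic and magic.upper().startswith("4D5A")}
        bases = rwx & mz
        if not bases:
            continue  # no executable region that received a PE header
        base = min(bases)
        # Page-aligned writes at or above the base are the image (headers, sections).
        sections = sorted({b for b, _ in writes[key] if b >= base and b % PAGE == 0})
        top = sections[-1] + PAGE
        # Unaligned writes, or writes outside the pages just written, are small
        # patches (e.g. a pointer) rather than image content.
        patches = sorted({b for b, _ in writes[key] if b % PAGE or not base <= b < top})
        injector, target = key
        findings.append({
            "injector": injector,
            "target": target,
            "image_base": base,
            "section_writes": sections,
            "patch_writes": patches,
            "spawned_target": bool(created[key]),
            "target_cmdline": created[key][0] if created[key] else "",
        })
    return findings


def leaf(path):
    return path.rsplit("\\", 1)[-1]


def summarise(findings):
    return "\n".join(
        f"{leaf(f['injector'])} -> {leaf(f['target'])}: image at {f['image_base']:#x}, "
        f"{len(f['section_writes'])} page-aligned writes, patches at "
        f"{[hex(p) for p in f['patch_writes']]}, target spawned by injector: "
        f"{f['spawned_target']}, cmdline: {f['target_cmdline']!r}"
        for f in findings)


if __name__ == "__main__":
    print(summarise(analyse(EVIDENCE)))
```

RegAsm.exe spawning AAAstarupxxzzzgb.exe is deliberately not reported: there is no allocation or write into that child, so the script keeps the hollowed RegAsm.exe as the only injection target and leaves the later process creation as ordinary parent-child lineage.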
Source: RegAsm.exe, 0000000C.00000002.501411238.0000000002BB6000.00000004.00000001.sdmp | Binary or memory string: Program Manager
Source: RegAsm.exe, 0000000C.00000002.497785032.0000000000FC0000.00000002.00000001.sdmp, AAAstarupxxzzzgb.exe, 00000016.00000002.497120798.0000000000E40000.00000002.00000001.sdmp, RegAsm.exe, 00000017.00000002.498270397.00000000015E0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 0000000C.00000002.497785032.0000000000FC0000.00000002.00000001.sdmp, AAAstarupxxzzzgb.exe, 00000016.00000002.497120798.0000000000E40000.00000002.00000001.sdmp, RegAsm.exe, 00000017.00000002.498270397.00000000015E0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: RegAsm.exe, 0000000C.00000002.497785032.0000000000FC0000.00000002.00000001.sdmp, AAAstarupxxzzzgb.exe, 00000016.00000002.497120798.0000000000E40000.00000002.00000001.sdmp, RegAsm.exe, 00000017.00000002.498270397.00000000015E0000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl
Source: RegAsm.exe, 0000000C.00000002.508952160.000000000651E000.00000004.00000001.sdmp | Binary or memory string: Program Manager0
Source: RegAsm.exe, 0000000C.00000002.502793642.0000000002CF8000.00000004.00000001.sdmp | Binary or memory string: Program ManagerT?
Source: RegAsm.exe, 0000000C.00000002.497785032.0000000000FC0000.00000002.00000001.sdmp, AAAstarupxxzzzgb.exe, 00000016.00000002.497120798.0000000000E40000.00000002.00000001.sdmp, RegAsm.exe, 00000017.00000002.498270397.00000000015E0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd,
Source: RegAsm.exe, 0000000C.00000002.497785032.0000000000FC0000.00000002.00000001.sdmp, AAAstarupxxzzzgb.exe, 00000016.00000002.497120798.0000000000E40000.00000002.00000001.sdmp, RegAsm.exe, 00000017.00000002.498270397.00000000015E0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: RegAsm.exe, 0000000C.00000002.508533453.00000000059BB000.00000004.00000001.sdmp | Binary or memory string: lProgram Manager
Source: C:\Users\user\Desktop\20014464370.PDF.exe | Queries volume information: C:\Users\user\Desktop\20014464370.PDF.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\RegAsm.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Queries volume information: C:\Users\user\AppData\Local\lkjhgfs.exe VolumeInformation
Source: C:\Users\user\AppData\Local\lkjhgfs.exe | Queries volume information: C:\Users\user\AppData\Local\lkjhgfs.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\AAAstarupxxzzzgb.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\AAAstarupxxzzzgb.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\RegAsm.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\20014464370.PDF.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Yara match | File source: 00000017.00000000.484413891.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Yara match | File source: 00000001.00000002.342623985.00000000041FC000.00000004.00000001.sdmp, type: MEMORY
Yara match | File source: 00000017.00000002.498671862.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
Yara match | File source: 0000000C.00000002.508139093.0000000004F80000.00000004.00000001.sdmp, type: MEMORY
Yara match | File source: 0000000F.00000002.489565052.0000000003E8E000.00000004.00000001.sdmp, type: MEMORY
Yara match | File source: 00000011.00000002.504178420.0000000003C2E000.00000004.00000001.sdmp, type: MEMORY
Yara match | File source: 0000000C.00000000.340662970.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Yara match | File source: 0000000C.00000002.498724882.0000000002731000.00000004.00000001.sdmp, type: MEMORY
Yara match | File source: 0000000C.00000000.339849220.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Yara match | File source: 00000017.00000002.493387609.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Yara match | File source: 0000000C.00000002.504714336.000000000432F000.00000004.00000001.sdmp, type: MEMORY
Yara match | File source: 00000017.00000002.498968741.0000000003DA9000.00000004.00000001.sdmp, type: MEMORY
Yara match | File source: 00000011.00000002.504008398.0000000003B8F000.00000004.00000001.sdmp, type: MEMORY
Yara match | File source: 00000001.00000002.342734107.00000000042DD000.00000004.00000001.sdmp, type: MEMORY
Yara match | File source: 0000000C.00000002.503817122.0000000003FFE000.00000004.00000001.sdmp, type: MEMORY
Yara match | File source: 00000017.00000000.485173449.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Yara match | File source: 0000000C.00000002.503247081.0000000003731000.00000004.00000001.sdmp, type: MEMORY
Yara match | File source: 0000000F.00000002.487979449.0000000003D0E000.00000004.00000001.sdmp, type: MEMORY
Yara match | File source: 0000000C.00000002.493405932.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Yara match | File source: 0000000C.00000002.504360558.00000000041CE000.00000004.00000001.sdmp, type: MEMORY
Yara match | File source: 0000000F.00000002.488625589.0000000003DEF000.00000004.00000001.sdmp, type: MEMORY
Yara match | File source: 00000011.00000002.503763443.0000000003AAE000.00000004.00000001.sdmp, type: MEMORY
Yara match | File source: 00000001.00000002.342922605.000000000437C000.00000004.00000001.sdmp, type: MEMORY
Yara match | File source: Process Memory Space: RegAsm.exe PID: 5612, type: MEMORY
Yara match | File source: Process Memory Space: 20014464370.PDF.exe PID: 5480, type: MEMORY
Yara match | File source: Process Memory Space: RegAsm.exe PID: 964, type: MEMORY
Yara match | File source: Process Memory Space: lkjhgfs.exe PID: 5188, type: MEMORY
Yara match | File source: Process Memory Space: lkjhgfs.exe PID: 1848, type: MEMORY
Yara match | File source: 12.2.RegAsm.exe.4f80000.22.unpack, type: UNPACKEDPE
Yara match | File source: 12.2.RegAsm.exe.41d3b98.12.unpack, type: UNPACKEDPE
Yara match | File source: 1.2.20014464370.PDF.exe.432ca68.7.unpack, type: UNPACKEDPE
Yara match | File source: 1.2.20014464370.PDF.exe.437ca88.8.raw.unpack, type: UNPACKEDPE
Yara match | File source: 12.2.RegAsm.exe.4334738.19.unpack, type: UNPACKEDPE
Yara match | File source: 17.2.lkjhgfs.exe.3bb66a8.10.unpack, type: UNPACKEDPE
Yara match | File source: 23.2.RegAsm.exe.3deff64.3.unpack, type: UNPACKEDPE
Yara match | File source: 23.2.RegAsm.exe.3deb12e.5.raw.unpack, type: UNPACKEDPE
Yara match | File source: 17.2.lkjhgfs.exe.3c2e6e8.12.raw.unpack, type: UNPACKEDPE
Yara match | File source: 23.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Yara match | File source: 1.2.20014464370.PDF.exe.437ca88.8.unpack, type: UNPACKEDPE
Yara match | File source: 15.2.lkjhgfs.exe.3e8e6e8.10.raw.unpack, type: UNPACKEDPE
Yara match | File source: 23.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Yara match | File source: 17.2.lkjhgfs.exe.3c2e6e8.12.unpack, type: UNPACKEDPE
Yara match | File source: 1.2.20014464370.PDF.exe.4304a48.6.unpack, type: UNPACKEDPE
Yara match | File source: 12.2.RegAsm.exe.41d81c1.13.raw.unpack, type: UNPACKEDPE
Yara match | File source: 23.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPE
Yara match | File source: 12.2.RegAsm.exe.377ff64.6.raw.unpack, type: UNPACKEDPE
Yara match | File source: 23.2.RegAsm.exe.3deff64.3.raw.unpack, type: UNPACKEDPE
Yara match | File source: 12.2.RegAsm.exe.4f84629.23.raw.unpack, type: UNPACKEDPE
Yara match | File source: 12.2.RegAsm.exe.4f80000.22.raw.unpack, type: UNPACKEDPE
Yara match | File source: 17.2.lkjhgfs.exe.3aae278.9.raw.unpack, type: UNPACKEDPE
Yara match | File source: 15.2.lkjhgfs.exe.3e8e6e8.10.unpack, type: UNPACKEDPE
Yara match | File source: 15.2.lkjhgfs.exe.3e3e6c8.9.raw.unpack, type: UNPACKEDPE
Yara match | File source: 12.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Yara match | File source: 17.2.lkjhgfs.exe.3bb66a8.10.raw.unpack, type: UNPACKEDPE
Yara match | File source: 12.2.RegAsm.exe.41ced62.11.raw.unpack, type: UNPACKEDPE
Yara match | File source: 12.2.RegAsm.exe.378458d.7.raw.unpack, type: UNPACKEDPE
Yara match | File source: 23.2.RegAsm.exe.3df458d.4.raw.unpack, type: UNPACKEDPE
Yara match | File source: 12.2.RegAsm.exe.4338d61.18.raw.unpack, type: UNPACKEDPE
Yara match | File source: 15.2.lkjhgfs.exe.3e166a8.8.unpack, type: UNPACKEDPE
Yara match | File source: 1.2.20014464370.PDF.exe.432ca68.7.raw.unpack, type: UNPACKEDPE
Yara match | File source: 15.2.lkjhgfs.exe.3e166a8.8.raw.unpack, type: UNPACKEDPE
Yara match | File source: 15.2.lkjhgfs.exe.3e3e6c8.9.unpack, type: UNPACKEDPE
Yara match | File source: 12.2.RegAsm.exe.377b12e.5.raw.unpack, type: UNPACKEDPE
Yara match | File source: 1.2.20014464370.PDF.exe.41fc618.5.raw.unpack, type: UNPACKEDPE
Yara match | File source: 12.2.RegAsm.exe.377ff64.6.unpack, type: UNPACKEDPE
Yara match | File source: 12.2.RegAsm.exe.41d3b98.12.raw.unpack, type: UNPACKEDPE
Yara match | File source: 12.2.RegAsm.exe.40b9625.8.raw.unpack, type: UNPACKEDPE
Yara match | File source: 12.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPE
Yara match | File source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Yara match | File source: 12.2.RegAsm.exe.432f902.17.raw.unpack, type: UNPACKEDPE
Yara match | File source: 17.2.lkjhgfs.exe.3bde6c8.11.unpack, type: UNPACKEDPE
Yara match | File source: 17.2.lkjhgfs.exe.3bde6c8.11.raw.unpack, type: UNPACKEDPE
Yara match | File source: 12.2.RegAsm.exe.40ad3f1.9.raw.unpack, type: UNPACKEDPE
Yara match | File source: 12.2.RegAsm.exe.40cdc52.10.raw.unpack, type: UNPACKEDPE
Yara match | File source: 12.2.RegAsm.exe.4334738.19.raw.unpack, type: UNPACKEDPE
Yara match | File source: 15.2.lkjhgfs.exe.3d0e278.7.raw.unpack, type: UNPACKEDPE
Yara match | File source: 1.2.20014464370.PDF.exe.4304a48.6.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Detected Nanocore Rat
          Source: 20014464370.PDF.exe, 00000001.00000002.342623985.00000000041FC000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
          Source: RegAsm.exe | String found in binary or memory: NanoCore.ClientPluginHost
          Source: lkjhgfs.exe, 0000000F.00000002.486837759.0000000002C00000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
          Source: lkjhgfs.exe, 00000011.00000002.499016642.00000000029A0000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
          Source: RegAsm.exe, 00000017.00000002.498671862.0000000002DA1000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
          Yara detected Nanocore RAT
          Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 5612, type: MEMORY
          Source: Yara match | File source: Process Memory Space: 20014464370.PDF.exe PID: 5480, type: MEMORY
          Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 964, type: MEMORY
          Source: Yara match | File source: Process Memory Space: lkjhgfs.exe PID: 5188, type: MEMORY
          Source: Yara match | File source: Process Memory Space: lkjhgfs.exe PID: 1848, type: MEMORY

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Windows Management Instrumentation1 | Registry Run Keys / Startup Folder1 | Process Injection312 | Masquerading11 | Input Capture21 | Query Registry1 | Remote Services | Input Capture21 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job | DLL Side-Loading1 | Registry Run Keys / Startup Folder1 | Disable or Modify Tools1 | LSASS Memory | Security Software Discovery221 | Remote Desktop Protocol | Archive Collected Data11 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | DLL Side-Loading1 | Virtualization/Sandbox Evasion31 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection312 | NTDS | Virtualization/Sandbox Evasion31 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol1 | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | Application Window Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information13 | Cached Domain Credentials | File and Directory Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing13 | DCSync | System Information Discovery12 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Timestomp1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
          Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | DLL Side-Loading1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

          Behavior Graph

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet

          Screenshots


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          20014464370.PDF.exe | 29% | Virustotal |
          20014464370.PDF.exe | 15% | ReversingLabs | ByteCode-MSIL.Downloader.Seraph

          Dropped Files

          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Local\Temp\RegAsm.exe | 0% | Virustotal |
          C:\Users\user\AppData\Local\Temp\RegAsm.exe | 0% | Metadefender |
          C:\Users\user\AppData\Local\Temp\RegAsm.exe | 0% | ReversingLabs |
          C:\Users\user\AppData\Local\lkjhgfs.exe | 15% | ReversingLabs | ByteCode-MSIL.Downloader.Seraph

          Unpacked PE Files

          Source | Detection | Scanner | Label
          12.2.RegAsm.exe.4f80000.22.unpack | 100% | Avira | TR/NanoCore.fadte
          23.0.RegAsm.exe.400000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
          23.2.RegAsm.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
          23.0.RegAsm.exe.400000.3.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
          12.0.RegAsm.exe.400000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
          12.2.RegAsm.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
          12.0.RegAsm.exe.400000.3.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

          Domains

          No Antivirus matches

          URLs

          Source | Detection | Scanner | Label
          startedhere.ddns.net | 9% | Virustotal |
          startedhere.ddns.net | 0% | Avira URL Cloud | safe
          23.105.131.142 | 5% | Virustotal |
          23.105.131.142 | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

          No contacted domains info

          Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          startedhere.ddns.net | true | Virustotal: 9%; Avira URL Cloud: safe | unknown
          23.105.131.142 | true | Virustotal: 5%; Avira URL Cloud: safe | unknown

          URLs from Memory and Binaries

          Name | Source | Malicious | Antivirus Detection | Reputation
          http://us1.unwiredlabs.com/v2/process.php | lkjhgfs.exe, AAAstarupxxzzzgb.exe, 20014464370.PDF.exe | false | - | high
          http://us1.unwiredlabs.com/v2/process.php?application/json; | RegAsm.exe, 0000000C.00000002.509338103.0000000006C1C000.00000004.00000001.sdmp, AAAstarupxxzzzgb.exe.12.dr | false | - | high

              Contacted IPs


              Public

              IP | Domain | Country | ASN | ASN Name | Malicious
              23.105.131.142 | unknown | United States | 396362 | LEASEWEB-USA-NYC-11US | true

              General Information

              Joe Sandbox Version: 32.0.0 Black Diamond
              Analysis ID: 432418
              Start date: 10.06.2021
              Start time: 10:16:15
              Joe Sandbox Product: CloudBasic
              Overall analysis duration: 0h 12m 48s
              Hypervisor based Inspection enabled: false
              Report type: light
              Sample file name: 20014464370.PDF.exe
              Cookbook file name: default.jbs
              Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
              Number of new started processes analysed: 25
              Number of new started drivers analysed: 0
              Number of existing processes analysed: 0
              Number of existing drivers analysed: 0
              Number of injected processes analysed: 0
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode: default
              Analysis stop reason: Timeout
              Detection: MAL
              Classification: mal100.troj.evad.winEXE@9/10@0/1
              EGA Information: Failed
              HDC Information:
              • Successful, ratio: 0.3% (good quality ratio 0.2%)
              • Quality average: 62.6%
              • Quality standard deviation: 26.5%
              HCA Information:
              • Successful, ratio: 91%
              • Number of executed functions: 0
              • Number of non-executed functions: 0
              Cookbook Comments:
              • Adjust boot time
              • Enable AMSI
              • Found application associated with file extension: .exe
              Warnings:
              • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
              • TCP Packets have been reduced to 100
              • Not all processes were analyzed; the report is missing behavior information
              • Report creation exceeded maximum time and may have missing disassembly code information.
              • Report size exceeded maximum capacity and may have missing behavior information.
              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtProtectVirtualMemory calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.

              Simulations

              Behavior and APIs

              Time | Type | Description
              10:17:58 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run lkjhgfs "C:\Users\user\AppData\Local\lkjhgfs.exe"
              10:18:07 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run lkjhgfs "C:\Users\user\AppData\Local\lkjhgfs.exe"

              Joe Sandbox View / Context

              IPs

              Match | Associated Sample Name / URL | Detection
              23.105.131.142 | DHL#DOCUMENTS001010.PDF.exe | malicious
              23.105.131.142 | RFQ27559404D4E5A.PDF.exe | malicious
              23.105.131.142 | RFQ#21040590409448.pdf.exe | malicious
              23.105.131.142 | DHL#DOCUMENTS02010910.PDF.exe | malicious
              23.105.131.142 | QOUTATION#2300003590.PDF.exe | malicious
              23.105.131.142 | ORDER#INQUIRY000111.PDF.exe | malicious
              23.105.131.142 | RFQ#QQO2103060.PDF.exe | malicious
              23.105.131.142 | RFQ#QQO2103060.PDF.exe | malicious
              23.105.131.142 | AWBSHIPMENT20210000900.PDF.exe | malicious
              23.105.131.142 | Order#PPO040963RG02.PDF.exe | malicious
              23.105.131.142 | iOI0kJwm97.exe | malicious

                                    Domains

                                    No context

                                    ASN

                                    Match | Associated Sample Name / URL | Detection | Context
                                    LEASEWEB-USA-NYC-11US | DHL#DOCUMENTS001010.PDF.exe | malicious | 23.105.131.142
                                    LEASEWEB-USA-NYC-11US | 2lt24JqVH4.exe | malicious | 23.105.131.207
                                    LEASEWEB-USA-NYC-11US | RFQ27559404D4E5A.PDF.exe | malicious | 23.105.131.142
                                    LEASEWEB-USA-NYC-11US | XVIdVNjoHl.exe | malicious | 23.105.131.173
                                    LEASEWEB-USA-NYC-11US | cKWxEAbeX7.exe | malicious | 23.105.131.251
                                    LEASEWEB-USA-NYC-11US | apWkH5Vq75.exe | malicious | 23.105.131.141
                                    LEASEWEB-USA-NYC-11US | RFQ#21040590409448.pdf.exe | malicious | 23.105.131.142
                                    LEASEWEB-USA-NYC-11US | Urgent Contract Order GH7856648,pdf.exe | malicious | 23.105.131.132
                                    LEASEWEB-USA-NYC-11US | DHL#DOCUMENTS02010910.PDF.exe | malicious | 23.105.131.142
                                    LEASEWEB-USA-NYC-11US | QOUTATION#2300003590.PDF.exe | malicious | 23.105.131.142
                                    LEASEWEB-USA-NYC-11US | Purchase Order.exe | malicious | 23.105.131.158
                                    LEASEWEB-USA-NYC-11US | Scanned Documents.exe | malicious | 23.105.131.158
                                    LEASEWEB-USA-NYC-11US | ORDER#INQUIRY000111.PDF.exe | malicious | 23.105.131.142
                                    LEASEWEB-USA-NYC-11US | URGENT ORDER 2T6U545267,pdf.exe | malicious | 23.105.131.132
                                    LEASEWEB-USA-NYC-11US | 9849858 PO.exe | malicious | 23.105.131.166
                                    LEASEWEB-USA-NYC-11US | Yeni sipari_ WJO-001, pdf.exe | malicious | 23.105.131.132
                                    LEASEWEB-USA-NYC-11US | 061195d6_by_Libranalysis.exe | malicious | 23.105.131.158
                                    LEASEWEB-USA-NYC-11US | URGENT ORDER 2T6U545267,pdf.exe | malicious | 23.105.131.132
                                    LEASEWEB-USA-NYC-11US | ORDER QUOTE CBM787563788265542,pdf.exe | malicious | 23.105.131.132
                                    LEASEWEB-USA-NYC-11US | PO ____-34002174,pdf.exe | malicious | 23.105.131.141

                                    JA3 Fingerprints

                                    No context

                                    Dropped Files

                                    Match | Associated Sample Name / URL | Detection
                                    C:\Users\user\AppData\Local\Temp\RegAsm.exe | aXgdOUvL9L.exe | malicious
                                    C:\Users\user\AppData\Local\Temp\RegAsm.exe | DHL#DOCUMENTS001010.PDF.exe | malicious
                                    C:\Users\user\AppData\Local\Temp\RegAsm.exe | kyIfnzzg3E.exe | malicious
                                    C:\Users\user\AppData\Local\Temp\RegAsm.exe | flyZab7hHk.exe | malicious
                                    C:\Users\user\AppData\Local\Temp\RegAsm.exe | AedJpyQ9lM.exe | malicious
                                    C:\Users\user\AppData\Local\Temp\RegAsm.exe | UPDATED SOA.exe | malicious
                                    C:\Users\user\AppData\Local\Temp\RegAsm.exe | qdFDmi3Bhy.exe | malicious
                                    C:\Users\user\AppData\Local\Temp\RegAsm.exe | RFQ27559404D4E5A.PDF.exe | malicious
                                    C:\Users\user\AppData\Local\Temp\RegAsm.exe | Receiptn.exe | malicious
                                    C:\Users\user\AppData\Local\Temp\RegAsm.exe | PURCHASE LIST.exe | malicious
                                    C:\Users\user\AppData\Local\Temp\RegAsm.exe | SecuriteInfo.com.Trojan.PackedNET.783.10804.exe | malicious
                                    C:\Users\user\AppData\Local\Temp\RegAsm.exe | Y6k2VgaGck.exe | malicious
                                    C:\Users\user\AppData\Local\Temp\RegAsm.exe | Bank swift.exe | malicious
                                    C:\Users\user\AppData\Local\Temp\RegAsm.exe | tT1XWdxOYv.exe | malicious
                                    C:\Users\user\AppData\Local\Temp\RegAsm.exe | 363IN050790620 BOOKING.exe | malicious
                                    C:\Users\user\AppData\Local\Temp\RegAsm.exe | New Order.exe | malicious
                                    C:\Users\user\AppData\Local\Temp\RegAsm.exe | RFQ#21040590409448.pdf.exe | malicious
                                    C:\Users\user\AppData\Local\Temp\RegAsm.exe | DHL#DOCUMENTS02010910.PDF.exe | malicious
                                    C:\Users\user\AppData\Local\Temp\RegAsm.exe | QOUTATION#2300003590.PDF.exe | malicious
                                    C:\Users\user\AppData\Local\Temp\RegAsm.exe | 1p037oXV3S.exe | malicious

                                                                            Created / dropped Files

                                                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\20014464370.PDF.exe.log
                                                                            Process: C:\Users\user\Desktop\20014464370.PDF.exe
                                                                            File Type: ASCII text, with CRLF line terminators
                                                                            Category: modified
                                                                            Size (bytes): 425
                                                                            Entropy (8bit): 5.340009400190196
                                                                            Encrypted: false
                                                                            SSDEEP: 12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:ML9E4Ks2wKDE4KhK3VZ9pKhk
                                                                            MD5: CC144808DBAF00E03294347EADC8E779
                                                                            SHA1: A3434FC71BA82B7512C813840427C687ADDB5AEA
                                                                            SHA-256: 3FC7B9771439E777A8F8B8579DD499F3EB90859AD30EFD8A765F341403FC7101
                                                                            SHA-512: A4F9EB98200BCAF388F89AABAF7EA57661473687265597B13192C24F06638C6339A3BD581DF4E002F26EE1BA09410F6A2BBDB4DA0CD40B59D63A09BAA1AADD3D
                                                                            Malicious: true
                                                                            Reputation: moderate, very likely benign file
                                                                            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..
                                                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lkjhgfs.exe.log
                                                                            Process: C:\Users\user\AppData\Local\lkjhgfs.exe
                                                                            File Type: ASCII text, with CRLF line terminators
                                                                            Category: dropped
                                                                            Size (bytes): 425
                                                                            Entropy (8bit): 5.340009400190196
                                                                            Encrypted: false
                                                                            SSDEEP: 12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:ML9E4Ks2wKDE4KhK3VZ9pKhk
                                                                            MD5: CC144808DBAF00E03294347EADC8E779
                                                                            SHA1: A3434FC71BA82B7512C813840427C687ADDB5AEA
                                                                            SHA-256: 3FC7B9771439E777A8F8B8579DD499F3EB90859AD30EFD8A765F341403FC7101
                                                                            SHA-512: A4F9EB98200BCAF388F89AABAF7EA57661473687265597B13192C24F06638C6339A3BD581DF4E002F26EE1BA09410F6A2BBDB4DA0CD40B59D63A09BAA1AADD3D
                                                                            Malicious: false
                                                                            Reputation: moderate, very likely benign file
                                                                            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..
                                                                            C:\Users\user\AppData\Local\Temp\AAAstarupxxzzzgb.exe
                                                                            Process: C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                            File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                            Category: dropped
                                                                            Size (bytes): 555384
                                                                            Entropy (8bit): 7.863587847620472
                                                                            Encrypted: false
                                                                            SSDEEP: 12288:hnn0UORILclLBvmhcdL/4tWKG1Gu7iTQezjBwEHZ2TG:t0TILcUcN/4tc1Gu7KzuEHZ2y
                                                                            MD5: C7330A70647D84A218BBE2E6D245DCE3
                                                                            SHA1: 91BB54E5B469BE1429216537721CBAF88FCBFD29
                                                                            SHA-256: 437A44B0CBC1CDEA568E82DFBDB6A08B34C4C478FEF392F53C9D3E86BC785B44
                                                                            SHA-512: AA741C300346B004535629F3901366F6C65E4A05AC43BC915306FC6A6793FF68CC1F458074D95B5B10BCFE04E37D9BFBB8ABBABEC710EAFD8A3AD1E93034A6E5
                                                                            Malicious: true
                                                                            Yara Hits:
                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\Users\user\AppData\Local\Temp\AAAstarupxxzzzgb.exe, Author: Joe Security
                                                                            Reputation: low
                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....cQ...............0..*...*.......I... ........@.. ....................................@..................................H..O....`...'...........V..x#...........H............................................... ............... ..H............text...4)... ...*.................. ..`.rsrc....'...`...(...,..............@..@.reloc...............T..............@..B.................I......H.......\,..d............*..p............................................(....*..(....(...........s....o......}....*.0..F.......(....r...po.....s.......o....(.....o....o........,..o......,..o......*...........0..........*:.......~....*.......*..0..'..........+. ....(......Y..-.s....o.....{....*..{....*"..}....*..{....*"..}....*>..(......(....*..{....*"..}....*..{....*"..}....*>..(......(....*..0..b........s......s.....r9..p.o.........(....(....r]..p.o.........(....(.....(....
                                                                            C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                            Process: C:\Users\user\Desktop\20014464370.PDF.exe
                                                                            File Type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                            Category: dropped
                                                                            Size (bytes): 64616
                                                                            Entropy (8bit): 6.037264560032456
                                                                            Encrypted: false
                                                                            SSDEEP: 768:J8XcJiMjm2ieHlPyCsSuJbn8dBhFVBSMQ6Iq8TSYDKpgLaDViRLNdr:9YMaNylPYSAb8dBnTHv8DKKaDVkX
                                                                            MD5: 6FD7592411112729BF6B1F2F6C34899F
                                                                            SHA1: 5E5C839726D6A43C478AB0B95DBF52136679F5EA
                                                                            SHA-256: FFE4480CCC81B061F725C54587E9D1BA96547D27FE28083305D75796F2EB3E74
                                                                            SHA-512: 21EFCC9DEE3960F1A64C6D8A44871742558666BB792D77ACE91236C7DBF42A6CA77086918F363C4391D9C00904C55A952E2C18BE5FA1A67A509827BFC630070D
                                                                            Malicious: true
                                                                            Antivirus:
                                                                            • Antivirus: Virustotal, Detection: 0%
                                                                            • Antivirus: Metadefender, Detection: 0%
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Joe Sandbox View:
                                                                            • Filename: aXgdOUvL9L.exe, Detection: malicious
                                                                            • Filename: DHL#DOCUMENTS001010.PDF.exe, Detection: malicious
                                                                            • Filename: kyIfnzzg3E.exe, Detection: malicious
                                                                            • Filename: flyZab7hHk.exe, Detection: malicious
                                                                            • Filename: AedJpyQ9lM.exe, Detection: malicious
                                                                            • Filename: UPDATED SOA.exe, Detection: malicious
                                                                            • Filename: qdFDmi3Bhy.exe, Detection: malicious
                                                                            • Filename: RFQ27559404D4E5A.PDF.exe, Detection: malicious
                                                                            • Filename: Receiptn.exe, Detection: malicious
                                                                            • Filename: PURCHASE LIST.exe, Detection: malicious
                                                                            • Filename: SecuriteInfo.com.Trojan.PackedNET.783.10804.exe, Detection: malicious
                                                                            • Filename: Y6k2VgaGck.exe, Detection: malicious
                                                                            • Filename: Bank swift.exe, Detection: malicious
                                                                            • Filename: tT1XWdxOYv.exe, Detection: malicious
                                                                            • Filename: 363IN050790620 BOOKING.exe, Detection: malicious
                                                                            • Filename: New Order.exe, Detection: malicious
                                                                            • Filename: RFQ#21040590409448.pdf.exe, Detection: malicious
                                                                            • Filename: DHL#DOCUMENTS02010910.PDF.exe, Detection: malicious
                                                                            • Filename: QOUTATION#2300003590.PDF.exe, Detection: malicious
                                                                            • Filename: 1p037oXV3S.exe, Detection: malicious
                                                                            Reputation: moderate, very likely benign file
                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...xX.Z..............0.............^.... ........@.. ....................... ............`.....................................O.......8...............h>........................................................... ............... ..H............text...d.... ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B................@.......H........A...p..........T................................................~P...-.r...p.....(....(....s.....P...*..0.."........(......-.r...p.rI..p(....s....z.*...0..........(....~P.....o......*..(....*n(.....(..........%...(....*~(.....(..........%...%...(....*.(.....(..........%...%...%...(....*V.(......}Q.....}R...*..{Q...*..{R...*...0...........(.......i.=...}S......i.@...}T......i.@...}U.....+m...(....o .....r]..p.o!...,..{T.......{U........o"....+(.ra..p.o!...,..{T.......
                                                                            C:\Users\user\AppData\Local\lkjhgfs.exe
                                                                            Process: C:\Users\user\Desktop\20014464370.PDF.exe
                                                                            File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                            Category: dropped
                                                                            Size (bytes): 675888
                                                                            Entropy (8bit): 7.810992682624759
                                                                            Encrypted: false
                                                                            SSDEEP: 12288:Xd4tWKG1Gu7iTQezjBwIw77rMNksUCT/jVOf/kx9gjEe8F3G:Xd4tc1Gu7KzuIw77fCT/jVssrgjXMG
                                                                            MD5: CAC542CD84BE91EA0ACFB9CD1964397D
                                                                            SHA1: 339D543A12E1F849BFE14A71C4A05106380548AB
                                                                            SHA-256: 49C28C9AB46C71450929FFC850DC411CF24F125659CC253F0EE5FB16A59E3F7F
                                                                            SHA-512: 4EF0EAC7564794439EB4642DFF1A5861D44382918C7B334EAF99B791B0F848E428E9609E2C1A3DC965E7E66FD64A72590C6D3AA3CE1C1FF36188E4F083E8231F
                                                                            Malicious: true
                                                                            Yara Hits:
                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\Users\user\AppData\Local\lkjhgfs.exe, Author: Joe Security
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 15%
                                                                            Reputation: low
                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....G.`.................D..........~b... ........@.. ....................................@.................................0b..K.................... ..00...`....................................................... ............... ..H............text....B... ...D.................. ..`.rsrc................F..............@..@.reloc.......`......................@..B................`b......H........A..x/..........<q...............................................0..N.......8=...8C...8....(....8....8....8....(....8....8....8.....:....8.....:....8....*...*..&~.......*...~....*..0..........8U.......E........8....~....r...pr...po....8....~....rS..prs..po....8....s.....:....&8E...s.....:O...&8....8/...89...s.....:C...&8....~....r...pr...po....8....s.........8....*8.........8....8......... ....~}...:2...&8(...8g........8.....0..H..........9....8....&:....8....8....&8.
                                                                            C:\Users\user\AppData\Local\lkjhgfs.exe:Zone.Identifier
                                                                            Process: C:\Users\user\Desktop\20014464370.PDF.exe
                                                                            File Type: ASCII text, with CRLF line terminators
                                                                            Category: dropped
                                                                            Size (bytes): 26
                                                                            Entropy (8bit): 3.95006375643621
                                                                            Encrypted: false
                                                                            SSDEEP: 3:ggPYV:rPYV
                                                                            MD5: 187F488E27DB4AF347237FE461A079AD
                                                                            SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                            SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                            SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                            Malicious: true
                                                                            Reputation: high, very likely benign file
                                                                            Preview: [ZoneTransfer]....ZoneId=0
                                                                            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                                                            Process: C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                            File Type: data
                                                                            Category: dropped
                                                                            Size (bytes): 232
                                                                            Entropy (8bit): 7.024371743172393
                                                                            Encrypted: false
                                                                            SSDEEP: 6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
                                                                            MD5: 32D0AAE13696FF7F8AF33B2D22451028
                                                                            SHA1: EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
                                                                            SHA-256: 5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
                                                                            SHA-512: 1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
                                                                            Malicious: false
                                                                            Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.
                                                                            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                                                            Process: C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                            File Type: data
                                                                            Category: dropped
                                                                            Size (bytes): 8
                                                                            Entropy (8bit): 2.75
                                                                            Encrypted: false
                                                                            SSDEEP: 3:Gktn:P
                                                                            MD5: 1D19602EA24916F09701CCCB05905182
                                                                            SHA1: 3D5926272B97E33D9F7F0FF44FB09DEEF7209B55
                                                                            SHA-256: 7BEB1EE881354A985031267FBC99B9D238AF7A2C40ACEAD51B5608880A18646C
                                                                            SHA-512: 39D29AF3B6FF772E6CB9A7D9354B93F4CED2E65A6BD2F2BC1A5CE7567C869A2773A0D1750A65DD72227DDA642831C62FFD6719EE34EF7787E2114581E2B8AC46
                                                                            Malicious: true
                                                                            Preview: ..H.3,.H
                                                                            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                                                                            Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):40
                                                                            Entropy (8bit):5.153055907333276
                                                                            Encrypted:false
                                                                            SSDEEP:3:9bzY6oRDT6P2bfVn1:RzWDT621
                                                                            MD5:4E5E92E2369688041CC82EF9650EDED2
                                                                            SHA1:15E44F2F3194EE232B44E9684163B6F66472C862
                                                                            SHA-256:F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
                                                                            SHA-512:1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
                                                                            Malicious:false
                                                                            Preview: 9iH...}Z.4..f.~a........~.~.......3.U.
                                                                            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                                                                            Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):327432
                                                                            Entropy (8bit):7.99938831605763
                                                                            Encrypted:true
                                                                            SSDEEP:6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
                                                                            MD5:7E8F4A764B981D5B82D1CC49D341E9C6
                                                                            SHA1:D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
                                                                            SHA-256:0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
                                                                            SHA-512:880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
                                                                            Malicious:false
                                                                            Preview: pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.)*.....{B.[...y%.*..i.Q.<..xt.X..H.. ..HF7g...I.*3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^*I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.|i4...i...;O...n.?.,. ....v?.5}.OY@.dG|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`|.B....3.....I..o...u1..8i=.z.W..7

                                                                            Static File Info

                                                                            General

                                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                            Entropy (8bit):7.810992682624759
                                                                            TrID:
                                                                            • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                                            • Win32 Executable (generic) a (10002005/4) 49.97%
                                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                                            • DOS Executable Generic (2002/1) 0.01%
                                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                            File name:20014464370.PDF.exe
                                                                            File size:675888
                                                                            MD5:cac542cd84be91ea0acfb9cd1964397d
                                                                            SHA1:339d543a12e1f849bfe14a71c4a05106380548ab
                                                                            SHA256:49c28c9ab46c71450929ffc850dc411cf24f125659cc253f0ee5fb16a59e3f7f
                                                                            SHA512:4ef0eac7564794439eb4642dff1a5861d44382918c7b334eaf99b791b0f848e428e9609e2c1a3dc965e7e66fd64a72590c6d3aa3ce1c1ff36188e4f083e8231f
                                                                            SSDEEP:12288:Xd4tWKG1Gu7iTQezjBwIw77rMNksUCT/jVOf/kx9gjEe8F3G:Xd4tc1Gu7KzuIw77fCT/jVssrgjXMG
                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....G.`.................D..........~b... ........@.. ....................................@................................

                                                                            File Icon

                                                                            Icon Hash:e0c4a694a4c6e470

                                                                            Static PE Info

                                                                            General

                                                                            Entrypoint:0x48627e
                                                                            Entrypoint Section:.text
                                                                            Digitally signed:true
                                                                            Imagebase:0x400000
                                                                            Subsystem:windows gui
                                                                            Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                                                            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                            Time Stamp:0x60C1470F [Wed Jun 9 22:56:15 2021 UTC]
                                                                            TLS Callbacks:
                                                                            CLR (.Net) Version:v4.0.30319
                                                                            OS Version Major:4
                                                                            OS Version Minor:0
                                                                            File Version Major:4
                                                                            File Version Minor:0
                                                                            Subsystem Version Major:4
                                                                            Subsystem Version Minor:0
                                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                            Authenticode Signature

                                                                            Signature Valid:false
                                                                            Signature Issuer:CN=GlobalSign CodeSigning CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE
                                                                            Signature Validation Error:The digital signature of the object did not verify
                                                                            Error Number:-2146869232
                                                                            Not Before:8/25/2020 6:42:07 AM
                                                                            Not After:8/26/2023 6:42:07 AM
                                                                            Subject Chain
                                                                            • CN=win.rar GmbH, O=win.rar GmbH, L=Berlin, S=Berlin, C=DE
                                                                            Version:3
                                                                            Thumbprint MD5:185DBD4A2E2671589EEB3E7E1920EA9F
                                                                            Thumbprint SHA-1:B3DF816A17A25557316D181DDB9F46254D6D8CA0
                                                                            Thumbprint SHA-256:66DB1C86D38273627C837F4638122FA88BBFFFF31C4052115B98CAF6CE0C631E
                                                                            Serial:731D40AE3F3A1FB2BC3D8395

                                                                            Entrypoint Preview

                                                                            Instruction
                                                                            jmp dword ptr [00402000h]
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al

                                                                            Data Directories

                                                                            Name | Virtual Address | Virtual Size | Is in Section
                                                                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x86230 | 0x4b | .text
                                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x88000 | 0x1d6b8 | .rsrc
                                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0xa2000 | 0x3030 | .rsrc
                                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa6000 | 0xc | .reloc
                                                                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                                            Sections

                                                                            Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                            .text | 0x2000 | 0x84284 | 0x84400 | False | 0.982798469991 | data | 7.98698784379 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                            .rsrc | 0x88000 | 0x1d6b8 | 0x1d800 | False | 0.311788268008 | data | 6.0595283491 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                            .reloc | 0xa6000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                            Resources

                                                                            Name | RVA | Size | Type | Language | Country
                                                                            RT_ICON | 0x88220 | 0x468 | GLS_BINARY_LSB_FIRST | |
                                                                            RT_ICON | 0x88688 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | |
                                                                            RT_ICON | 0x89730 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | |
                                                                            RT_ICON | 0x8bcd8 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | |
                                                                            RT_ICON | 0x8ff00 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | |
                                                                            RT_ICON | 0xa0728 | 0x49d5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
                                                                            RT_GROUP_ICON | 0xa5100 | 0x5a | data | |
                                                                            RT_VERSION | 0xa515c | 0x3a8 | data | |
                                                                            RT_MANIFEST | 0xa5504 | 0x1b4 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators | |

                                                                            Imports

                                                                            DLL | Import
                                                                            mscoree.dll | _CorExeMain

                                                                            Version Infos

                                                                            Description | Data
                                                                            Translation | 0x0000 0x04b0
                                                                            LegalCopyright | Copyright Opera Software 2021
                                                                            Assembly Version | 75.0.3969.171
                                                                            InternalName | aanjkcxzs.exe
                                                                            FileVersion | 75.0.3969.171
                                                                            CompanyName | Opera Software
                                                                            LegalTrademarks |
                                                                            Comments | Opera Installer
                                                                            ProductName | Opera Installer
                                                                            ProductVersion | 75.0.3969.171
                                                                            FileDescription | Opera Installer
                                                                            OriginalFilename | aanjkcxzs.exe

                                                                            Network Behavior

                                                                            Snort IDS Alerts

                                                                            Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                                            06/10/21-10:18:03.249452 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49730 | 2092 | 192.168.2.5 | 23.105.131.142

                                                                            Network Port Distribution

                                                                            TCP Packets

                                                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                            Jun 10, 2021 10:18:02.873836994 CEST | 49730 | 2092 | 192.168.2.5 | 23.105.131.142
                                                                            Jun 10, 2021 10:18:03.210462093 CEST | 2092 | 49730 | 23.105.131.142 | 192.168.2.5
                                                                            Jun 10, 2021 10:18:03.210633039 CEST | 49730 | 2092 | 192.168.2.5 | 23.105.131.142
                                                                            Jun 10, 2021 10:18:03.249452114 CEST | 49730 | 2092 | 192.168.2.5 | 23.105.131.142
                                                                            Jun 10, 2021 10:18:03.611850023 CEST | 2092 | 49730 | 23.105.131.142 | 192.168.2.5
                                                                            Jun 10, 2021 10:18:03.620333910 CEST | 49730 | 2092 | 192.168.2.5 | 23.105.131.142
                                                                            Jun 10, 2021 10:18:03.954127073 CEST | 2092 | 49730 | 23.105.131.142 | 192.168.2.5
                                                                            Jun 10, 2021 10:18:03.954245090 CEST | 49730 | 2092 | 192.168.2.5 | 23.105.131.142
                                                                            Jun 10, 2021 10:18:04.335350990 CEST | 2092 | 49730 | 23.105.131.142 | 192.168.2.5
                                                                            Jun 10, 2021 10:18:04.335542917 CEST | 49730 | 2092 | 192.168.2.5 | 23.105.131.142
                                                                            Jun 10, 2021 10:18:04.705265045 CEST | 2092 | 49730 | 23.105.131.142 | 192.168.2.5
                                                                            Jun 10, 2021 10:18:04.746774912 CEST | 2092 | 49730 | 23.105.131.142 | 192.168.2.5
                                                                            Jun 10, 2021 10:18:04.747026920 CEST | 2092 | 49730 | 23.105.131.142 | 192.168.2.5
                                                                            Jun 10, 2021 10:18:04.747104883 CEST | 49730 | 2092 | 192.168.2.5 | 23.105.131.142
                                                                            Jun 10, 2021 10:18:04.747215986 CEST | 2092 | 49730 | 23.105.131.142 | 192.168.2.5
                                                                            Jun 10, 2021 10:18:04.748337984 CEST | 2092 | 49730 | 23.105.131.142 | 192.168.2.5
                                                                            Jun 10, 2021 10:18:04.748613119 CEST | 2092 | 49730 | 23.105.131.142 | 192.168.2.5
                                                                            Jun 10, 2021 10:18:04.748691082 CEST | 49730 | 2092 | 192.168.2.5 | 23.105.131.142
                                                                            Jun 10, 2021 10:18:04.748976946 CEST | 2092 | 49730 | 23.105.131.142 | 192.168.2.5
                                                                            Jun 10, 2021 10:18:04.749048948 CEST | 49730 | 2092 | 192.168.2.5 | 23.105.131.142
                                                                            Jun 10, 2021 10:18:04.749278069 CEST | 2092 | 49730 | 23.105.131.142 | 192.168.2.5
                                                                            Jun 10, 2021 10:18:04.750730991 CEST | 2092 | 49730 | 23.105.131.142 | 192.168.2.5
                                                                            Jun 10, 2021 10:18:04.753504992 CEST | 49730 | 2092 | 192.168.2.5 | 23.105.131.142
                                                                            Jun 10, 2021 10:18:04.759282112 CEST | 2092 | 49730 | 23.105.131.142 | 192.168.2.5
                                                                            Jun 10, 2021 10:18:04.759372950 CEST | 2092 | 49730 | 23.105.131.142 | 192.168.2.5
                                                                            Jun 10, 2021 10:18:04.759480953 CEST | 49730 | 2092 | 192.168.2.5 | 23.105.131.142
                                                                            Jun 10, 2021 10:18:05.080476999 CEST | 2092 | 49730 | 23.105.131.142 | 192.168.2.5
                                                                            Jun 10, 2021 10:18:05.080559015 CEST | 2092 | 49730 | 23.105.131.142 | 192.168.2.5
                                                                            Jun 10, 2021 10:18:05.080682039 CEST | 49730 | 2092 | 192.168.2.5 | 23.105.131.142
                                                                            Jun 10, 2021 10:18:05.081765890 CEST | 2092 | 49730 | 23.105.131.142 | 192.168.2.5
                                                                            Jun 10, 2021 10:18:05.082453966 CEST | 2092 | 49730 | 23.105.131.142 | 192.168.2.5
                                                                            Jun 10, 2021 10:18:05.082557917 CEST | 2092 | 49730 | 23.105.131.142 | 192.168.2.5
                                                                            Jun 10, 2021 10:18:05.082568884 CEST | 49730 | 2092 | 192.168.2.5 | 23.105.131.142
                                                                            Jun 10, 2021 10:18:05.082607985 CEST | 49730 | 2092 | 192.168.2.5 | 23.105.131.142
                                                                            Jun 10, 2021 10:18:05.091182947 CEST | 2092 | 49730 | 23.105.131.142 | 192.168.2.5
                                                                            Jun 10, 2021 10:18:05.091233969 CEST20924973023.105.131.142192.168.2.5
                                                                            Jun 10, 2021 10:18:05.091301918 CEST497302092192.168.2.523.105.131.142
                                                                            Jun 10, 2021 10:18:05.092722893 CEST20924973023.105.131.142192.168.2.5
                                                                            Jun 10, 2021 10:18:05.092801094 CEST497302092192.168.2.523.105.131.142
                                                                            Jun 10, 2021 10:18:05.093509912 CEST20924973023.105.131.142192.168.2.5
                                                                            Jun 10, 2021 10:18:05.093682051 CEST20924973023.105.131.142192.168.2.5
                                                                            Jun 10, 2021 10:18:05.094142914 CEST20924973023.105.131.142192.168.2.5
                                                                            Jun 10, 2021 10:18:05.094249964 CEST497302092192.168.2.523.105.131.142
                                                                            Jun 10, 2021 10:18:05.095736980 CEST20924973023.105.131.142192.168.2.5
                                                                            Jun 10, 2021 10:18:05.095803022 CEST20924973023.105.131.142192.168.2.5
                                                                            Jun 10, 2021 10:18:05.095871925 CEST497302092192.168.2.523.105.131.142
                                                                            Jun 10, 2021 10:18:05.100080967 CEST20924973023.105.131.142192.168.2.5
                                                                            Jun 10, 2021 10:18:05.100142956 CEST497302092192.168.2.523.105.131.142
                                                                            Jun 10, 2021 10:18:05.100230932 CEST20924973023.105.131.142192.168.2.5
                                                                            Jun 10, 2021 10:18:05.101262093 CEST20924973023.105.131.142192.168.2.5
                                                                            Jun 10, 2021 10:18:05.101339102 CEST497302092192.168.2.523.105.131.142
                                                                            Jun 10, 2021 10:18:05.101361036 CEST20924973023.105.131.142192.168.2.5
                                                                            Jun 10, 2021 10:18:05.102252007 CEST20924973023.105.131.142192.168.2.5
                                                                            Jun 10, 2021 10:18:05.103344917 CEST497302092192.168.2.523.105.131.142
                                                                            Jun 10, 2021 10:18:05.103605032 CEST20924973023.105.131.142192.168.2.5
                                                                            Jun 10, 2021 10:18:05.103715897 CEST20924973023.105.131.142192.168.2.5
                                                                            Jun 10, 2021 10:18:05.106913090 CEST497302092192.168.2.523.105.131.142
                                                                            Jun 10, 2021 10:18:05.415034056 CEST20924973023.105.131.142192.168.2.5
                                                                            Jun 10, 2021 10:18:05.415072918 CEST20924973023.105.131.142192.168.2.5
                                                                            Jun 10, 2021 10:18:05.415211916 CEST497302092192.168.2.523.105.131.142
                                                                            Jun 10, 2021 10:18:05.415307999 CEST20924973023.105.131.142192.168.2.5
                                                                            Jun 10, 2021 10:18:05.416018009 CEST20924973023.105.131.142192.168.2.5
                                                                            Jun 10, 2021 10:18:05.416240931 CEST20924973023.105.131.142192.168.2.5
                                                                            Jun 10, 2021 10:18:05.416315079 CEST497302092192.168.2.523.105.131.142
                                                                            Jun 10, 2021 10:18:05.417304039 CEST20924973023.105.131.142192.168.2.5
                                                                            Jun 10, 2021 10:18:05.417346001 CEST20924973023.105.131.142192.168.2.5
                                                                            Jun 10, 2021 10:18:05.417391062 CEST497302092192.168.2.523.105.131.142
                                                                            Jun 10, 2021 10:18:05.418348074 CEST20924973023.105.131.142192.168.2.5
                                                                            Jun 10, 2021 10:18:05.418431997 CEST20924973023.105.131.142192.168.2.5
                                                                            Jun 10, 2021 10:18:05.418441057 CEST497302092192.168.2.523.105.131.142
                                                                            Jun 10, 2021 10:18:05.424108982 CEST20924973023.105.131.142192.168.2.5
                                                                            Jun 10, 2021 10:18:05.424321890 CEST20924973023.105.131.142192.168.2.5
                                                                            Jun 10, 2021 10:18:05.424415112 CEST497302092192.168.2.523.105.131.142
                                                                            Jun 10, 2021 10:18:05.425390005 CEST20924973023.105.131.142192.168.2.5
                                                                            Jun 10, 2021 10:18:05.425471067 CEST20924973023.105.131.142192.168.2.5
                                                                            Jun 10, 2021 10:18:05.425487041 CEST497302092192.168.2.523.105.131.142
                                                                            Jun 10, 2021 10:18:05.426213026 CEST20924973023.105.131.142192.168.2.5
                                                                            Jun 10, 2021 10:18:05.426328897 CEST20924973023.105.131.142192.168.2.5
                                                                            Jun 10, 2021 10:18:05.426389933 CEST497302092192.168.2.523.105.131.142
                                                                            Jun 10, 2021 10:18:05.434371948 CEST20924973023.105.131.142192.168.2.5
                                                                            Jun 10, 2021 10:18:05.434484005 CEST497302092192.168.2.523.105.131.142
                                                                            Jun 10, 2021 10:18:05.434561014 CEST20924973023.105.131.142192.168.2.5
                                                                            Jun 10, 2021 10:18:05.434912920 CEST20924973023.105.131.142192.168.2.5
                                                                            Jun 10, 2021 10:18:05.434984922 CEST497302092192.168.2.523.105.131.142
                                                                            Jun 10, 2021 10:18:05.435215950 CEST20924973023.105.131.142192.168.2.5
                                                                            Jun 10, 2021 10:18:05.436058998 CEST20924973023.105.131.142192.168.2.5
                                                                            Jun 10, 2021 10:18:05.436130047 CEST497302092192.168.2.523.105.131.142
                                                                            Jun 10, 2021 10:18:05.436326981 CEST20924973023.105.131.142192.168.2.5
                                                                            Jun 10, 2021 10:18:05.437478065 CEST20924973023.105.131.142192.168.2.5
                                                                            Jun 10, 2021 10:18:05.437808990 CEST497302092192.168.2.523.105.131.142
                                                                            Jun 10, 2021 10:18:05.442033052 CEST20924973023.105.131.142192.168.2.5
                                                                            Jun 10, 2021 10:18:05.442343950 CEST20924973023.105.131.142192.168.2.5
                                                                            Jun 10, 2021 10:18:05.442424059 CEST497302092192.168.2.523.105.131.142
                                                                            Jun 10, 2021 10:18:05.443315983 CEST20924973023.105.131.142192.168.2.5
                                                                            Jun 10, 2021 10:18:05.444051981 CEST20924973023.105.131.142192.168.2.5
                                                                            Jun 10, 2021 10:18:05.444195986 CEST20924973023.105.131.142192.168.2.5
                                                                            Jun 10, 2021 10:18:05.444247961 CEST497302092192.168.2.523.105.131.142
                                                                            Jun 10, 2021 10:18:05.445084095 CEST20924973023.105.131.142192.168.2.5
                                                                            Jun 10, 2021 10:18:05.445138931 CEST497302092192.168.2.523.105.131.142
                                                                            Jun 10, 2021 10:18:05.445239067 CEST20924973023.105.131.142192.168.2.5

                                                                            Code Manipulations

                                                                            Statistics

                                                                            Behavior

                                                                            System Behavior

                                                                            General

                                                                            Start time:10:17:01
                                                                            Start date:10/06/2021
                                                                            Path:C:\Users\user\Desktop\20014464370.PDF.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:'C:\Users\user\Desktop\20014464370.PDF.exe'
                                                                            Imagebase:0xe10000
                                                                            File size:675888 bytes
                                                                            MD5 hash:CAC542CD84BE91EA0ACFB9CD1964397D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:.Net C# or VB.NET
                                                                            Yara matches:
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.342623985.00000000041FC000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.342623985.00000000041FC000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.342623985.00000000041FC000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000001.00000002.341859487.0000000003161000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000001.00000000.218918618.0000000000E12000.00000002.00020000.sdmp, Author: Joe Security
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.342734107.00000000042DD000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.342734107.00000000042DD000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.342734107.00000000042DD000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000001.00000002.341051840.0000000000E12000.00000002.00020000.sdmp, Author: Joe Security
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.342922605.000000000437C000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.342922605.000000000437C000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.342922605.000000000437C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            Reputation:low

                                                                            General

                                                                            Start time:10:17:58
                                                                            Start date:10/06/2021
                                                                            Path:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Users\user\AppData\Local\Temp\RegAsm.exe gyujnbgh
                                                                            Imagebase:0x440000
                                                                            File size:64616 bytes
                                                                            MD5 hash:6FD7592411112729BF6B1F2F6C34899F
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:.Net C# or VB.NET
                                                                            Yara matches:
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.508404585.0000000005220000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.508404585.0000000005220000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.509028437.0000000006560000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.509028437.0000000006560000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.508963267.0000000006520000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.508963267.0000000006520000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.508342634.00000000051F0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.508342634.00000000051F0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.508356430.0000000005200000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.508356430.0000000005200000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.508139093.0000000004F80000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.508139093.0000000004F80000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.508139093.0000000004F80000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000000.340662970.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000000.340662970.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 0000000C.00000000.340662970.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.498724882.0000000002731000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.498724882.0000000002731000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000000.339849220.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000000.339849220.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 0000000C.00000000.339849220.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.508978041.0000000006530000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.508978041.0000000006530000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.508467673.0000000005250000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.508467673.0000000005250000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.504714336.000000000432F000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.504714336.000000000432F000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.508108370.0000000004F70000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.508108370.0000000004F70000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.509043380.0000000006570000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.509043380.0000000006570000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.503817122.0000000003FFE000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.503817122.0000000003FFE000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.508990820.0000000006540000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.508990820.0000000006540000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.503247081.0000000003731000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.503247081.0000000003731000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.508451814.0000000005240000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.508451814.0000000005240000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000C.00000002.509338103.0000000006C1C000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.493405932.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.493405932.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.493405932.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.508629806.0000000005C10000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.508629806.0000000005C10000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.504360558.00000000041CE000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.504360558.00000000041CE000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.509088108.00000000065B0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.509088108.00000000065B0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.504504197.0000000004244000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            Antivirus matches:
                                                                            • Detection: 0%, Virustotal
                                                                            • Detection: 0%, Metadefender
                                                                            • Detection: 0%, ReversingLabs
                                                                            Reputation:high

                                                                            General

                                                                            Start time:10:18:07
                                                                            Start date:10/06/2021
                                                                            Path:C:\Users\user\AppData\Local\lkjhgfs.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:'C:\Users\user\AppData\Local\lkjhgfs.exe'
                                                                            Imagebase:0x7b0000
                                                                            File size:675888 bytes
                                                                            MD5 hash:CAC542CD84BE91EA0ACFB9CD1964397D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:.Net C# or VB.NET
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000F.00000000.359197318.00000000007B2000.00000002.00020000.sdmp, Author: Joe Security
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.489565052.0000000003E8E000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.489565052.0000000003E8E000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.489565052.0000000003E8E000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.486837759.0000000002C00000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.486837759.0000000002C00000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000F.00000002.486775398.0000000002BB1000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000F.00000002.485697797.00000000007B2000.00000002.00020000.sdmp, Author: Joe Security
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.487979449.0000000003D0E000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.487979449.0000000003D0E000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.487979449.0000000003D0E000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.488625589.0000000003DEF000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.488625589.0000000003DEF000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.488625589.0000000003DEF000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\Users\user\AppData\Local\lkjhgfs.exe, Author: Joe Security
                                                                            Antivirus matches:
                                                                            • Detection: 15%, ReversingLabs
                                                                            Reputation:low

                                                                            General

                                                                            Start time:10:18:15
                                                                            Start date:10/06/2021
                                                                            Path:C:\Users\user\AppData\Local\lkjhgfs.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:'C:\Users\user\AppData\Local\lkjhgfs.exe'
                                                                            Imagebase:0x540000
                                                                            File size:675888 bytes
                                                                            MD5 hash:CAC542CD84BE91EA0ACFB9CD1964397D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:.Net C# or VB.NET
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000011.00000000.377243556.0000000000542000.00000002.00020000.sdmp, Author: Joe Security
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000002.499016642.00000000029A0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: NanoCore, Description: unknown, Source: 00000011.00000002.499016642.00000000029A0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000002.504178420.0000000003C2E000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.504178420.0000000003C2E000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 00000011.00000002.504178420.0000000003C2E000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000011.00000002.493302996.0000000000542000.00000002.00020000.sdmp, Author: Joe Security
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000002.504008398.0000000003B8F000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.504008398.0000000003B8F000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 00000011.00000002.504008398.0000000003B8F000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000011.00000002.498841834.0000000002951000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000002.503763443.0000000003AAE000.00000004.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.503763443.0000000003AAE000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 00000011.00000002.503763443.0000000003AAE000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            Reputation:low

                                                                            General

                                                                            Start time:10:18:51
                                                                            Start date:10/06/2021
                                                                            Path:C:\Users\user\AppData\Local\Temp\AAAstarupxxzzzgb.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:'C:\Users\user\AppData\Local\Temp\AAAstarupxxzzzgb.exe'
                                                                            Imagebase:0x50000
                                                                            File size:555384 bytes
                                                                            MD5 hash:C7330A70647D84A218BBE2E6D245DCE3
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:.Net C# or VB.NET
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000016.00000002.497639798.0000000002441000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000016.00000002.493379288.0000000000052000.00000002.00020000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000016.00000000.453300542.0000000000052000.00000002.00020000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\Users\user\AppData\Local\Temp\AAAstarupxxzzzgb.exe, Author: Joe Security
                                                                            Reputation:low

                                                                            General

                                                                            Start time:10:19:05
                                                                            Start date:10/06/2021
                                                                            Path:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Users\user\AppData\Local\Temp\RegAsm.exe gyujnbgh
                                                                            Imagebase:0xa40000
                                                                            File size:64616 bytes
                                                                            MD5 hash:6FD7592411112729BF6B1F2F6C34899F
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:.Net C# or VB.NET
                                                                            Yara matches:
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000017.00000000.484413891.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000000.484413891.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 00000017.00000000.484413891.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000002.498671862.0000000002DA1000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 00000017.00000002.498671862.0000000002DA1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000017.00000002.493387609.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000002.493387609.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 00000017.00000002.493387609.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000002.498968741.0000000003DA9000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 00000017.00000002.498968741.0000000003DA9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000017.00000000.485173449.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000000.485173449.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: NanoCore, Description: unknown, Source: 00000017.00000000.485173449.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                            Reputation:high

                                                                            Disassembly

                                                                            Code Analysis

                                                                            Reset < >