
Windows Analysis Report SHIPPING DOCS(CI,COO,BL,PL).exe

Overview

General Information

Sample Name:SHIPPING DOCS(CI,COO,BL,PL).exe
Analysis ID:451700
MD5:a614ffba80a73c65f65d075be87886bd
SHA1:9647d8a46aeff64a1fcfdf5f238c3396f07357ec
SHA256:e715b8999667ede59ec874c6f190278b068ce7d8c81a6f5a0137e4767976b801

Detection

Nanocore GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Nanocore Rat
Found malware configuration
GuLoader behavior detected
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected GuLoader
Yara detected Nanocore RAT
C2 URLs / IPs found in malware configuration
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • SHIPPING DOCS(CI,COO,BL,PL).exe (PID: 5592 cmdline: 'C:\Users\user\Desktop\SHIPPING DOCS(CI,COO,BL,PL).exe' MD5: A614FFBA80A73C65F65D075BE87886BD)
    • RegAsm.exe (PID: 7080 cmdline: 'C:\Users\user\Desktop\SHIPPING DOCS(CI,COO,BL,PL).exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
      • conhost.exe (PID: 7088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6276 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp9759.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • RegAsm.exe (PID: 6292 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 0 MD5: 529695608EAFBED00ACA9E61EF333A7C)
    • conhost.exe (PID: 6660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • MONUMENTALIZE.exe (PID: 6744 cmdline: 'C:\Users\user\Filelike\MONUMENTALIZE.exe' MD5: A614FFBA80A73C65F65D075BE87886BD)
    • RegAsm.exe (PID: 6088 cmdline: 'C:\Users\user\Filelike\MONUMENTALIZE.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
    • RegAsm.exe (PID: 6084 cmdline: 'C:\Users\user\Filelike\MONUMENTALIZE.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
      • conhost.exe (PID: 3448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • MONUMENTALIZE.exe (PID: 6780 cmdline: 'C:\Users\user\Filelike\MONUMENTALIZE.exe' MD5: A614FFBA80A73C65F65D075BE87886BD)
    • RegAsm.exe (PID: 4456 cmdline: 'C:\Users\user\Filelike\MONUMENTALIZE.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
      • conhost.exe (PID: 1488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
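Two things in the process tree are worth turning into detections. First, RegAsm.exe (a signed .NET Framework utility) is started with the command line of the dropper, 'C:\Users\user\Desktop\SHIPPING DOCS(CI,COO,BL,PL).exe', which is what a hollowed or injected host process looks like in process-creation telemetry; the same pattern repeats under MONUMENTALIZE.exe, which carries the same MD5 as the submitted sample and is therefore a copy of the dropper rather than a second payload. Second, schtasks.exe registers a task named 'DHCP Monitor' from an XML file in the user's Temp directory, and the injected RegAsm.exe then writes run.dat under AppData\Roaming\<GUID>\, the event the Sigma rule below fires on. The Python below is an added example, not part of the Joe Sandbox report; it runs those three checks over constructed Sysmon-style events that mirror the tree. The field names, the quoting style and the benign RegAsm.exe launch used as a control are assumptions.

```python
import ntpath
import re

# Constructed Sysmon-style events (EventID 1 = process create, 11 = file create)
# that mirror the process tree in this report. They are not the sandbox's raw
# logs; field names follow Sysmon's, and the last event is a made-up benign
# control (RegAsm.exe launched as itself by an installer).
EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\user\Desktop\SHIPPING DOCS(CI,COO,BL,PL).exe",
     "CommandLine": r'"C:\Users\user\Desktop\SHIPPING DOCS(CI,COO,BL,PL).exe"'},
    {"EventID": 1, "ParentImage": r"C:\Users\user\Desktop\SHIPPING DOCS(CI,COO,BL,PL).exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe",
     "CommandLine": r'"C:\Users\user\Desktop\SHIPPING DOCS(CI,COO,BL,PL).exe"'},
    {"EventID": 1, "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'"schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp9759.tmp"'},
    {"EventID": 11, "Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /codebase App.dll'},
]

# NanoCore drops its state file as <Roaming>\<GUID>\run.dat (see the Sigma hit).
GUID_RUN_DAT = re.compile(
    r"\\AppData\\Roaming\\[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\\run\.dat$", re.I)
# A task definition fed to schtasks from the user's Temp directory.
TEMP_XML = re.compile(r"""\\AppData\\Local\\Temp\\[^"']+""", re.I)


def first_token(cmdline: str) -> str:
    """Return the program path at the start of a command line, honouring quotes."""
    s = cmdline.strip()
    if s and s[0] in "\"'":
        end = s.find(s[0], 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def check_hollowing(ev):
    """Image on disk differs from the program the command line claims to be.

    This is the footprint of CreateProcess(SUSPENDED) + image replacement, as
    seen with RegAsm.exe above. Legitimate launchers that pass a custom
    lpCommandLine can trip it too, so treat it as a triage lead, not a verdict.
    """
    image = ntpath.basename(ev["Image"]).lower()
    claimed = ntpath.basename(first_token(ev["CommandLine"])).lower()
    if image != claimed:
        return f"image/command-line mismatch: {image} claims to be '{claimed}'"
    return None


def check_schtasks_xml(ev):
    """schtasks /create ... /xml <file under %LOCALAPPDATA%\\Temp>."""
    if ntpath.basename(ev["Image"]).lower() != "schtasks.exe":
        return None
    cl = ev["CommandLine"].lower()
    if "/create" in cl and "/xml" in cl and TEMP_XML.search(ev["CommandLine"]):
        return f"task registered from XML in user Temp: {ev['CommandLine']}"
    return None


def check_run_dat(ev):
    """File-create of run.dat inside a GUID-named folder under Roaming."""
    if GUID_RUN_DAT.search(ev["TargetFilename"]):
        return f"NanoCore-style run.dat written: {ev['TargetFilename']}"
    return None


def triage(events):
    """Return (check name, detail) pairs for every event that fires a check."""
    hits = []
    for ev in events:
        if ev["EventID"] == 1:
            for check in (check_hollowing, check_schtasks_xml):
                msg = check(ev)
                if msg:
                    hits.append((check.__name__, msg))
        elif ev["EventID"] == 11:
            msg = check_run_dat(ev)
            if msg:
                hits.append(("check_run_dat", msg))
    return hits


if __name__ == "__main__":
    for name, detail in triage(EVENTS):
        print(f"[{name}] {detail}")
```

On the constructed input the three malicious events fire one check each and the control launch of RegAsm.exe is silent. The mismatch check deliberately compares basenames only, because the dropper's own first event (image and command line both the Desktop path) must not fire.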

Malware Configuration

Threatname: NanoCore

{
  "Version": "1.2.2.0",
  "Mutex": "616df0e9-bb3e-45eb-ad73-6f3f0560",
  "Group": "A-OBICUBANA",
  "Domain1": "oba.hopto.org",
  "Domain2": "oba.hopto.org",
  "Port": 1606,
  "KeyboardLogging": "Enable",
  "RunOnStartup": "Disable",
  "RequestElevation": "Disable",
  "BypassUAC": "Enable",
  "ClearZoneIdentifier": "Enable",
  "ClearAccessControl": "Disable",
  "SetCriticalProcess": "Disable",
  "PreventSystemSleep": "Enable",
  "ActivateAwayMode": "Disable",
  "EnableDebugMode": "Disable",
  "RunDelay": 0,
  "ConnectDelay": 4000,
  "RestartDelay": 5000,
  "TimeoutInterval": 5000,
  "KeepAliveTimeout": 30000,
  "MutexTimeout": 5000,
  "LanTimeout": 2500,
  "WanTimeout": 8000,
  "BufferSize": "ffff0000",
  "MaxPacketSize": "0000a000",
  "GCThreshold": "0000a000",
  "UseCustomDNS": "Enable",
  "PrimaryDNSServer": "8.8.8.8",
  "BackupDNSServer": "8.8.4.4",
  "BypassUserAccountControlData": (Task Scheduler XML, decoded below)
}

BypassUserAccountControlData, decoded from the escaped string (the extractor's output ends at "</Task", without the closing ">"):

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo />
  <Triggers />
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>false</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
    <Priority>4</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>"#EXECUTABLEPATH"</Command>
      <Arguments>$(Arg0)</Arguments>
    </Exec>
  </Actions>
</Task

Threatname: GuLoader

{"Payload URL": "https://onedrive.live.com/download?c"}
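The NanoCore configuration is worth parsing rather than reading. The knobs a responder cares about are BypassUAC with its embedded Task Scheduler XML (RunLevel HighestAvailable on an interactive token, with a "#EXECUTABLEPATH" placeholder for the action, which lines up with the schtasks /xml registration in the process tree), ClearZoneIdentifier (the reason for the zone.identifier signature above), KeyboardLogging (the reason for the DirectInput and raw-input signatures), and UseCustomDNS, which sends resolution of the C2 names straight to 8.8.8.8/8.8.4.4 so the lookups for oba.hopto.org never appear in the internal resolver's logs. The Python below is an added example, not code from the report or from NanoCore. It takes the extracted JSON (trimmed here to the fields it uses, with the task XML quoted as the extractor printed it, including the missing ">" on the closing tag), parses the task definition with ElementTree, and returns the C2 endpoints plus the findings a triage note would carry. Treating the missing ">" as extractor truncation and repairing it is an assumption.

```python
import json
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed from the configuration the extractor printed in this report,
# trimmed to the fields used below. The task XML keeps the extractor's
# unterminated "</Task" ending on purpose.
CONFIG_JSON = r'''{"Version": "1.2.2.0", "Mutex": "616df0e9-bb3e-45eb-ad73-6f3f0560", "Group": "A-OBICUBANA", "Domain1": "oba.hopto.org", "Domain2": "oba.hopto.org", "Port": 1606, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <Hidden>false</Hidden>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}'''


def parse_task_xml(text: str) -> ET.Element:
    """Parse the embedded Task Scheduler XML.

    The declaration claims UTF-16, but json.loads has already handed us a str,
    so the declaration is dropped before ElementTree sees the text. The
    extractor also printed the document without the final '>' of </Task>;
    that is assumed to be truncation and repaired, but only if a plain parse
    fails, so a well-formed document is never touched.
    """
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", text).strip()
    try:
        return ET.fromstring(body)
    except ET.ParseError:
        if body.endswith("</Task"):
            return ET.fromstring(body + ">")
        raise


def task_summary(root: ET.Element) -> dict:
    """Pull the principal, visibility and action out of a Task element."""
    def text(path):
        node = root.find(path, TASK_NS)
        return node.text.strip() if node is not None and node.text else None
    return {
        "logon_type": text("t:Principals/t:Principal/t:LogonType"),
        "run_level": text("t:Principals/t:Principal/t:RunLevel"),
        "hidden": text("t:Settings/t:Hidden"),
        "command": text("t:Actions/t:Exec/t:Command"),
        "arguments": text("t:Actions/t:Exec/t:Arguments"),
    }


def analyze(config_json: str) -> dict:
    """Turn an extracted NanoCore config into C2 endpoints and triage findings."""
    cfg = json.loads(config_json)
    enabled = sorted(k for k, v in cfg.items() if v == "Enable")
    c2 = sorted({(cfg[k], cfg["Port"]) for k in ("Domain1", "Domain2") if cfg.get(k)})
    task = task_summary(parse_task_xml(cfg["BypassUserAccountControlData"]))

    findings = []
    if cfg.get("BypassUAC") == "Enable" and task["run_level"] == "HighestAvailable":
        findings.append("scheduled task asks for RunLevel HighestAvailable on the "
                        f"user's {task['logon_type']}; action is {task['command']}")
    if cfg.get("UseCustomDNS") == "Enable":
        findings.append("resolver bypass: C2 names resolved via "
                        f"{cfg['PrimaryDNSServer']}/{cfg['BackupDNSServer']}, not the local DNS")
    if cfg.get("ClearZoneIdentifier") == "Enable":
        findings.append("Zone.Identifier stream removed from dropped files (Mark-of-the-Web erased)")
    if cfg.get("KeyboardLogging") == "Enable":
        findings.append("keylogging enabled")

    return {"c2": c2, "mutex": cfg["Mutex"], "group": cfg["Group"],
            "enabled": enabled, "task": task, "findings": findings}


if __name__ == "__main__":
    result = analyze(CONFIG_JSON)
    print("C2:", result["c2"], "mutex:", result["mutex"])
    for f in result["findings"]:
        print(" -", f)
```

The mutex and the C2 tuple are the two values to push into host and network hunting respectively; the task summary tells you what to look for in the Task Scheduler event log (a task whose action is the RegAsm.exe path or the dropper copy, registered with the highest available run level).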

Yara Overview

Memory Dumps

Source: 00000025.00000002.829961719.000000001DEE1000.00000004.00000001.sdmp
  Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 00000025.00000002.829961719.000000001DEE1000.00000004.00000001.sdmp
  Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
  Strings:
  • 0x23a47:$a: NanoCore
  • 0x23aa0:$a: NanoCore
  • 0x23add:$a: NanoCore
  • 0x23b56:$a: NanoCore
  • 0x23aa9:$b: ClientPlugin
  • 0x23ae6:$b: ClientPlugin
  • 0x243e4:$b: ClientPlugin
  • 0x243f1:$b: ClientPlugin
  • 0x1b7bd:$e: KeepAlive
  • 0x23f31:$g: LogClientMessage
  • 0x23eb1:$i: get_Connected
  • 0x15a79:$j: #=q
  • 0x15aa9:$j: #=q
  • 0x15ae5:$j: #=q
  • 0x15b0d:$j: #=q
  • 0x15b3d:$j: #=q
  • 0x15b6d:$j: #=q
  • 0x15b9d:$j: #=q
  • 0x15bcd:$j: #=q
  • 0x15be9:$j: #=q
  • 0x15c19:$j: #=q
Source: 00000025.00000002.825302289.0000000001280000.00000004.00000001.sdmp
  Rule: JoeSecurity_GuLoader | Description: Yara detected GuLoader | Author: Joe Security
Source: 00000023.00000002.821184148.0000000000C60000.00000004.00000001.sdmp
  Rule: JoeSecurity_GuLoader | Description: Yara detected GuLoader | Author: Joe Security
Source: 00000023.00000002.825410372.000000001D831000.00000004.00000001.sdmp
  Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
(7 further entries not shown)

          Unpacked PEs

Source: 37.2.RegAsm.exe.1df03c68.2.raw.unpack
  Rule: Nanocore_RAT_Gen_2 | Description: Detects the Nanocore RAT | Author: Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
Source: 37.2.RegAsm.exe.1df03c68.2.raw.unpack
  Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
Source: 35.2.RegAsm.exe.1e879c8e.5.raw.unpack
  Rule: Nanocore_RAT_Gen_2 | Description: Detects the Nanocore RAT | Author: Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0x145e3:$x1: NanoCore.ClientPluginHost
  • 0x2d5cf:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
  • 0x14610:$x2: IClientNetworkHost
  • 0x2d5fc:$x2: IClientNetworkHost
Source: 35.2.RegAsm.exe.1e879c8e.5.raw.unpack
  Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x145e3:$x2: NanoCore.ClientPluginHost
  • 0x2d5cf:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0x156be:$s4: PipeCreated
  • 0x2e6aa:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
  • 0x145fd:$s5: IClientLoggingHost
  • 0x2d5e9:$s5: IClientLoggingHost
Source: 35.2.RegAsm.exe.1e879c8e.5.raw.unpack
  Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
(25 further entries not shown)

Sigma Overview

Sigma detected: NanoCore (reported under AV Detection, E-Banking Fraud, Stealing of Sensitive Information and Remote Access Functionality)
Source: File created. Author: Joe Security. Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, ProcessId: 7080, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: SHIPPING DOCS(CI,COO,BL,PL).exe, Malware Configuration Extractor: GuLoader {"Payload URL": "https://onedrive.live.com/download?c"}
Source: 00000025.00000002.829961719.000000001DEE1000.00000004.00000001.sdmp, Malware Configuration Extractor: NanoCore (full configuration listed under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\Filelike\MONUMENTALIZE.exe, ReversingLabs: Detection: 34%
Multi AV Scanner detection for submitted file
Source: SHIPPING DOCS(CI,COO,BL,PL).exe, VirusTotal: Detection: 29%
Source: SHIPPING DOCS(CI,COO,BL,PL).exe, ReversingLabs: Detection: 34%
Yara detected Nanocore RAT
Source: Yara match, file source: 35.2.RegAsm.exe.1e879c8e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 35.2.RegAsm.exe.1e8830ed.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 37.2.RegAsm.exe.1ef2eac4.4.unpack, type: UNPACKEDPE
Source: Yara match, file source: 35.2.RegAsm.exe.1e87eac4.4.unpack, type: UNPACKEDPE
Source: Yara match, file source: 37.2.RegAsm.exe.1ef2eac4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 35.2.RegAsm.exe.1e87eac4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 37.2.RegAsm.exe.1ef29c8e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 37.2.RegAsm.exe.1ef330ed.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000025.00000002.829961719.000000001DEE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000023.00000002.825410372.000000001D831000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000025.00000002.830033657.000000001EEE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000023.00000002.825519300.000000001E831000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: RegAsm.exe PID: 4456, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Users\user\Filelike\MONUMENTALIZE.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: SHIPPING DOCS(CI,COO,BL,PL).exe, Joe Sandbox ML: detected
Source: SHIPPING DOCS(CI,COO,BL,PL).exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Binary string: \??\C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbZ source: RegAsm.exe, 00000015.00000003.854547103.0000000000EC6000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: oba.hopto.org
Source: Malware configuration extractor, URLs: https://onedrive.live.com/download?c
Source: global traffic, TCP traffic: 192.168.2.3:49752 -> 185.244.30.240:1606
Source: Joe Sandbox View, ASN Name: DAVID_CRAIGGG DAVID_CRAIGGG
Source: unknown, DNS traffic detected: queries for: onedrive.live.com
Source: RegAsm.exe, 00000015.00000003.1140287287.0000000000EB9000.00000004.00000001.sdmp, String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: RegAsm.exe, 00000015.00000003.1140287287.0000000000EB9000.00000004.00000001.sdmp, String found in binary or memory: http://ocsp.digicert.com0:
Source: RegAsm.exe, 00000015.00000003.861033991.0000000000EB9000.00000004.00000001.sdmp, String found in binary or memory: http://ocsp.msocsp.com0
Source: RegAsm.exe, 00000023.00000002.821184148.0000000000C60000.00000004.00000001.sdmp, String found in binary or memory: https://onedrive.live.com/download?cid=A1934E1334067A24&resid=A1934E1334067A24%212090&authkey=AFqo8q
Source: SHIPPING DOCS(CI,COO,BL,PL).exe, 00000000.00000002.530945413.000000000072A000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: RegAsm.exe, 00000023.00000002.825410372.000000001D831000.00000004.00000001.sdmp, Binary or memory string: RegisterRawInputDevices
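The network side of this report gives two pivots: the TCP session 192.168.2.3:49752 -> 185.244.30.240:1606 (a non-standard port that matches the configured Port 1606) and a C2 name under the hopto.org dynamic-DNS zone. A third follows from the configuration rather than from captured traffic: with UseCustomDNS enabled the implant resolves through 8.8.8.8/8.8.4.4 directly, so a workstation talking DNS to a public resolver instead of the site's own is a signal on its own, independent of the domain. The Python below is an added example, not from the report; it applies those three rules to constructed Zeek-like records. Only the 185.244.30.240:1606 flow mirrors the report; the sanctioned resolver 10.0.0.53, the second host, the 443 flow and the dynamic-DNS suffix list are assumptions made for the example.

```python
import ipaddress

# Constructed records in a Zeek-like shape (not traffic captured in this
# report). Tab-separated fields: ts, orig_h, orig_p, resp_h, resp_p, proto,
# query ("-" when the record is not a DNS lookup). Only the flow to
# 185.244.30.240:1606 mirrors the report; the rest is made up.
CONN_LOG = """\
1623000001.1\t192.168.2.3\t51000\t10.0.0.53\t53\tudp\tonedrive.live.com
1623000002.2\t192.168.2.3\t51001\t8.8.8.8\t53\tudp\toba.hopto.org
1623000003.3\t192.168.2.3\t49752\t185.244.30.240\t1606\ttcp\t-
1623000004.4\t192.168.2.7\t52000\t10.0.0.53\t53\tudp\tupdates.example.net
1623000005.5\t192.168.2.7\t52001\t93.184.216.34\t443\ttcp\t-
"""

SANCTIONED_RESOLVERS = {"10.0.0.53"}           # assumption: the site's only DNS server
DYNDNS_SUFFIXES = (".hopto.org", ".ddns.net",  # small sample of dynamic-DNS zones
                   ".no-ip.org", ".duckdns.org")
KNOWN_C2 = {("185.244.30.240", 1606)}           # from this report's network section


def parse(log: str) -> list:
    """Parse the tab-separated records into dicts with typed fields."""
    rows = []
    for line in log.splitlines():
        ts, oh, op, rh, rp, proto, query = line.split("\t")
        rows.append({"ts": float(ts), "orig_h": oh, "orig_p": int(op),
                     "resp_h": rh, "resp_p": int(rp), "proto": proto,
                     "query": None if query == "-" else query})
    return rows


def hunt(rows: list) -> list:
    """Return (rule, source host, detail) for every record a rule matches."""
    hits = []
    for r in rows:
        # Rule 1: DNS sent past the sanctioned resolver to a public server.
        # Private but unlisted resolvers (home routers, VPN) are ignored to
        # keep the queue quiet; drop the is_private clause on a strictly
        # managed network.
        if (r["resp_p"] == 53 and r["resp_h"] not in SANCTIONED_RESOLVERS
                and not ipaddress.ip_address(r["resp_h"]).is_private):
            hits.append(("resolver-bypass", r["orig_h"],
                         f"DNS to {r['resp_h']} for {r['query']}"))
        # Rule 2: lookup of a name in a dynamic-DNS zone.
        if r["query"] and r["query"].lower().endswith(DYNDNS_SUFFIXES):
            hits.append(("dyndns-query", r["orig_h"], r["query"]))
        # Rule 3: connection to a C2 endpoint taken from the report.
        if (r["resp_h"], r["resp_p"]) in KNOWN_C2:
            hits.append(("known-c2", r["orig_h"],
                         f"{r['resp_h']}:{r['resp_p']}/{r['proto']}"))
    return hits


if __name__ == "__main__":
    for rule, host, detail in hunt(parse(CONN_LOG)):
        print(f"{host}\t{rule}\t{detail}")
```

Rule 1 is the durable one: the C2 address and the dynamic-DNS name will change between campaigns, but an implant that hard-codes public resolvers keeps producing direct port-53 traffic from a host that should only ever talk to 10.0.0.53.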

E-Banking Fraud:

Yara detected Nanocore RAT
Sources: the same thirteen Yara matches listed under AV Detection above.

System Summary:

Malicious sample detected (through community Yara rule)
Source: 37.2.RegAsm.exe.1df03c68.2.raw.unpack, type: UNPACKEDPE, matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 35.2.RegAsm.exe.1e879c8e.5.raw.unpack, type: UNPACKEDPE, matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 35.2.RegAsm.exe.1e879c8e.5.raw.unpack, type: UNPACKEDPE, matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 35.2.RegAsm.exe.1e8830ed.3.raw.unpack, type: UNPACKEDPE, matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 37.2.RegAsm.exe.1ef2eac4.4.unpack, type: UNPACKEDPE, matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 35.2.RegAsm.exe.1e87eac4.4.unpack, type: UNPACKEDPE, matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 37.2.RegAsm.exe.1ef2eac4.4.raw.unpack, type: UNPACKEDPE, matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 35.2.RegAsm.exe.1d853c68.2.raw.unpack, type: UNPACKEDPE, matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 35.2.RegAsm.exe.1e87eac4.4.raw.unpack, type: UNPACKEDPE, matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 37.2.RegAsm.exe.1ef29c8e.3.raw.unpack, type: UNPACKEDPE, matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 37.2.RegAsm.exe.1ef29c8e.3.raw.unpack, type: UNPACKEDPE, matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 37.2.RegAsm.exe.1ef330ed.5.raw.unpack, type: UNPACKEDPE, matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 00000025.00000002.829961719.000000001DEE1000.00000004.00000001.sdmp, type: MEMORY, matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000023.00000002.825410372.000000001D831000.00000004.00000001.sdmp, type: MEMORY, matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000025.00000002.830033657.000000001EEE1000.00000004.00000001.sdmp, type: MEMORY, matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000023.00000002.825519300.000000001E831000.00000004.00000001.sdmp, type: MEMORY, matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegAsm.exe PID: 4456, type: MEMORY, matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\SHIPPING DOCS(CI,COO,BL,PL).exe, Code functions:
  0_2_02AF62A3, 0_2_02AF069F, 0_2_02AF1691, 0_2_02AF72F5, 0_2_02AF563F, 0_2_02AF2A7F, 0_2_02AF4E71,
  0_2_02AF4645, 0_2_02AF5A43, 0_2_02AF6251, 0_2_02AF2B8E, 0_2_02AF6F88, 0_2_02AF4F9D, 0_2_02AF4FCC,
  0_2_02AF2BDC, 0_2_02AF77D9, 0_2_02AF3B1B, 0_2_02AF0B13, 0_2_02AF3368, 0_2_02AF1365, 0_2_02AF2B70,
  0_2_02AF3B43, 0_2_02AF0B55, 0_2_02AF5C85, 0_2_02AF6C83, 0_2_02AF7895, 0_2_02AF44FF, 0_2_02AF34F8,
  0_2_02AF14DF, 0_2_02AF2423, 0_2_02AF080F, 0_2_02AF146B, 0_2_02AF304F, 0_2_02AF544B, 0_2_02AF6453,
  0_2_02AF5187, 0_2_02AF5982, 0_2_02AF799F, 0_2_02AF11FD, 0_2_02AF65CE, 0_2_02AF5DD2, 0_2_02AF31D1,
  0_2_02AF7920, 0_2_02AF210E, 0_2_02AF7104, 0_2_02AF5112, 0_2_02AF4167, 0_2_02AF1174, 0_2_02AF6558
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 30_2_053D01B7
Source: C:\Users\user\Filelike\MONUMENTALIZE.exe, Code functions:
  32_2_02C152D3, 32_2_02C152D9, 32_2_02C166E6, 32_2_02C10AF3, 32_2_02C10EF5, 32_2_02C10AFB, 32_2_02C142FF,
  32_2_02C11694, 32_2_02C152A5, 32_2_02C162B5, 32_2_02C11E43, 32_2_02C1165F, 32_2_02C12A65, 32_2_02C15A6B,
  32_2_02C14607, 32_2_02C17615, 32_2_02C1562F, 32_2_02C1463A, 32_2_02C13FC2, 32_2_02C11FD5, 32_2_02C177D9,
  32_2_02C15F9B, 32_2_02C16F9B, 32_2_02C147B5, 32_2_02C157B4, 32_2_02C1675F, 32_2_02C13375, 32_2_02C15306,
  32_2_02C11B23, 32_2_02C170C2, 32_2_02C168E7, 32_2_02C14CF0, 32_2_02C144FF, 32_2_02C15C85, 32_2_02C14C93,
  32_2_02C16C9C, 32_2_02C164A3, 32_2_02C11C44, 32_2_02C16C48, 32_2_02C12451, 32_2_02C1685E, 32_2_02C11C6C,
  32_2_02C1547F, 32_2_02C11C15, 32_2_02C165CE, 32_2_02C131E7, 32_2_02C15DF7, 32_2_02C15DFC, 32_2_02C15981,
  32_2_02C15197, 32_2_02C1799F, 32_2_02C1514D, 32_2_02C10D68, 32_2_02C15568, 32_2_02C14171, 32_2_02C17D07,
  32_2_02C15113, 32_2_02C1792B
Source: C:\Users\user\Filelike\MONUMENTALIZE.exe, Code functions:
  33_2_02AA36A7, 33_2_02AA52A5, 33_2_02AA2A80, 33_2_02AA5AED, 33_2_02AA52DF
            Source: C:\Users\user\Filelike\MONUMENTALIZE.exeCode function: 33_2_02AA562F33_2_02AA562F
            Source: C:\Users\user\Filelike\MONUMENTALIZE.exeCode function: 33_2_02AA062533_2_02AA0625
            Source: C:\Users\user\Filelike\MONUMENTALIZE.exeCode function: 33_2_02AA066233_2_02AA0662
            Source: C:\Users\user\Filelike\MONUMENTALIZE.exeCode function: 33_2_02AA067033_2_02AA0670
            Source: C:\Users\user\Filelike\MONUMENTALIZE.exeCode function: 33_2_02AA3E4733_2_02AA3E47
            Source: C:\Users\user\Filelike\MONUMENTALIZE.exeCode function: 33_2_02AA1E4433_2_02AA1E44
            Source: C:\Users\user\Filelike\MONUMENTALIZE.exeCode function: 33_2_02AA5FA333_2_02AA5FA3
            Source: C:\Users\user\Filelike\MONUMENTALIZE.exeCode function: 33_2_02AA5FA533_2_02AA5FA5
            Source: C:\Users\user\Filelike\MONUMENTALIZE.exeCode function: 33_2_02AA3F9733_2_02AA3F97
            Source: C:\Users\user\Filelike\MONUMENTALIZE.exeCode function: 33_2_02AA1B2F33_2_02AA1B2F
            Source: C:\Users\user\Filelike\MONUMENTALIZE.exeCode function: 33_2_02AA3B1B33_2_02AA3B1B
            Source: C:\Users\user\Filelike\MONUMENTALIZE.exeCode function: 33_2_02AA531933_2_02AA5319
            Source: C:\Users\user\Filelike\MONUMENTALIZE.exeCode function: 33_2_02AA336833_2_02AA3368
            Source: C:\Users\user\Filelike\MONUMENTALIZE.exeCode function: 33_2_02AA436133_2_02AA4361
            Source: C:\Users\user\Filelike\MONUMENTALIZE.exeCode function: 33_2_02AA4B6733_2_02AA4B67
            Source: C:\Users\user\Filelike\MONUMENTALIZE.exeCode function: 33_2_02AA136533_2_02AA1365
            Source: C:\Users\user\Filelike\MONUMENTALIZE.exeCode function: 33_2_02AA5C8533_2_02AA5C85
            Source: C:\Users\user\Filelike\MONUMENTALIZE.exeCode function: 33_2_02AA6C9933_2_02AA6C99
            Source: C:\Users\user\Filelike\MONUMENTALIZE.exeCode function: 33_2_02AA549D33_2_02AA549D
            Source: C:\Users\user\Filelike\MONUMENTALIZE.exeCode function: 33_2_02AA749033_2_02AA7490
            Source: C:\Users\user\Filelike\MONUMENTALIZE.exeCode function: 33_2_02AA44FF33_2_02AA44FF
            Source: C:\Users\user\Filelike\MONUMENTALIZE.exeCode function: 33_2_02AA243F33_2_02AA243F
            Source: C:\Users\user\Filelike\MONUMENTALIZE.exeCode function: 33_2_02AA640333_2_02AA6403
            Source: C:\Users\user\Filelike\MONUMENTALIZE.exeCode function: 33_2_02AA1C1933_2_02AA1C19
            Source: C:\Users\user\Filelike\MONUMENTALIZE.exeCode function: 33_2_02AA1C7F33_2_02AA1C7F
            Source: C:\Users\user\Filelike\MONUMENTALIZE.exeCode function: 33_2_02AA645333_2_02AA6453
            Source: C:\Users\user\Filelike\MONUMENTALIZE.exeCode function: 33_2_02AA1C5033_2_02AA1C50
            Source: C:\Users\user\Filelike\MONUMENTALIZE.exeCode function: 33_2_02AA11AD33_2_02AA11AD
            Source: C:\Users\user\Filelike\MONUMENTALIZE.exeCode function: 33_2_02AA598333_2_02AA5983
            Source: C:\Users\user\Filelike\MONUMENTALIZE.exeCode function: 33_2_02AA518733_2_02AA5187
            Source: C:\Users\user\Filelike\MONUMENTALIZE.exeCode function: 33_2_02AA31E733_2_02AA31E7
            Source: C:\Users\user\Filelike\MONUMENTALIZE.exeCode function: 33_2_02AA65D333_2_02AA65D3
            Source: C:\Users\user\Filelike\MONUMENTALIZE.exeCode function: 33_2_02AA350333_2_02AA3503
            Source: C:\Users\user\Filelike\MONUMENTALIZE.exeCode function: 33_2_02AA655833_2_02AA6558
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 35_2_1F9623A035_2_1F9623A0
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 35_2_1F962FA835_2_1F962FA8
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 35_2_1F96385035_2_1F963850
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 35_2_1F96306F35_2_1F96306F
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 37_2_20082FA837_2_20082FA8
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 37_2_200823A037_2_200823A0
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 37_2_2008306F37_2_2008306F
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: String function: 00F1D617 appears 77 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: String function: 00F1E4DC appears 88 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: String function: 00F14A84 appears 77 times
            Source: SHIPPING DOCS(CI,COO,BL,PL).exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: MONUMENTALIZE.exe.21.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SHIPPING DOCS(CI,COO,BL,PL).exe, 00000000.00000002.530816433.0000000000438000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameradiomodtagningen.exe vs SHIPPING DOCS(CI,COO,BL,PL).exe
            Source: SHIPPING DOCS(CI,COO,BL,PL).exe, 00000000.00000002.531000085.00000000022B0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs SHIPPING DOCS(CI,COO,BL,PL).exe
            Source: SHIPPING DOCS(CI,COO,BL,PL).exe Binary or memory string: OriginalFilenameradiomodtagningen.exe vs SHIPPING DOCS(CI,COO,BL,PL).exe
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: sfc.dll
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: sfc.dll
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: sfc.dll
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: sfc.dll
            Source: SHIPPING DOCS(CI,COO,BL,PL).exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
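            The Static PE information line above lists the COFF Characteristics flags of the submitted file. The following Python is an added example, not part of the sandbox report and not Joe Sandbox code: it reads e_lfanew from the DOS header, checks the PE signature and decodes the Characteristics word of the COFF file header, so the flag set reported for a sample (here RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, which together are 0x010F) can be reproduced from the file on disk. The minimal header it builds for offline use is constructed for the example and is not derived from the sample.

```python
"""Decode COFF Characteristics flags from a PE header.

Added example; not part of the sandbox report. The bit names follow the
PE/COFF specification (IMAGE_FILE_* in winnt.h); only a subset is mapped.
"""
import struct

CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",      # no relocations: image must load at its ImageBase
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED",
    0x2000: "DLL",
}

# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes, little-endian)
COFF_HEADER = "<HHIIIHH"


def is_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def coff_header(data: bytes) -> dict:
    """Parse the COFF file header that directly follows the PE signature."""
    if not is_pe(data):
        raise ValueError("not a PE image")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    fields = struct.unpack_from(COFF_HEADER, data, e_lfanew + 4)
    names = ("machine", "number_of_sections", "time_date_stamp",
             "pointer_to_symbol_table", "number_of_symbols",
             "size_of_optional_header", "characteristics")
    return dict(zip(names, fields))


def decode_characteristics(value: int) -> list:
    """Names of the mapped flags set in a Characteristics word, lowest bit first."""
    return [name for bit, name in sorted(CHARACTERISTICS.items()) if value & bit]


def characteristics_of(data: bytes) -> list:
    """Flag names for a whole PE image in memory."""
    return decode_characteristics(coff_header(data)["characteristics"])


def build_min_pe(characteristics: int, machine: int = 0x014C) -> bytes:
    """Constructed minimal DOS header + PE signature + COFF header for offline
    testing. It is not a loadable image and is not taken from the sample."""
    dos = bytearray(b"MZ" + b"\0" * 62)        # 64-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)    # e_lfanew -> offset 0x40
    coff = struct.pack(COFF_HEADER, machine, 0, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    import sys
    # Pass a file path to decode a real binary; otherwise use the constructed header.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_min_pe(0x010F)
    print(", ".join(characteristics_of(blob)))
```

            RELOCS_STRIPPED is the flag worth noting during triage: an image without relocations cannot be rebased, so it is always mapped at its preferred ImageBase, which is consistent with the fixed in-process code addresses listed for the sample above.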
            Source: 37.2.RegAsm.exe.1df03c68.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 37.2.RegAsm.exe.1df03c68.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 35.2.RegAsm.exe.1e879c8e.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 35.2.RegAsm.exe.1e879c8e.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 35.2.RegAsm.exe.1e879c8e.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 35.2.RegAsm.exe.1e8830ed.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 35.2.RegAsm.exe.1e8830ed.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 37.2.RegAsm.exe.1ef2eac4.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 37.2.RegAsm.exe.1ef2eac4.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 35.2.RegAsm.exe.1e87eac4.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 35.2.RegAsm.exe.1e87eac4.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 37.2.RegAsm.exe.1ef2eac4.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 37.2.RegAsm.exe.1ef2eac4.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 35.2.RegAsm.exe.1d853c68.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 35.2.RegAsm.exe.1d853c68.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 35.2.RegAsm.exe.1e87eac4.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 35.2.RegAsm.exe.1e87eac4.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 37.2.RegAsm.exe.1ef29c8e.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 37.2.RegAsm.exe.1ef29c8e.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 37.2.RegAsm.exe.1ef29c8e.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 37.2.RegAsm.exe.1ef330ed.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 37.2.RegAsm.exe.1ef330ed.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 00000025.00000002.829961719.000000001DEE1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000023.00000002.825410372.000000001D831000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000025.00000002.830033657.000000001EEE1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = htt
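            The Yara section above is one line per artifact and rule, which is hard to read when the same rule fires on several unpacked regions of several processes. The following Python is an added example, not part of the report and not Joe Sandbox code: it parses lines in that format into records (rule name, rule metadata, artifact type and the artifact name split into process, phase and address) and groups the matched rules by process, so the NanoCore hits in the two RegAsm.exe processes (35 and 37) can be read at a glance. How the artifact names are split is an assumption inferred from the names on this page (for example 37.2.RegAsm.exe.1df03c68.2.raw.unpack as process 37, phase 2, RegAsm.exe, base 0x1df03c68, and the hex fields of the .sdmp names as process, phase and region address); the input lines are constructed for the example.

```python
"""Parse 'Matched rule' lines from a Joe Sandbox-style report and group the
Yara rules by process.

Added example; not part of the report. The artifact-name layout below is an
assumption taken from the names seen on this page:
  37.2.RegAsm.exe.1df03c68.2.raw.unpack
      -> process 37, phase 2, image RegAsm.exe, base 0x1df03c68
  00000025.00000002.829961719.000000001DEE1000.00000004.00000001.sdmp
      -> process 0x25 (37), phase 2, region 0x1DEE1000
"""
import re
from collections import defaultdict

# Constructed sample lines modelled on the report format (metadata abbreviated).
# The third line keeps the 'UNPACKEDPEMatched' spacing seen in extracted reports.
SAMPLE_LINES = """\
Source: 37.2.RegAsm.exe.1df03c68.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT
Source: 35.2.RegAsm.exe.1e879c8e.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan
Source: 00000025.00000002.829961719.000000001DEE1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>
Source: C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe Section loaded: sfc.dll
"""

# 'type:' may be followed by 'Matched rule:' with or without a space.
LINE_RE = re.compile(
    r"^Source:\s*(?P<source>.+?),\s*type:\s*(?P<type>[A-Z]+?)\s*Matched rule:\s*"
    r"(?P<rule>\S+)\s*(?P<meta>.*)$")
# 'key = value' pairs; a value runs until the next ', key =' or end of line.
META_RE = re.compile(r"(\w+)\s*=\s*(.*?)(?=,\s*\w+\s*=|$)")
UNPACK_RE = re.compile(
    r"^(?P<pid>\d+)\.(?P<phase>\d+)\.(?P<image>.+?)\.(?P<base>[0-9a-fA-F]+)"
    r"\.(?P<idx>\d+)\.(?:raw\.)?unpack$")
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.\d+\."
    r"(?P<addr>[0-9A-Fa-f]{16})\.[0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8}\.sdmp$")


def parse_source(name: str) -> dict:
    """Split an artifact name into process/phase/image/base (assumed layout)."""
    m = UNPACK_RE.match(name)
    if m:
        return {"kind": "unpack", "pid": int(m["pid"]), "phase": int(m["phase"]),
                "image": m["image"], "base": int(m["base"], 16)}
    m = SDMP_RE.match(name)
    if m:
        return {"kind": "sdmp", "pid": int(m["pid"], 16), "phase": int(m["phase"], 16),
                "image": None, "base": int(m["addr"], 16)}
    return {"kind": "other", "pid": None, "phase": None, "image": None, "base": None}


def parse_matches(text: str) -> list:
    """One record per 'Matched rule' line; other report lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        meta = {k: v.strip() for k, v in META_RE.findall(m["meta"])}
        records.append({"source": parse_source(m["source"]), "type": m["type"],
                        "rule": m["rule"], "meta": meta})
    return records


def rules_by_process(records: list) -> dict:
    """Map process id -> set of rule names that hit any artifact of that process."""
    out = defaultdict(set)
    for r in records:
        pid = r["source"]["pid"]
        if pid is not None:
            out[pid].add(r["rule"])
    return dict(out)


if __name__ == "__main__":
    recs = parse_matches(SAMPLE_LINES)
    for pid, rules in sorted(rules_by_process(recs).items()):
        print(f"process {pid}: {', '.join(sorted(rules))}")
```

            Grouping by process rather than by artifact is what matters for triage: the per-region lines differ only in dump address, and the question an analyst needs answered is which injected process carries the NanoCore payload, which here is every RegAsm.exe instance the loader spawned.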