Edit tour

Windows Analysis Report
APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

Overview

General Information

Sample Name:	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Analysis ID:	714049
MD5:	c5ca6bf1a4d668abae8a1bd58da7fa89
SHA1:	1fb0c57d1ea566b703be21a5dd2334166f5a918e
SHA256:	f360431bc55ce6bbbd77f26a9bcb86b6267c3b82220d06ee4c67b44be2273735
Tags:	exeNanoCoreRAT
Infos:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Yara detected AntiVM3

Detected Nanocore Rat

Sigma detected: Scheduled temp file as task from temp location

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Yara detected Nanocore RAT

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

.NET source code contains very large strings

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Creates processes with suspicious names

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe (PID: 3256 cmdline: "C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe" MD5: C5CA6BF1A4D668ABAE8A1BD58DA7FA89)

schtasks.exe (PID: 1592 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JLsbuY" /XML "C:\Users\user\AppData\Local\Temp\tmp8832.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 2188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe (PID: 4128 cmdline: {path} MD5: C5CA6BF1A4D668ABAE8A1BD58DA7FA89)

schtasks.exe (PID: 5176 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp690.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 2264 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpA4B.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe (PID: 3260 cmdline: "C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe" 0 MD5: C5CA6BF1A4D668ABAE8A1BD58DA7FA89)

schtasks.exe (PID: 3736 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JLsbuY" /XML "C:\Users\user\AppData\Local\Temp\tmp2889.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 4748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe (PID: 5000 cmdline: {path} MD5: C5CA6BF1A4D668ABAE8A1BD58DA7FA89)

dhcpmon.exe (PID: 1680 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0 MD5: C5CA6BF1A4D668ABAE8A1BD58DA7FA89)

schtasks.exe (PID: 920 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JLsbuY" /XML "C:\Users\user\AppData\Local\Temp\tmp2B48.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 2220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 1276 cmdline: {path} MD5: C5CA6BF1A4D668ABAE8A1BD58DA7FA89)

dhcpmon.exe (PID: 2068 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: C5CA6BF1A4D668ABAE8A1BD58DA7FA89)

schtasks.exe (PID: 5716 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JLsbuY" /XML "C:\Users\user\AppData\Local\Temp\tmp63CD.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 4616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 2760 cmdline: {path} MD5: C5CA6BF1A4D668ABAE8A1BD58DA7FA89)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "bcd7727e-ef56-4958-8ed9-949f5c5e", "Group": "Default", "Domain1": "godisgood1.hopto.org", "Domain2": "185.225.73.164", "Port": 7712, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.594571838.00000000072D0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
00000003.00000002.594571838.00000000072D0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
00000003.00000002.594571838.00000000072D0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1f1b2:$x2: NanoCore.ClientPlugin 0x1f1db:$x3: NanoCore.ClientPluginHost 0x1f1a3:$i3: IClientNetwork 0x1f1c8:$i6: IClientLoggingHost 0x1f1f5:$i7: IClientNetworkHost 0x1f208:$i8: IClientUIHost 0x1ef12:$s1: ClientPlugin 0x1f1bb:$s1: ClientPlugin
00000003.00000002.594571838.00000000072D0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1f1db:$a1: NanoCore.ClientPluginHost 0x1f1b2:$a2: NanoCore.ClientPlugin 0x24206:$b7: LogClientException 0x1f1c8:$b9: IClientLoggingHost
00000003.00000002.594469574.00000000072C0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
00000003.00000002.594469574.00000000072C0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
00000003.00000002.594469574.00000000072C0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x34e2:$x2: NanoCore.ClientPlugin 0x350b:$x3: NanoCore.ClientPluginHost 0x34d3:$i3: IClientNetwork 0x34f8:$i6: IClientLoggingHost 0x3525:$i7: IClientNetworkHost 0x334e:$s1: ClientPlugin 0x34eb:$s1: ClientPlugin
00000003.00000002.594469574.00000000072C0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x350b:$a1: NanoCore.ClientPluginHost 0x34e2:$a2: NanoCore.ClientPlugin 0x5854:$b7: LogClientException 0x34f8:$b9: IClientLoggingHost
00000003.00000002.593893494.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
00000003.00000002.593893494.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
00000003.00000002.593893494.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x227f:$x2: NanoCore.ClientPlugin 0x2205:$x3: NanoCore.ClientPluginHost 0x2295:$i3: IClientNetwork 0x221f:$i6: IClientLoggingHost 0x223e:$i7: IClientNetworkHost 0x1f9f:$s1: ClientPlugin 0x2288:$s1: ClientPlugin
00000003.00000002.593893494.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2205:$a1: NanoCore.ClientPluginHost 0x227f:$a2: NanoCore.ClientPlugin 0x29a0:$b7: LogClientException 0x221f:$b9: IClientLoggingHost
00000003.00000002.590737920.0000000005CC0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
00000003.00000002.590737920.0000000005CC0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
00000003.00000002.590737920.0000000005CC0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x4b96:$x2: NanoCore.ClientPlugin 0x4bbb:$x3: NanoCore.ClientPluginHost 0x4b87:$i3: IClientNetwork 0x4bac:$i4: IClientAppHost 0x4bd5:$i5: IClientDataHost 0x4be5:$i7: IClientNetworkHost 0x4bf8:$i9: IClientNameObjectCollection 0x4c1d:$i10: IClientReadOnlyNameObjectCollection 0x49ce:$s1: ClientPlugin 0x4b9f:$s1: ClientPlugin
00000003.00000002.590737920.0000000005CC0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4bbb:$a1: NanoCore.ClientPluginHost 0x4b96:$a2: NanoCore.ClientPlugin 0x8558:$b1: get_BuilderSettings 0x4bac:$b4: IClientAppHost
00000003.00000002.593817105.0000000006FE0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
00000003.00000002.593817105.0000000006FE0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
00000003.00000002.593817105.0000000006FE0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x13f2:$x2: NanoCore.ClientPlugin 0x13a8:$x3: NanoCore.ClientPluginHost 0x1408:$i3: IClientNetwork 0x13c2:$i6: IClientLoggingHost 0x1185:$s1: ClientPlugin 0x13fb:$s1: ClientPlugin
00000003.00000002.593817105.0000000006FE0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x13a8:$a1: NanoCore.ClientPluginHost 0x13f2:$a2: NanoCore.ClientPlugin 0x13c2:$b9: IClientLoggingHost
00000003.00000003.376885871.0000000006301000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x26b4:$a1: NanoCore.ClientPluginHost 0x268f:$a2: NanoCore.ClientPlugin 0x26a5:$b4: IClientAppHost 0x6b94:$b7: LogClientException 0x26de:$b9: IClientLoggingHost
00000011.00000002.500556457.0000000003E59000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000011.00000002.500556457.0000000003E59000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x435bd:$a: NanoCore 0x43616:$a: NanoCore 0x43653:$a: NanoCore 0x436cc:$a: NanoCore 0x56d77:$a: NanoCore 0x56d8c:$a: NanoCore 0x56dc1:$a: NanoCore 0x6fd63:$a: NanoCore 0x6fd78:$a: NanoCore 0x6fdad:$a: NanoCore 0x4361f:$b: ClientPlugin 0x4365c:$b: ClientPlugin 0x43f5a:$b: ClientPlugin 0x43f67:$b: ClientPlugin 0x56b33:$b: ClientPlugin 0x56b4e:$b: ClientPlugin 0x56b7e:$b: ClientPlugin 0x56d95:$b: ClientPlugin 0x56dca:$b: ClientPlugin 0x6fb1f:$b: ClientPlugin 0x6fb3a:$b: ClientPlugin
00000011.00000002.500556457.0000000003E59000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x43653:$a1: NanoCore.ClientPluginHost 0x56dc1:$a1: NanoCore.ClientPluginHost 0x6fdad:$a1: NanoCore.ClientPluginHost 0x43616:$a2: NanoCore.ClientPlugin 0x56d8c:$a2: NanoCore.ClientPlugin 0x6fd78:$a2: NanoCore.ClientPlugin 0x439ea:$b1: get_BuilderSettings 0x5bd07:$b1: get_BuilderSettings 0x74cf3:$b1: get_BuilderSettings 0x436a1:$b4: IClientAppHost 0x43a5b:$b6: AddHostEntry 0x43aca:$b7: LogClientException 0x5bc76:$b7: LogClientException 0x74c62:$b7: LogClientException 0x43a3f:$b8: PipeExists 0x4368e:$b9: IClientLoggingHost 0x56ddb:$b9: IClientLoggingHost 0x6fdc7:$b9: IClientLoggingHost
00000003.00000002.590108854.0000000005280000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000003.00000002.590108854.0000000005280000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000003.00000002.590108854.0000000005280000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000003.00000002.590108854.0000000005280000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
00000003.00000002.590108854.0000000005280000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost
00000003.00000002.594220234.00000000072A0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
00000003.00000002.594220234.00000000072A0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
00000003.00000002.594220234.00000000072A0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b70:$x2: NanoCore.ClientPlugin 0x5b99:$x3: NanoCore.ClientPluginHost 0x5b61:$i3: IClientNetwork 0x5b86:$i6: IClientLoggingHost 0x5bb3:$i7: IClientNetworkHost 0x59d4:$s1: ClientPlugin 0x5b79:$s1: ClientPlugin 0x5e84:$s2: EndPoint 0x5e8d:$s3: IPAddress 0x5e97:$s4: IPEndPoint
00000003.00000002.594220234.00000000072A0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b99:$a1: NanoCore.ClientPluginHost 0x5b70:$a2: NanoCore.ClientPlugin 0x5b86:$b9: IClientLoggingHost
00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xc7a3:$a: NanoCore 0xc7fc:$a: NanoCore 0xc82f:$a: NanoCore 0xca5b:$a: NanoCore 0xcad7:$a: NanoCore 0xd0f0:$a: NanoCore 0xd239:$a: NanoCore 0xd70d:$a: NanoCore 0xd9f4:$a: NanoCore 0xda0b:$a: NanoCore 0x168ef:$a: NanoCore 0x1696b:$a: NanoCore 0x1924e:$a: NanoCore 0x1da00:$a: NanoCore 0x1da4a:$a: NanoCore 0x1e6a4:$a: NanoCore 0x23ccd:$a: NanoCore 0x23d47:$a: NanoCore 0x2e31f:$a: NanoCore 0x2e409:$a: NanoCore 0x2f280:$a: NanoCore
00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xca5b:$a1: NanoCore.ClientPluginHost 0x168ef:$a1: NanoCore.ClientPluginHost 0x1da00:$a1: NanoCore.ClientPluginHost 0x23ccd:$a1: NanoCore.ClientPluginHost 0x2e31f:$a1: NanoCore.ClientPluginHost 0x3878f:$a1: NanoCore.ClientPluginHost 0x437b5:$a1: NanoCore.ClientPluginHost 0x4f59f:$a1: NanoCore.ClientPluginHost 0x5b35e:$a1: NanoCore.ClientPluginHost 0xcad7:$a2: NanoCore.ClientPlugin 0x1696b:$a2: NanoCore.ClientPlugin 0x1da4a:$a2: NanoCore.ClientPlugin 0x23d47:$a2: NanoCore.ClientPlugin 0x2e409:$a2: NanoCore.ClientPlugin 0x3882f:$a2: NanoCore.ClientPlugin 0x4378c:$a2: NanoCore.ClientPlugin 0x4f576:$a2: NanoCore.ClientPlugin 0x5b339:$a2: NanoCore.ClientPlugin 0x5b34f:$b4: IClientAppHost 0x174f4:$b7: LogClientException 0x24468:$b7: LogClientException
00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xb4197:$a: NanoCore 0xb41bc:$a: NanoCore 0xb4215:$a: NanoCore 0xc43b4:$a: NanoCore 0xc43da:$a: NanoCore 0xc4436:$a: NanoCore 0xd128d:$a: NanoCore 0xd12e6:$a: NanoCore 0xd1319:$a: NanoCore 0xd1545:$a: NanoCore 0xd15c1:$a: NanoCore 0xd1bda:$a: NanoCore 0xd1d23:$a: NanoCore 0xd21f7:$a: NanoCore 0xd24de:$a: NanoCore 0xd24f5:$a: NanoCore 0xdb399:$a: NanoCore 0xdb415:$a: NanoCore 0xddcf8:$a: NanoCore 0xe10aa:$a: NanoCore 0xe2466:$a: NanoCore
00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb41bc:$a1: NanoCore.ClientPluginHost 0xc43da:$a1: NanoCore.ClientPluginHost 0xd1545:$a1: NanoCore.ClientPluginHost 0xdb399:$a1: NanoCore.ClientPluginHost 0xe2466:$a1: NanoCore.ClientPluginHost 0xe86f1:$a1: NanoCore.ClientPluginHost 0xf2d02:$a1: NanoCore.ClientPluginHost 0xfd12f:$a1: NanoCore.ClientPluginHost 0x10810e:$a1: NanoCore.ClientPluginHost 0x113eb2:$a1: NanoCore.ClientPluginHost 0x138db8:$a1: NanoCore.ClientPluginHost 0x1481fa:$a1: NanoCore.ClientPluginHost 0x1514af:$a1: NanoCore.ClientPluginHost 0x164c1d:$a1: NanoCore.ClientPluginHost 0x172857:$a1: NanoCore.ClientPluginHost 0x182a73:$a1: NanoCore.ClientPluginHost 0x18fbdc:$a1: NanoCore.ClientPluginHost 0x1952cf:$a1: NanoCore.ClientPluginHost 0x19b558:$a1: NanoCore.ClientPluginHost 0x1a5b67:$a1: NanoCore.ClientPluginHost 0x1aff92:$a1: NanoCore.ClientPluginHost
00000011.00000002.497822993.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000011.00000002.497822993.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x69617:$a: NanoCore 0x69670:$a: NanoCore 0x696ad:$a: NanoCore 0x69726:$a: NanoCore 0x69679:$b: ClientPlugin 0x696b6:$b: ClientPlugin 0x69fb4:$b: ClientPlugin 0x69fc1:$b: ClientPlugin 0x5f795:$e: KeepAlive 0x69b01:$g: LogClientMessage 0x69a81:$i: get_Connected 0x59a4d:$j: #=q 0x59a7d:$j: #=q 0x59ab9:$j: #=q 0x59ae1:$j: #=q 0x59b11:$j: #=q 0x59b41:$j: #=q 0x59b71:$j: #=q 0x59ba1:$j: #=q 0x59bbd:$j: #=q 0x59bed:$j: #=q
00000011.00000002.497822993.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x696ad:$a1: NanoCore.ClientPluginHost 0x69670:$a2: NanoCore.ClientPlugin 0x5af87:$b1: get_BuilderSettings 0x69a44:$b1: get_BuilderSettings 0x696fb:$b4: IClientAppHost 0x69ab5:$b6: AddHostEntry 0x5aef6:$b7: LogClientException 0x69b24:$b7: LogClientException 0x69a99:$b8: PipeExists 0x696e8:$b9: IClientLoggingHost
00000003.00000002.584965011.0000000003CAE000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x557bf:$a: NanoCore 0x558a9:$a: NanoCore 0x56720:$a: NanoCore 0x5f8ca:$a: NanoCore 0x5f92b:$a: NanoCore 0x5f96e:$a: NanoCore 0x5f9ae:$a: NanoCore 0x5fbea:$a: NanoCore 0x5fc8a:$a: NanoCore 0x60462:$a: NanoCore 0x60a55:$a: NanoCore 0x60ba6:$a: NanoCore 0x61a00:$a: NanoCore 0x61c67:$a: NanoCore 0x61c7c:$a: NanoCore 0x61c9b:$a: NanoCore 0x6ab9e:$a: NanoCore 0x6abc7:$a: NanoCore 0x76940:$a: NanoCore 0x76969:$a: NanoCore 0x9b82c:$a: NanoCore
00000003.00000002.584965011.0000000003CAE000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x557bf:$a1: NanoCore.ClientPluginHost 0x5fbea:$a1: NanoCore.ClientPluginHost 0x6abc7:$a1: NanoCore.ClientPluginHost 0x76969:$a1: NanoCore.ClientPluginHost 0x9b86d:$a1: NanoCore.ClientPluginHost 0xaacad:$a1: NanoCore.ClientPluginHost 0x558a9:$a2: NanoCore.ClientPlugin 0x5fc8a:$a2: NanoCore.ClientPlugin 0x6ab9e:$a2: NanoCore.ClientPlugin 0x76940:$a2: NanoCore.ClientPlugin 0x9b844:$a2: NanoCore.ClientPlugin 0xaac88:$a2: NanoCore.ClientPlugin 0xaac9e:$b4: IClientAppHost 0x57102:$b7: LogClientException 0x609e0:$b7: LogClientException 0x78cb2:$b7: LogClientException 0xa0898:$b7: LogClientException 0xaf18d:$b7: LogClientException 0x56715:$b8: PipeExists 0x557d9:$b9: IClientLoggingHost 0x5fc04:$b9: IClientLoggingHost
00000003.00000002.590874533.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
00000003.00000002.590874533.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
00000003.00000002.590874533.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x8b7f:$x2: NanoCore.ClientPlugin 0x8ba5:$x3: NanoCore.ClientPluginHost 0x8b70:$i3: IClientNetwork 0x8b95:$i5: IClientDataHost 0x8bbf:$i6: IClientLoggingHost 0x8bd2:$i7: IClientNetworkHost 0x8be5:$i9: IClientNameObjectCollection 0x8902:$s1: ClientPlugin 0x8b88:$s1: ClientPlugin
00000003.00000002.590874533.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x8ba5:$a1: NanoCore.ClientPluginHost 0x8b7f:$a2: NanoCore.ClientPlugin 0x8bbf:$b9: IClientLoggingHost
00000003.00000002.593962047.0000000007000000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
00000003.00000002.593962047.0000000007000000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
00000003.00000002.593962047.0000000007000000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5ad5:$x2: NanoCore.ClientPlugin 0x59eb:$x3: NanoCore.ClientPluginHost 0x5aeb:$i3: IClientNetwork 0x5a24:$i5: IClientDataHost 0x5a05:$i6: IClientLoggingHost 0x5b48:$i7: IClientNetworkHost 0x5a43:$i8: IClientUIHost 0x6955:$i9: IClientNameObjectCollection 0x54fc:$s1: ClientPlugin 0x5ade:$s1: ClientPlugin 0x6971:$s6: get_ClientSettings
00000003.00000002.593962047.0000000007000000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x59eb:$a1: NanoCore.ClientPluginHost 0x5ad5:$a2: NanoCore.ClientPlugin 0x732e:$b7: LogClientException 0x6941:$b8: PipeExists 0x5a05:$b9: IClientLoggingHost
00000003.00000002.594928792.0000000007310000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
00000003.00000002.594928792.0000000007310000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
00000003.00000002.594928792.0000000007310000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5fc9:$x2: NanoCore.ClientPlugin 0x5fee:$x3: NanoCore.ClientPluginHost 0x5fba:$i3: IClientNetwork 0x5fdf:$i4: IClientAppHost 0x6008:$i5: IClientDataHost 0x6018:$i6: IClientLoggingHost 0x602b:$i7: IClientNetworkHost 0x603e:$i8: IClientUIHost 0x604c:$i9: IClientNameObjectCollection 0x5d70:$s1: ClientPlugin 0x5fd2:$s1: ClientPlugin
00000003.00000002.594928792.0000000007310000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5fee:$a1: NanoCore.ClientPluginHost 0x5fc9:$a2: NanoCore.ClientPlugin 0x5fdf:$b4: IClientAppHost 0xa4ce:$b7: LogClientException 0x6018:$b9: IClientLoggingHost
00000003.00000002.594066194.0000000007010000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
00000003.00000002.594066194.0000000007010000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
00000003.00000002.594066194.0000000007010000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3a8b:$x2: NanoCore.ClientPlugin 0x39eb:$x3: NanoCore.ClientPluginHost 0x3aa1:$i3: IClientNetwork 0x3a43:$i5: IClientDataHost 0x3a05:$i6: IClientLoggingHost 0x3a24:$i7: IClientNetworkHost 0x426c:$i9: IClientNameObjectCollection 0x3741:$s1: ClientPlugin 0x3a94:$s1: ClientPlugin 0x4680:$s2: EndPoint 0x4371:$s3: IPAddress 0x3c83:$s4: IPEndPoint 0x43a3:$s7: get_Connected
00000003.00000002.594066194.0000000007010000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x39eb:$a1: NanoCore.ClientPluginHost 0x3a8b:$a2: NanoCore.ClientPlugin 0x47e1:$b7: LogClientException 0x3a05:$b9: IClientLoggingHost
00000000.00000002.351210930.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xc86dd:$x1: NanoCore.ClientPluginHost 0xc871a:$x2: IClientNetworkHost 0xcc24d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.351210930.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.351210930.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xc8445:$a: NanoCore 0xc8455:$a: NanoCore 0xc8689:$a: NanoCore 0xc869d:$a: NanoCore 0xc86dd:$a: NanoCore 0xc84a4:$b: ClientPlugin 0xc86a6:$b: ClientPlugin 0xc86e6:$b: ClientPlugin 0xc85cb:$c: ProjectData 0xc8fd2:$d: DESCrypto 0xd099e:$e: KeepAlive 0xce98c:$g: LogClientMessage 0xcab87:$i: get_Connected 0xc9308:$j: #=q 0xc9338:$j: #=q 0xc9354:$j: #=q 0xc9384:$j: #=q 0xc93a0:$j: #=q 0xc93bc:$j: #=q 0xc93ec:$j: #=q 0xc9408:$j: #=q
00000000.00000002.351210930.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xc86dd:$a1: NanoCore.ClientPluginHost 0xc869d:$a2: NanoCore.ClientPlugin 0xca5f6:$b1: get_BuilderSettings 0xc84f9:$b2: ClientLoaderForm.resources 0xc9d16:$b3: PluginCommand 0xc86ce:$b4: IClientAppHost 0xd2b4e:$b5: GetBlockHash 0xcac4e:$b6: AddHostEntry 0xce941:$b7: LogClientException 0xcabbb:$b8: PipeExists 0xc8707:$b9: IClientLoggingHost
00000003.00000000.343643595.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000003.00000000.343643595.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000003.00000000.343643595.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000003.00000000.343643595.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xff8d:$a1: NanoCore.ClientPluginHost 0xff4d:$a2: NanoCore.ClientPlugin 0x11ea6:$b1: get_BuilderSettings 0xfda9:$b2: ClientLoaderForm.resources 0x115c6:$b3: PluginCommand 0xff7e:$b4: IClientAppHost 0x1a3fe:$b5: GetBlockHash 0x124fe:$b6: AddHostEntry 0x161f1:$b7: LogClientException 0x1246b:$b8: PipeExists 0xffb7:$b9: IClientLoggingHost
00000003.00000002.593436718.0000000006E80000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
00000003.00000002.593436718.0000000006E80000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b0b:$x2: NanoCore.ClientPluginHost 0x5c0f:$s4: PipeCreated 0x5b25:$s5: IClientLoggingHost
00000003.00000002.593436718.0000000006E80000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b87:$x2: NanoCore.ClientPlugin 0x5b0b:$x3: NanoCore.ClientPluginHost 0x5b9d:$i3: IClientNetwork 0x5b25:$i6: IClientLoggingHost 0x5b44:$i7: IClientNetworkHost 0x57fb:$s1: ClientPlugin 0x5b90:$s1: ClientPlugin 0x6cf4:$s3: IPAddress
00000003.00000002.593436718.0000000006E80000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b0b:$a1: NanoCore.ClientPluginHost 0x5b87:$a2: NanoCore.ClientPlugin 0x6710:$b7: LogClientException 0x5b25:$b9: IClientLoggingHost
00000003.00000002.592602875.0000000006540000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
00000003.00000002.592602875.0000000006540000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
00000003.00000002.592602875.0000000006540000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x175f:$x2: NanoCore.ClientPlugin 0x16e3:$x3: NanoCore.ClientPluginHost 0x1775:$i3: IClientNetwork 0x16fd:$i6: IClientLoggingHost 0x171c:$i7: IClientNetworkHost 0x1491:$s1: ClientPlugin 0x1768:$s1: ClientPlugin
00000003.00000002.592602875.0000000006540000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x16e3:$a1: NanoCore.ClientPluginHost 0x175f:$a2: NanoCore.ClientPlugin 0x16fd:$b9: IClientLoggingHost
00000003.00000002.589979363.0000000005050000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000003.00000002.589979363.0000000005050000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000003.00000002.589979363.0000000005050000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
00000003.00000002.589979363.0000000005050000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
00000003.00000002.580783944.00000000039C1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x27b0b:$a1: NanoCore.ClientPluginHost 0x27ae2:$a2: NanoCore.ClientPlugin 0x2cb36:$b7: LogClientException 0x27af8:$b9: IClientLoggingHost
00000012.00000002.502379246.0000000003271000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000012.00000002.502379246.0000000003271000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x69437:$a: NanoCore 0x69490:$a: NanoCore 0x694cd:$a: NanoCore 0x69546:$a: NanoCore 0x69499:$b: ClientPlugin 0x694d6:$b: ClientPlugin 0x69dd4:$b: ClientPlugin 0x69de1:$b: ClientPlugin 0x5f5b5:$e: KeepAlive 0x69921:$g: LogClientMessage 0x698a1:$i: get_Connected 0x5986d:$j: #=q 0x5989d:$j: #=q 0x598d9:$j: #=q 0x59901:$j: #=q 0x59931:$j: #=q 0x59961:$j: #=q 0x59991:$j: #=q 0x599c1:$j: #=q 0x599dd:$j: #=q 0x59a0d:$j: #=q
00000012.00000002.502379246.0000000003271000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x694cd:$a1: NanoCore.ClientPluginHost 0x69490:$a2: NanoCore.ClientPlugin 0x5ada7:$b1: get_BuilderSettings 0x69864:$b1: get_BuilderSettings 0x6951b:$b4: IClientAppHost 0x698d5:$b6: AddHostEntry 0x5ad16:$b7: LogClientException 0x69944:$b7: LogClientException 0x698b9:$b8: PipeExists 0x69508:$b9: IClientLoggingHost
00000003.00000002.572765724.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000003.00000002.572765724.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3bda3:$a: NanoCore 0x3bdfc:$a: NanoCore 0x3be39:$a: NanoCore 0x3beb2:$a: NanoCore 0x50816:$a: NanoCore 0x5083b:$a: NanoCore 0x50894:$a: NanoCore 0x60aaf:$a: NanoCore 0x60ad5:$a: NanoCore 0x60b31:$a: NanoCore 0x3be05:$b: ClientPlugin 0x3be42:$b: ClientPlugin 0x3c740:$b: ClientPlugin 0x3c74d:$b: ClientPlugin 0x5060d:$b: ClientPlugin 0x5061e:$b: ClientPlugin 0x5064e:$b: ClientPlugin 0x5081f:$b: ClientPlugin 0x50844:$b: ClientPlugin 0x607eb:$b: ClientPlugin 0x60802:$b: ClientPlugin
00000003.00000002.572765724.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3be39:$a1: NanoCore.ClientPluginHost 0x5083b:$a1: NanoCore.ClientPluginHost 0x60ad5:$a1: NanoCore.ClientPluginHost 0x3bdfc:$a2: NanoCore.ClientPlugin 0x50816:$a2: NanoCore.ClientPlugin 0x60aaf:$a2: NanoCore.ClientPlugin 0x3c1d0:$b1: get_BuilderSettings 0x541d8:$b1: get_BuilderSettings 0x3be87:$b4: IClientAppHost 0x5082c:$b4: IClientAppHost 0x3c241:$b6: AddHostEntry 0x3c2b0:$b7: LogClientException 0x3c225:$b8: PipeExists 0x3be74:$b9: IClientLoggingHost 0x60aef:$b9: IClientLoggingHost
00000000.00000002.352245428.00000000035EE000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2153dd:$x1: NanoCore.ClientPluginHost 0x21541a:$x2: IClientNetworkHost 0x218f4d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.352245428.00000000035EE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.352245428.00000000035EE000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x215145:$a: NanoCore 0x215155:$a: NanoCore 0x215389:$a: NanoCore 0x21539d:$a: NanoCore 0x2153dd:$a: NanoCore 0x2151a4:$b: ClientPlugin 0x2153a6:$b: ClientPlugin 0x2153e6:$b: ClientPlugin 0x2152cb:$c: ProjectData 0x32d4a9:$c: ProjectData 0x36fe81:$c: ProjectData 0x215cd2:$d: DESCrypto 0x21d69e:$e: KeepAlive 0x21b68c:$g: LogClientMessage 0x217887:$i: get_Connected 0x216008:$j: #=q 0x216038:$j: #=q 0x216054:$j: #=q 0x216084:$j: #=q 0x2160a0:$j: #=q 0x2160bc:$j: #=q
00000000.00000002.352245428.00000000035EE000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2153dd:$a1: NanoCore.ClientPluginHost 0x21539d:$a2: NanoCore.ClientPlugin 0x2172f6:$b1: get_BuilderSettings 0x2151f9:$b2: ClientLoaderForm.resources 0x216a16:$b3: PluginCommand 0x2153ce:$b4: IClientAppHost 0x21f84e:$b5: GetBlockHash 0x21794e:$b6: AddHostEntry 0x21b641:$b7: LogClientException 0x2178bb:$b8: PipeExists 0x215407:$b9: IClientLoggingHost
Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 3256	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x128be3:$x1: NanoCore.ClientPluginHost 0x1ac19e:$x1: NanoCore.ClientPluginHost 0x128c20:$x2: IClientNetworkHost 0x1ac1db:$x2: IClientNetworkHost 0x12c711:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x137797:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1af940:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1ba8ac:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 3256	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x126ed8:$s5: AEAAAAMAAQqVT 0x50090:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV 0x104113:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV 0x126e49:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV 0x1f28f3:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 3256	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 3256	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 3256	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1288b0:$a: NanoCore 0x1288c0:$a: NanoCore 0x12897f:$a: NanoCore 0x12898e:$a: NanoCore 0x128b8f:$a: NanoCore 0x128ba3:$a: NanoCore 0x128be3:$a: NanoCore 0x133e01:$a: NanoCore 0x133e13:$a: NanoCore 0x133e4f:$a: NanoCore 0x1abeb5:$a: NanoCore 0x1abec5:$a: NanoCore 0x1abf3a:$a: NanoCore 0x1abf49:$a: NanoCore 0x1ac14a:$a: NanoCore 0x1ac15e:$a: NanoCore 0x1ac19e:$a: NanoCore 0x1b6f16:$a: NanoCore 0x1b6f28:$a: NanoCore 0x1b6f64:$a: NanoCore 0x12890f:$b: ClientPlugin
Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 3256	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x128be3:$a1: NanoCore.ClientPluginHost 0x1ac19e:$a1: NanoCore.ClientPluginHost 0x128ba3:$a2: NanoCore.ClientPlugin 0x1ac15e:$a2: NanoCore.ClientPlugin 0x12aaba:$b1: get_BuilderSettings 0x1adcf0:$b1: get_BuilderSettings 0x128964:$b2: ClientLoaderForm.resources 0x1abf1f:$b2: ClientLoaderForm.resources 0x12a1da:$b3: PluginCommand 0x1ad426:$b3: PluginCommand 0x128bd4:$b4: IClientAppHost 0x1ac18f:$b4: IClientAppHost 0x13300d:$b5: GetBlockHash 0x1b623c:$b5: GetBlockHash 0x12b112:$b6: AddHostEntry 0x136231:$b6: AddHostEntry 0x1ae341:$b6: AddHostEntry 0x1b9346:$b6: AddHostEntry 0x12ee05:$b7: LogClientException 0x139d72:$b7: LogClientException 0x1b2034:$b7: LogClientException
Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 4128	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe1ea:$x1: NanoCore.ClientPluginHost 0x1a7f4:$x1: NanoCore.ClientPluginHost 0x20f9d:$x1: NanoCore.ClientPluginHost 0x28fc0:$x1: NanoCore.ClientPluginHost 0x49a28:$x1: NanoCore.ClientPluginHost 0xd345d:$x1: NanoCore.ClientPluginHost 0xd7927:$x1: NanoCore.ClientPluginHost 0xf1e78:$x1: NanoCore.ClientPluginHost 0x11be61:$x1: NanoCore.ClientPluginHost 0x13f8f5:$x1: NanoCore.ClientPluginHost 0x17688a:$x1: NanoCore.ClientPluginHost 0x1893ea:$x1: NanoCore.ClientPluginHost 0x1939ac:$x1: NanoCore.ClientPluginHost 0x1a74a9:$x1: NanoCore.ClientPluginHost 0x1ac79f:$x1: NanoCore.ClientPluginHost 0x1c2cd9:$x1: NanoCore.ClientPluginHost 0x1c8368:$x1: NanoCore.ClientPluginHost 0x1d9469:$x1: NanoCore.ClientPluginHost 0x2116c0:$x1: NanoCore.ClientPluginHost 0xe204:$x2: IClientNetworkHost 0x1a80e:$x2: IClientNetworkHost
Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 4128	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 4128	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe1a9:$a: NanoCore 0xe1c1:$a: NanoCore 0xe1ea:$a: NanoCore 0x12fe2:$a: NanoCore 0x12ff8:$a: NanoCore 0x1301f:$a: NanoCore 0x1a7cb:$a: NanoCore 0x1a7f4:$a: NanoCore 0x1cce9:$a: NanoCore 0x1cd10:$a: NanoCore 0x20f9d:$a: NanoCore 0x21017:$a: NanoCore 0x21de6:$a: NanoCore 0x21e59:$a: NanoCore 0x28f9b:$a: NanoCore 0x28fc0:$a: NanoCore 0x29019:$a: NanoCore 0x2cab5:$a: NanoCore 0x2cad8:$a: NanoCore 0x2cb2d:$a: NanoCore 0x420c9:$a: NanoCore
Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 4128	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe1ea:$a1: NanoCore.ClientPluginHost 0x1a7f4:$a1: NanoCore.ClientPluginHost 0x20f9d:$a1: NanoCore.ClientPluginHost 0x28fc0:$a1: NanoCore.ClientPluginHost 0x49a28:$a1: NanoCore.ClientPluginHost 0xd345d:$a1: NanoCore.ClientPluginHost 0xd7927:$a1: NanoCore.ClientPluginHost 0xf1e78:$a1: NanoCore.ClientPluginHost 0x11be61:$a1: NanoCore.ClientPluginHost 0x13f8f5:$a1: NanoCore.ClientPluginHost 0x17688a:$a1: NanoCore.ClientPluginHost 0x1893ea:$a1: NanoCore.ClientPluginHost 0x1939ac:$a1: NanoCore.ClientPluginHost 0x1a74a9:$a1: NanoCore.ClientPluginHost 0x1ac79f:$a1: NanoCore.ClientPluginHost 0x1c2cd9:$a1: NanoCore.ClientPluginHost 0x1c8368:$a1: NanoCore.ClientPluginHost 0x1d9469:$a1: NanoCore.ClientPluginHost 0x2116c0:$a1: NanoCore.ClientPluginHost 0xe1c1:$a2: NanoCore.ClientPlugin 0x1a7cb:$a2: NanoCore.ClientPlugin
Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 3260	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x8f3e:$s5: AEAAAAMAAQqVT 0x8eaf:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV 0x2570c:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 3260	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: dhcpmon.exe PID: 1680	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x2cb21:$s5: AEAAAAMAAQqVT 0x202d5:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV 0x2ca92:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Process Memory Space: dhcpmon.exe PID: 1680	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: dhcpmon.exe PID: 2068	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x2cd64:$s5: AEAAAAMAAQqVT 0x56b3:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV 0x2ccd5:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Process Memory Space: dhcpmon.exe PID: 2068	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 5000	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 5000	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x5e65:$a: NanoCore 0x5ebe:$a: NanoCore 0x5efb:$a: NanoCore 0x5f74:$a: NanoCore 0x682d:$a: NanoCore 0x6880:$a: NanoCore 0x68b9:$a: NanoCore 0x692c:$a: NanoCore 0xdefe:$a: NanoCore 0xdf11:$a: NanoCore 0xdf43:$a: NanoCore 0x13c27:$a: NanoCore 0x13c3a:$a: NanoCore 0x13c6c:$a: NanoCore 0x1920e:$a: NanoCore 0x1926a:$a: NanoCore 0x192ea:$a: NanoCore 0x2ea7e:$a: NanoCore 0x2ead7:$a: NanoCore 0x2eb14:$a: NanoCore 0x2eb8d:$a: NanoCore
Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 5000	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5efb:$a1: NanoCore.ClientPluginHost 0x2eb14:$a1: NanoCore.ClientPluginHost 0x5ebe:$a2: NanoCore.ClientPlugin 0x2ead7:$a2: NanoCore.ClientPlugin 0x6275:$b1: get_BuilderSettings 0x28269:$b1: get_BuilderSettings 0x5f49:$b4: IClientAppHost 0x2eb62:$b4: IClientAppHost 0x62e6:$b6: AddHostEntry 0x2ee75:$b6: AddHostEntry 0x6355:$b7: LogClientException 0x281d8:$b7: LogClientException 0x62ca:$b8: PipeExists 0x2ee59:$b8: PipeExists 0x5f36:$b9: IClientLoggingHost 0x2eb4f:$b9: IClientLoggingHost
Process Memory Space: dhcpmon.exe PID: 1276	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 1276	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4080:$a: NanoCore 0xaba9:$a: NanoCore 0xabbd:$a: NanoCore 0xb888:$a: NanoCore 0x14b99:$a: NanoCore 0x14bf5:$a: NanoCore 0x14c7d:$a: NanoCore 0x2a6a0:$a: NanoCore 0x2a6f9:$a: NanoCore 0x2a736:$a: NanoCore 0x2a7af:$a: NanoCore 0x2af3d:$a: NanoCore 0x2af90:$a: NanoCore 0x2afc9:$a: NanoCore 0x2b03c:$a: NanoCore 0x2bbfe:$a: NanoCore 0x25a03:$b: ClientPlugin 0x25a44:$b: ClientPlugin 0x2a702:$b: ClientPlugin 0x2a73f:$b: ClientPlugin 0x2aeed:$b: ClientPlugin
Process Memory Space: dhcpmon.exe PID: 1276	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2a736:$a1: NanoCore.ClientPluginHost 0x2a6f9:$a2: NanoCore.ClientPlugin 0x23e8b:$b1: get_BuilderSettings 0x2a784:$b4: IClientAppHost 0x2aa97:$b6: AddHostEntry 0x23dfa:$b7: LogClientException 0x2aa7b:$b8: PipeExists 0x2a771:$b9: IClientLoggingHost
Click to see the 107 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a6dde4.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3f0b:$x1: NanoCore.ClientPluginHost 0x921c:$x1: NanoCore.ClientPluginHost 0x3f44:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a6dde4.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3f0b:$x2: NanoCore.ClientPluginHost 0x921c:$x2: NanoCore.ClientPluginHost 0x400f:$s4: PipeCreated 0x92fa:$s4: PipeCreated 0x3f25:$s5: IClientLoggingHost 0x9236:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a6dde4.5.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3f87:$x2: NanoCore.ClientPlugin 0x9266:$x2: NanoCore.ClientPlugin 0x3f0b:$x3: NanoCore.ClientPluginHost 0x921c:$x3: NanoCore.ClientPluginHost 0x3f9d:$i3: IClientNetwork 0x927c:$i3: IClientNetwork 0x3f25:$i6: IClientLoggingHost 0x9236:$i6: IClientLoggingHost 0x3f44:$i7: IClientNetworkHost 0x3bfb:$s1: ClientPlugin 0x3f90:$s1: ClientPlugin 0x8ff9:$s1: ClientPlugin 0x926f:$s1: ClientPlugin 0x50f4:$s3: IPAddress
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a6dde4.5.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3f0b:$a1: NanoCore.ClientPluginHost 0x921c:$a1: NanoCore.ClientPluginHost 0x3f87:$a2: NanoCore.ClientPlugin 0x9266:$a2: NanoCore.ClientPlugin 0x4b10:$b7: LogClientException 0x3f25:$b9: IClientLoggingHost 0x9236:$b9: IClientLoggingHost
17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2eb9838.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2eb9838.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2eb9838.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2eb9838.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7010000.27.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1deb:$x1: NanoCore.ClientPluginHost 0x1e24:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7010000.27.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1deb:$x2: NanoCore.ClientPluginHost 0x1f36:$s4: PipeCreated 0x1e05:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7010000.27.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1e8b:$x2: NanoCore.ClientPlugin 0x1deb:$x3: NanoCore.ClientPluginHost 0x1ea1:$i3: IClientNetwork 0x1e43:$i5: IClientDataHost 0x1e05:$i6: IClientLoggingHost 0x1e24:$i7: IClientNetworkHost 0x266c:$i9: IClientNameObjectCollection 0x1b41:$s1: ClientPlugin 0x1e94:$s1: ClientPlugin 0x2a80:$s2: EndPoint 0x2771:$s3: IPAddress 0x2083:$s4: IPEndPoint 0x27a3:$s7: get_Connected
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7010000.27.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1deb:$a1: NanoCore.ClientPluginHost 0x1e8b:$a2: NanoCore.ClientPlugin 0x2be1:$b7: LogClientException 0x1e05:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cd0000.20.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cd0000.20.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cd0000.20.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x8b7f:$x2: NanoCore.ClientPlugin 0x8ba5:$x3: NanoCore.ClientPluginHost 0x8b70:$i3: IClientNetwork 0x8b95:$i5: IClientDataHost 0x8bbf:$i6: IClientLoggingHost 0x8bd2:$i7: IClientNetworkHost 0x8be5:$i9: IClientNameObjectCollection 0x8902:$s1: ClientPlugin 0x8b88:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cd0000.20.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x8ba5:$a1: NanoCore.ClientPluginHost 0x8b7f:$a2: NanoCore.ClientPlugin 0x8bbf:$b9: IClientLoggingHost
18.2.dhcpmon.exe.32d9658.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
18.2.dhcpmon.exe.32d9658.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
18.2.dhcpmon.exe.32d9658.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
18.2.dhcpmon.exe.32d9658.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d1302e.14.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3d99:$x1: NanoCore.ClientPluginHost 0xcd3b:$x1: NanoCore.ClientPluginHost 0x3db3:$x2: IClientNetworkHost 0xcd55:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d1302e.14.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3d99:$x2: NanoCore.ClientPluginHost 0xcd3b:$x2: NanoCore.ClientPluginHost 0x4dce:$s4: PipeCreated 0x3d86:$s5: IClientLoggingHost 0xcd28:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d1302e.14.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3d70:$x2: NanoCore.ClientPlugin 0xcd12:$x2: NanoCore.ClientPlugin 0x3d99:$x3: NanoCore.ClientPluginHost 0xcd3b:$x3: NanoCore.ClientPluginHost 0x3d61:$i3: IClientNetwork 0xcd03:$i3: IClientNetwork 0x3d86:$i6: IClientLoggingHost 0xcd28:$i6: IClientLoggingHost 0x3db3:$i7: IClientNetworkHost 0xcd55:$i7: IClientNetworkHost 0x3bd4:$s1: ClientPlugin 0x3d79:$s1: ClientPlugin 0xcb7e:$s1: ClientPlugin 0xcd1b:$s1: ClientPlugin 0x4084:$s2: EndPoint 0x408d:$s3: IPAddress 0x4097:$s4: IPEndPoint
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d1302e.14.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3d99:$a1: NanoCore.ClientPluginHost 0xcd3b:$a1: NanoCore.ClientPluginHost 0x3d70:$a2: NanoCore.ClientPlugin 0xcd12:$a2: NanoCore.ClientPlugin 0x3d86:$b9: IClientLoggingHost 0xcd28:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d0000.30.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d0000.30.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d0000.30.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1f1b2:$x2: NanoCore.ClientPlugin 0x1f1db:$x3: NanoCore.ClientPluginHost 0x1f1a3:$i3: IClientNetwork 0x1f1c8:$i6: IClientLoggingHost 0x1f1f5:$i7: IClientNetworkHost 0x1f208:$i8: IClientUIHost 0x1ef12:$s1: ClientPlugin 0x1f1bb:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d0000.30.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1f1db:$a1: NanoCore.ClientPluginHost 0x1f1b2:$a2: NanoCore.ClientPlugin 0x24206:$b7: LogClientException 0x1f1c8:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6ff0000.25.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x605:$x1: NanoCore.ClientPluginHost 0x63e:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6ff0000.25.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x605:$x2: NanoCore.ClientPluginHost 0x720:$s4: PipeCreated 0x61f:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6ff0000.25.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x67f:$x2: NanoCore.ClientPlugin 0x605:$x3: NanoCore.ClientPluginHost 0x695:$i3: IClientNetwork 0x61f:$i6: IClientLoggingHost 0x63e:$i7: IClientNetworkHost 0x688:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6ff0000.25.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x605:$a1: NanoCore.ClientPluginHost 0x67f:$a2: NanoCore.ClientPlugin 0xda0:$b7: LogClientException 0x61f:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a0cc80.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a0cc80.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a0cc80.2.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x2d96:$x2: NanoCore.ClientPlugin 0x2dbb:$x3: NanoCore.ClientPluginHost 0x2d87:$i3: IClientNetwork 0x2dac:$i4: IClientAppHost 0x2dd5:$i5: IClientDataHost 0x2de5:$i7: IClientNetworkHost 0x2df8:$i9: IClientNameObjectCollection 0x2e1d:$i10: IClientReadOnlyNameObjectCollection 0x2bce:$s1: ClientPlugin 0x2d9f:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a0cc80.2.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2dbb:$a1: NanoCore.ClientPluginHost 0x2d96:$a2: NanoCore.ClientPlugin 0x6758:$b1: get_BuilderSettings 0x2dac:$b4: IClientAppHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39ce5cf.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1a53c:$x1: NanoCore.ClientPluginHost 0x1a556:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39ce5cf.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1a53c:$x2: NanoCore.ClientPluginHost 0x1d879:$s4: PipeCreated 0x1a529:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39ce5cf.7.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1a513:$x2: NanoCore.ClientPlugin 0x1a53c:$x3: NanoCore.ClientPluginHost 0x1a504:$i3: IClientNetwork 0x1a529:$i6: IClientLoggingHost 0x1a556:$i7: IClientNetworkHost 0x1a569:$i8: IClientUIHost 0x1a273:$s1: ClientPlugin 0x1a51c:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39ce5cf.7.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1a53c:$a1: NanoCore.ClientPluginHost 0x1a513:$a2: NanoCore.ClientPlugin 0x1f567:$b7: LogClientException 0x1a529:$b9: IClientLoggingHost
0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5284629.18.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5284629.18.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5284629.18.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5284629.18.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0xb165:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin 0xb158:$s1: ClientPlugin 0x10179:$s6: get_ClientSettings
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5284629.18.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb184:$a1: NanoCore.ClientPluginHost 0xb14f:$a2: NanoCore.ClientPlugin 0x100ca:$b1: get_BuilderSettings 0x10039:$b7: LogClientException 0xb19e:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d0a1ff.15.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0xe9c8:$x1: NanoCore.ClientPluginHost 0x1a76a:$x1: NanoCore.ClientPluginHost 0x3f66e:$x1: NanoCore.ClientPluginHost 0x4eaae:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost 0xe9e2:$x2: IClientNetworkHost 0x1a784:$x2: IClientNetworkHost 0x3f688:$x2: IClientNetworkHost 0x4eaeb:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d0a1ff.15.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0xe9c8:$x2: NanoCore.ClientPluginHost 0x1a76a:$x2: NanoCore.ClientPluginHost 0x3f66e:$x2: NanoCore.ClientPluginHost 0x4eaae:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0xf9fd:$s4: PipeCreated 0x1c515:$s4: PipeCreated 0x429ab:$s4: PipeCreated 0x51f01:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost 0xe9b5:$s5: IClientLoggingHost 0x1a757:$s5: IClientLoggingHost 0x3f65b:$s5: IClientLoggingHost 0x4ead8:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d0a1ff.15.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3a8b:$x2: NanoCore.ClientPlugin 0xe99f:$x2: NanoCore.ClientPlugin 0x1a741:$x2: NanoCore.ClientPlugin 0x3f645:$x2: NanoCore.ClientPlugin 0x4ea89:$x2: NanoCore.ClientPlugin 0x39eb:$x3: NanoCore.ClientPluginHost 0xe9c8:$x3: NanoCore.ClientPluginHost 0x1a76a:$x3: NanoCore.ClientPluginHost 0x3f66e:$x3: NanoCore.ClientPluginHost 0x4eaae:$x3: NanoCore.ClientPluginHost 0x3aa1:$i3: IClientNetwork 0xe990:$i3: IClientNetwork 0x1a732:$i3: IClientNetwork 0x3f636:$i3: IClientNetwork 0x4ea7a:$i3: IClientNetwork 0x4ea9f:$i4: IClientAppHost 0x3a43:$i5: IClientDataHost 0x4eac8:$i5: IClientDataHost 0x3a05:$i6: IClientLoggingHost 0xe9b5:$i6: IClientLoggingHost 0x1a757:$i6: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d0a1ff.15.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x36cb:$a: NanoCore 0x372c:$a: NanoCore 0x376f:$a: NanoCore 0x37af:$a: NanoCore 0x39eb:$a: NanoCore 0x3a8b:$a: NanoCore 0x4263:$a: NanoCore 0x4856:$a: NanoCore 0x49a7:$a: NanoCore 0x5801:$a: NanoCore 0x5a68:$a: NanoCore 0x5a7d:$a: NanoCore 0x5a9c:$a: NanoCore 0xe99f:$a: NanoCore 0xe9c8:$a: NanoCore 0x1a741:$a: NanoCore 0x1a76a:$a: NanoCore 0x3f62d:$a: NanoCore 0x3f645:$a: NanoCore 0x3f66e:$a: NanoCore 0x4ea71:$a: NanoCore
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d0a1ff.15.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x39eb:$a1: NanoCore.ClientPluginHost 0xe9c8:$a1: NanoCore.ClientPluginHost 0x1a76a:$a1: NanoCore.ClientPluginHost 0x3f66e:$a1: NanoCore.ClientPluginHost 0x4eaae:$a1: NanoCore.ClientPluginHost 0x3a8b:$a2: NanoCore.ClientPlugin 0xe99f:$a2: NanoCore.ClientPlugin 0x1a741:$a2: NanoCore.ClientPlugin 0x3f645:$a2: NanoCore.ClientPlugin 0x4ea89:$a2: NanoCore.ClientPlugin 0x4ea9f:$b4: IClientAppHost 0x47e1:$b7: LogClientException 0x1cab3:$b7: LogClientException 0x44699:$b7: LogClientException 0x52f8e:$b7: LogClientException 0x3a05:$b9: IClientLoggingHost 0xe9b5:$b9: IClientLoggingHost 0x1a757:$b9: IClientLoggingHost 0x3f65b:$b9: IClientLoggingHost 0x4ead8:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d2145e.13.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x170b:$x1: NanoCore.ClientPluginHost 0x1725:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d2145e.13.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x170b:$x2: NanoCore.ClientPluginHost 0x34b6:$s4: PipeCreated 0x16f8:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d2145e.13.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x16e2:$x2: NanoCore.ClientPlugin 0x170b:$x3: NanoCore.ClientPluginHost 0x16d3:$i3: IClientNetwork 0x16f8:$i6: IClientLoggingHost 0x1725:$i7: IClientNetworkHost 0x154e:$s1: ClientPlugin 0x16eb:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d2145e.13.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x170b:$a1: NanoCore.ClientPluginHost 0x16e2:$a2: NanoCore.ClientPlugin 0x3a54:$b7: LogClientException 0x16f8:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39c9930.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39c9930.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39c9930.8.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1f1b2:$x2: NanoCore.ClientPlugin 0x1f1db:$x3: NanoCore.ClientPluginHost 0x1f1a3:$i3: IClientNetwork 0x1f1c8:$i6: IClientLoggingHost 0x1f1f5:$i7: IClientNetworkHost 0x1f208:$i8: IClientUIHost 0x1ef12:$s1: ClientPlugin 0x1f1bb:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7010000.27.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7010000.27.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39c9930.8.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1f1db:$a1: NanoCore.ClientPluginHost 0x1f1b2:$a2: NanoCore.ClientPlugin 0x24206:$b7: LogClientException 0x1f1c8:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7010000.27.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3a8b:$x2: NanoCore.ClientPlugin 0x39eb:$x3: NanoCore.ClientPluginHost 0x3aa1:$i3: IClientNetwork 0x3a43:$i5: IClientDataHost 0x3a05:$i6: IClientLoggingHost 0x3a24:$i7: IClientNetworkHost 0x426c:$i9: IClientNameObjectCollection 0x3741:$s1: ClientPlugin 0x3a94:$s1: ClientPlugin 0x4680:$s2: EndPoint 0x4371:$s3: IPAddress 0x3c83:$s4: IPEndPoint 0x43a3:$s7: get_Connected
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7010000.27.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x39eb:$a1: NanoCore.ClientPluginHost 0x3a8b:$a2: NanoCore.ClientPlugin 0x47e1:$b7: LogClientException 0x3a05:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b4b835.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b4b835.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b4b835.10.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x6d7f:$x2: NanoCore.ClientPlugin 0x6da5:$x3: NanoCore.ClientPluginHost 0x6d70:$i3: IClientNetwork 0x6d95:$i5: IClientDataHost 0x6dbf:$i6: IClientLoggingHost 0x6dd2:$i7: IClientNetworkHost 0x6de5:$i9: IClientNameObjectCollection 0x6b02:$s1: ClientPlugin 0x6d88:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b4b835.10.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x6da5:$a1: NanoCore.ClientPluginHost 0x6d7f:$a2: NanoCore.ClientPlugin 0x6dbf:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d0a1ff.15.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1deb:$x1: NanoCore.ClientPluginHost 0x1e24:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d0a1ff.15.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1deb:$x2: NanoCore.ClientPluginHost 0x1f36:$s4: PipeCreated 0x1e05:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d0a1ff.15.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1e8b:$x2: NanoCore.ClientPlugin 0x1deb:$x3: NanoCore.ClientPluginHost 0x1ea1:$i3: IClientNetwork 0x1e43:$i5: IClientDataHost 0x1e05:$i6: IClientLoggingHost 0x1e24:$i7: IClientNetworkHost 0x266c:$i9: IClientNameObjectCollection 0x1b41:$s1: ClientPlugin 0x1e94:$s1: ClientPlugin 0x2a80:$s2: EndPoint 0x2771:$s3: IPAddress 0x2083:$s4: IPEndPoint 0x27a3:$s7: get_Connected
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d0a1ff.15.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1deb:$a1: NanoCore.ClientPluginHost 0x1e8b:$a2: NanoCore.ClientPlugin 0x2be1:$b7: LogClientException 0x1e05:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cc0000.19.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cc0000.19.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cc0000.19.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x2d96:$x2: NanoCore.ClientPlugin 0x2dbb:$x3: NanoCore.ClientPluginHost 0x2d87:$i3: IClientNetwork 0x2dac:$i4: IClientAppHost 0x2dd5:$i5: IClientDataHost 0x2de5:$i7: IClientNetworkHost 0x2df8:$i9: IClientNameObjectCollection 0x2e1d:$i10: IClientReadOnlyNameObjectCollection 0x2bce:$s1: ClientPlugin 0x2d9f:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cc0000.19.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2dbb:$a1: NanoCore.ClientPluginHost 0x2d96:$a2: NanoCore.ClientPlugin 0x6758:$b1: get_BuilderSettings 0x2dac:$b4: IClientAppHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a18f30.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a18f30.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a18f30.1.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x6d7f:$x2: NanoCore.ClientPlugin 0x6da5:$x3: NanoCore.ClientPluginHost 0x6d70:$i3: IClientNetwork 0x6d95:$i5: IClientDataHost 0x6dbf:$i6: IClientLoggingHost 0x6dd2:$i7: IClientNetworkHost 0x6de5:$i9: IClientNameObjectCollection 0x6b02:$s1: ClientPlugin 0x6d88:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a18f30.1.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x6da5:$a1: NanoCore.ClientPluginHost 0x6d7f:$a2: NanoCore.ClientPlugin 0x6dbf:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0x128f3:$b1: get_BuilderSettings 0x12862:$b7: LogClientException 0xd9c7:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5050000.16.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5050000.16.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5050000.16.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5050000.16.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a79658.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3875:$x1: NanoCore.ClientPluginHost 0x38ae:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a79658.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3875:$x2: NanoCore.ClientPluginHost 0x3990:$s4: PipeCreated 0x388f:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a79658.3.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x38ef:$x2: NanoCore.ClientPlugin 0x3875:$x3: NanoCore.ClientPluginHost 0x3905:$i3: IClientNetwork 0x388f:$i6: IClientLoggingHost 0x38ae:$i7: IClientNetworkHost 0x360f:$s1: ClientPlugin 0x38f8:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a79658.3.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3875:$a1: NanoCore.ClientPluginHost 0x38ef:$a2: NanoCore.ClientPlugin 0x4010:$b7: LogClientException 0x388f:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b3f601.11.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b3f601.11.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b3f601.11.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x2d96:$x2: NanoCore.ClientPlugin 0x2dbb:$x3: NanoCore.ClientPluginHost 0x2d87:$i3: IClientNetwork 0x2dac:$i4: IClientAppHost 0x2dd5:$i5: IClientDataHost 0x2de5:$i7: IClientNetworkHost 0x2df8:$i9: IClientNameObjectCollection 0x2e1d:$i10: IClientReadOnlyNameObjectCollection 0x2bce:$s1: ClientPlugin 0x2d9f:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b3f601.11.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2dbb:$a1: NanoCore.ClientPluginHost 0x2d96:$a2: NanoCore.ClientPlugin 0x6758:$b1: get_BuilderSettings 0x2dac:$b4: IClientAppHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72a0000.28.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3d99:$x1: NanoCore.ClientPluginHost 0x3db3:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72a0000.28.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3d99:$x2: NanoCore.ClientPluginHost 0x4dce:$s4: PipeCreated 0x3d86:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72a0000.28.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3d70:$x2: NanoCore.ClientPlugin 0x3d99:$x3: NanoCore.ClientPluginHost 0x3d61:$i3: IClientNetwork 0x3d86:$i6: IClientLoggingHost 0x3db3:$i7: IClientNetworkHost 0x3bd4:$s1: ClientPlugin 0x3d79:$s1: ClientPlugin 0x4084:$s2: EndPoint 0x408d:$s3: IPAddress 0x4097:$s4: IPEndPoint
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72a0000.28.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3d99:$a1: NanoCore.ClientPluginHost 0x3d70:$a2: NanoCore.ClientPlugin 0x3d86:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72c0000.29.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x170b:$x1: NanoCore.ClientPluginHost 0x1725:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72c0000.29.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x170b:$x2: NanoCore.ClientPluginHost 0x34b6:$s4: PipeCreated 0x16f8:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72c0000.29.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x16e2:$x2: NanoCore.ClientPlugin 0x170b:$x3: NanoCore.ClientPluginHost 0x16d3:$i3: IClientNetwork 0x16f8:$i6: IClientLoggingHost 0x1725:$i7: IClientNetworkHost 0x154e:$s1: ClientPlugin 0x16eb:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72c0000.29.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x170b:$a1: NanoCore.ClientPluginHost 0x16e2:$a2: NanoCore.ClientPlugin 0x3a54:$b7: LogClientException 0x16f8:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6fe0000.24.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6fe0000.24.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6fe0000.24.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x13f2:$x2: NanoCore.ClientPlugin 0x13a8:$x3: NanoCore.ClientPluginHost 0x1408:$i3: IClientNetwork 0x13c2:$i6: IClientLoggingHost 0x1185:$s1: ClientPlugin 0x13fb:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6fe0000.24.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x13a8:$a1: NanoCore.ClientPluginHost 0x13f2:$a2: NanoCore.ClientPlugin 0x13c2:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cc0000.19.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cc0000.19.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cc0000.19.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x4b96:$x2: NanoCore.ClientPlugin 0x4bbb:$x3: NanoCore.ClientPluginHost 0x4b87:$i3: IClientNetwork 0x4bac:$i4: IClientAppHost 0x4bd5:$i5: IClientDataHost 0x4be5:$i7: IClientNetworkHost 0x4bf8:$i9: IClientNameObjectCollection 0x4c1d:$i10: IClientReadOnlyNameObjectCollection 0x49ce:$s1: ClientPlugin 0x4b9f:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cc0000.19.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4bbb:$a1: NanoCore.ClientPluginHost 0x4b96:$a2: NanoCore.ClientPlugin 0x8558:$b1: get_BuilderSettings 0x4bac:$b4: IClientAppHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d0000.30.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d0000.30.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d3db:$x2: NanoCore.ClientPluginHost 0x20718:$s4: PipeCreated 0x1d3c8:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d0000.30.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1d3b2:$x2: NanoCore.ClientPlugin 0x1d3db:$x3: NanoCore.ClientPluginHost 0x1d3a3:$i3: IClientNetwork 0x1d3c8:$i6: IClientLoggingHost 0x1d3f5:$i7: IClientNetworkHost 0x1d408:$i8: IClientUIHost 0x1d112:$s1: ClientPlugin 0x1d3bb:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d0000.30.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1d3db:$a1: NanoCore.ClientPluginHost 0x1d3b2:$a2: NanoCore.ClientPlugin 0x22406:$b7: LogClientException 0x1d3c8:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6e80000.23.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6e80000.23.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b0b:$x2: NanoCore.ClientPluginHost 0x5c0f:$s4: PipeCreated 0x5b25:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6e80000.23.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b87:$x2: NanoCore.ClientPlugin 0x5b0b:$x3: NanoCore.ClientPluginHost 0x5b9d:$i3: IClientNetwork 0x5b25:$i6: IClientLoggingHost 0x5b44:$i7: IClientNetworkHost 0x57fb:$s1: ClientPlugin 0x5b90:$s1: ClientPlugin 0x6cf4:$s3: IPAddress
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6e80000.23.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b0b:$a1: NanoCore.ClientPluginHost 0x5b87:$a2: NanoCore.ClientPlugin 0x6710:$b7: LogClientException 0x5b25:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6540000.22.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6540000.22.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6540000.22.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x175f:$x2: NanoCore.ClientPlugin 0x16e3:$x3: NanoCore.ClientPluginHost 0x1775:$i3: IClientNetwork 0x16fd:$i6: IClientLoggingHost 0x171c:$i7: IClientNetworkHost 0x1491:$s1: ClientPlugin 0x1768:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6540000.22.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x16e3:$a1: NanoCore.ClientPluginHost 0x175f:$a2: NanoCore.ClientPlugin 0x16fd:$b9: IClientLoggingHost
17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0x128f3:$b1: get_BuilderSettings 0x12862:$b7: LogClientException 0xd9c7:$b9: IClientLoggingHost
17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3e9b7de.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5cf:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d5fc:$x2: IClientNetworkHost
17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3e9b7de.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5cf:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6aa:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d5e9:$s5: IClientLoggingHost
17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3e9b7de.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3e9b7de.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0x145ae:$x2: NanoCore.ClientPlugin 0x2d59a:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0x145e3:$x3: NanoCore.ClientPluginHost 0x2d5cf:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0x145a2:$i2: IClientData 0x2d58e:$i2: IClientData 0xe29:$i3: IClientNetwork 0x145c4:$i3: IClientNetwork 0x2d5b0:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0x145d3:$i5: IClientDataHost 0x2d5bf:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0x145fd:$i6: IClientLoggingHost 0x2d5e9:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost
17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3e9b7de.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d585:$a: NanoCore 0x2d59a:$a: NanoCore 0x2d5cf:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d341:$b: ClientPlugin 0x2d35c:$b: ClientPlugin
17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3e9b7de.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0x145e3:$a1: NanoCore.ClientPluginHost 0x2d5cf:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x145ae:$a2: NanoCore.ClientPlugin 0x2d59a:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0x19529:$b1: get_BuilderSettings 0x32515:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x19498:$b7: LogClientException 0x32484:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost 0x145fd:$b9: IClientLoggingHost 0x2d5e9:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cd0000.20.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cd0000.20.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cd0000.20.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x6d7f:$x2: NanoCore.ClientPlugin 0x6da5:$x3: NanoCore.ClientPluginHost 0x6d70:$i3: IClientNetwork 0x6d95:$i5: IClientDataHost 0x6dbf:$i6: IClientLoggingHost 0x6dd2:$i7: IClientNetworkHost 0x6de5:$i9: IClientNameObjectCollection 0x6b02:$s1: ClientPlugin 0x6d88:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cd0000.20.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x6da5:$a1: NanoCore.ClientPluginHost 0x6d7f:$a2: NanoCore.ClientPlugin 0x6dbf:$b9: IClientLoggingHost
3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72c0000.29.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72c0000.29.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72c0000.29.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x34e2:$x2: NanoCore.ClientPlugin 0x350b:$x3: NanoCore.ClientPluginHost 0x34d3:$i3: IClientNetwork 0x34f8:$i6: IClientLoggingHost 0x3525:$i7: IClientNetworkHost 0x334e:$s1: ClientPlugin 0x34eb:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72c0000.29.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x350b:$a1: NanoCore.ClientPluginHost 0x34e2:$a2: NanoCore.ClientPlugin 0x5854:$b7: LogClientException 0x34f8:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.29fbfc4.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x15877:$x1: NanoCore.ClientPluginHost 0x25b11:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x158a1:$x2: IClientNetworkHost 0x25b3e:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.29fbfc4.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x15877:$x2: NanoCore.ClientPluginHost 0x25b11:$x2: NanoCore.ClientPluginHost 0x26ae0:$s2: FileCommand 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x17727:$s4: PipeCreated 0x2b4e2:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x25b2b:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.29fbfc4.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0x15852:$x2: NanoCore.ClientPlugin 0x25aeb:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0x15877:$x3: NanoCore.ClientPluginHost 0x25b11:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0x15843:$i3: IClientNetwork 0x25adc:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0x15868:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0x15891:$i5: IClientDataHost 0x25b01:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0x25b2b:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0x158a1:$i7: IClientNetworkHost 0x25b3e:$i7: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.29fbfc4.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x15852:$a: NanoCore 0x15877:$a: NanoCore 0x158d0:$a: NanoCore 0x25aeb:$a: NanoCore 0x25b11:$a: NanoCore 0x25b6d:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x15649:$b: ClientPlugin 0x1565a:$b: ClientPlugin 0x1568a:$b: ClientPlugin 0x1585b:$b: ClientPlugin 0x15880:$b: ClientPlugin 0x25827:$b: ClientPlugin 0x2583e:$b: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.29fbfc4.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0x15877:$a1: NanoCore.ClientPluginHost 0x25b11:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x15852:$a2: NanoCore.ClientPlugin 0x25aeb:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0x19214:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x15868:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost 0x25b2b:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d1302e.14.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x1193b:$x1: NanoCore.ClientPluginHost 0x3683f:$x1: NanoCore.ClientPluginHost 0x45c7f:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost 0x11955:$x2: IClientNetworkHost 0x36859:$x2: IClientNetworkHost 0x45cbc:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d1302e.14.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x1193b:$x2: NanoCore.ClientPluginHost 0x3683f:$x2: NanoCore.ClientPluginHost 0x45c7f:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x136e6:$s4: PipeCreated 0x39b7c:$s4: PipeCreated 0x490d2:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost 0x11928:$s5: IClientLoggingHost 0x3682c:$s5: IClientLoggingHost 0x45ca9:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d1302e.14.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b70:$x2: NanoCore.ClientPlugin 0x11912:$x2: NanoCore.ClientPlugin 0x36816:$x2: NanoCore.ClientPlugin 0x45c5a:$x2: NanoCore.ClientPlugin 0x5b99:$x3: NanoCore.ClientPluginHost 0x1193b:$x3: NanoCore.ClientPluginHost 0x3683f:$x3: NanoCore.ClientPluginHost 0x45c7f:$x3: NanoCore.ClientPluginHost 0x5b61:$i3: IClientNetwork 0x11903:$i3: IClientNetwork 0x36807:$i3: IClientNetwork 0x45c4b:$i3: IClientNetwork 0x45c70:$i4: IClientAppHost 0x45c99:$i5: IClientDataHost 0x5b86:$i6: IClientLoggingHost 0x11928:$i6: IClientLoggingHost 0x3682c:$i6: IClientLoggingHost 0x45ca9:$i6: IClientLoggingHost 0x5bb3:$i7: IClientNetworkHost 0x11955:$i7: IClientNetworkHost 0x36859:$i7: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d1302e.14.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b99:$a1: NanoCore.ClientPluginHost 0x1193b:$a1: NanoCore.ClientPluginHost 0x3683f:$a1: NanoCore.ClientPluginHost 0x45c7f:$a1: NanoCore.ClientPluginHost 0x5b70:$a2: NanoCore.ClientPlugin 0x11912:$a2: NanoCore.ClientPlugin 0x36816:$a2: NanoCore.ClientPlugin 0x45c5a:$a2: NanoCore.ClientPlugin 0x45c70:$b4: IClientAppHost 0x13c84:$b7: LogClientException 0x3b86a:$b7: LogClientException 0x4a15f:$b7: LogClientException 0x5b86:$b9: IClientLoggingHost 0x11928:$b9: IClientLoggingHost 0x3682c:$b9: IClientLoggingHost 0x45ca9:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72a0000.28.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72a0000.28.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72a0000.28.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b70:$x2: NanoCore.ClientPlugin 0x5b99:$x3: NanoCore.ClientPluginHost 0x5b61:$i3: IClientNetwork 0x5b86:$i6: IClientLoggingHost 0x5bb3:$i7: IClientNetworkHost 0x59d4:$s1: ClientPlugin 0x5b79:$s1: ClientPlugin 0x5e84:$s2: EndPoint 0x5e8d:$s3: IPAddress 0x5e97:$s4: IPEndPoint
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72a0000.28.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b99:$a1: NanoCore.ClientPluginHost 0x5b70:$a2: NanoCore.ClientPlugin 0x5b86:$b9: IClientLoggingHost
17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea4c3d.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24170:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x2419d:$x2: IClientNetworkHost
17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea4c3d.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24170:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x2524b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x2418a:$s5: IClientLoggingHost
17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea4c3d.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea4c3d.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0x2413b:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0x24170:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0x2412f:$i2: IClientData 0xb165:$i3: IClientNetwork 0x24151:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0x24160:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0x2418a:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0x2419d:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0x241b0:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0x241be:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0x241da:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin
17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea4c3d.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb184:$a1: NanoCore.ClientPluginHost 0x24170:$a1: NanoCore.ClientPluginHost 0xb14f:$a2: NanoCore.ClientPlugin 0x2413b:$a2: NanoCore.ClientPlugin 0x100ca:$b1: get_BuilderSettings 0x290b6:$b1: get_BuilderSettings 0x10039:$b7: LogClientException 0x29025:$b7: LogClientException 0xb19e:$b9: IClientLoggingHost 0x2418a:$b9: IClientLoggingHost
17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28799:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287c6:$x2: IClientNetworkHost
17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28799:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29874:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287b3:$s5: IClientLoggingHost
17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0x28764:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0x28799:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0x28758:$i2: IClientData 0xf78e:$i3: IClientNetwork 0x2877a:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0x28789:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0x287b3:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0x287c6:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0x287d9:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0x287e7:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0x28803:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin
17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0x28799:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x28764:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x2d6df:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0x2d64e:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost 0x287b3:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6ff0000.25.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6ff0000.25.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6ff0000.25.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x227f:$x2: NanoCore.ClientPlugin 0x2205:$x3: NanoCore.ClientPluginHost 0x2295:$i3: IClientNetwork 0x221f:$i6: IClientLoggingHost 0x223e:$i7: IClientNetworkHost 0x1f9f:$s1: ClientPlugin 0x2288:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6ff0000.25.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2205:$a1: NanoCore.ClientPluginHost 0x227f:$a2: NanoCore.ClientPlugin 0x29a0:$b7: LogClientException 0x221f:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6e80000.23.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3f0b:$x1: NanoCore.ClientPluginHost 0x3f44:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6e80000.23.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3f0b:$x2: NanoCore.ClientPluginHost 0x400f:$s4: PipeCreated 0x3f25:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6e80000.23.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3f87:$x2: NanoCore.ClientPlugin 0x3f0b:$x3: NanoCore.ClientPluginHost 0x3f9d:$i3: IClientNetwork 0x3f25:$i6: IClientLoggingHost 0x3f44:$i7: IClientNetworkHost 0x3bfb:$s1: ClientPlugin 0x3f90:$s1: ClientPlugin 0x50f4:$s3: IPAddress
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6e80000.23.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3f0b:$a1: NanoCore.ClientPluginHost 0x3f87:$a2: NanoCore.ClientPlugin 0x4b10:$b7: LogClientException 0x3f25:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d4c9f.32.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1a53c:$x1: NanoCore.ClientPluginHost 0x1a556:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d4c9f.32.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1a53c:$x2: NanoCore.ClientPluginHost 0x1d879:$s4: PipeCreated 0x1a529:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d4c9f.32.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1a513:$x2: NanoCore.ClientPlugin 0x1a53c:$x3: NanoCore.ClientPluginHost 0x1a504:$i3: IClientNetwork 0x1a529:$i6: IClientLoggingHost 0x1a556:$i7: IClientNetworkHost 0x1a569:$i8: IClientUIHost 0x1a273:$s1: ClientPlugin 0x1a51c:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d4c9f.32.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1a53c:$a1: NanoCore.ClientPluginHost 0x1a513:$a2: NanoCore.ClientPlugin 0x1f567:$b7: LogClientException 0x1a529:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d2145e.13.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x2840f:$x1: NanoCore.ClientPluginHost 0x3784f:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost 0x28429:$x2: IClientNetworkHost 0x3788c:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d2145e.13.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x2840f:$x2: NanoCore.ClientPluginHost 0x3784f:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x2b74c:$s4: PipeCreated 0x3aca2:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost 0x283fc:$s5: IClientLoggingHost 0x37879:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d2145e.13.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x34e2:$x2: NanoCore.ClientPlugin 0x283e6:$x2: NanoCore.ClientPlugin 0x3782a:$x2: NanoCore.ClientPlugin 0x350b:$x3: NanoCore.ClientPluginHost 0x2840f:$x3: NanoCore.ClientPluginHost 0x3784f:$x3: NanoCore.ClientPluginHost 0x34d3:$i3: IClientNetwork 0x283d7:$i3: IClientNetwork 0x3781b:$i3: IClientNetwork 0x37840:$i4: IClientAppHost 0x37869:$i5: IClientDataHost 0x34f8:$i6: IClientLoggingHost 0x283fc:$i6: IClientLoggingHost 0x37879:$i6: IClientLoggingHost 0x3525:$i7: IClientNetworkHost 0x28429:$i7: IClientNetworkHost 0x3788c:$i7: IClientNetworkHost 0x2843c:$i8: IClientUIHost 0x3789f:$i8: IClientUIHost 0x378ad:$i9: IClientNameObjectCollection 0x334e:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d2145e.13.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x350b:$a1: NanoCore.ClientPluginHost 0x2840f:$a1: NanoCore.ClientPluginHost 0x3784f:$a1: NanoCore.ClientPluginHost 0x34e2:$a2: NanoCore.ClientPlugin 0x283e6:$a2: NanoCore.ClientPlugin 0x3782a:$a2: NanoCore.ClientPlugin 0x37840:$b4: IClientAppHost 0x5854:$b7: LogClientException 0x2d43a:$b7: LogClientException 0x3bd2f:$b7: LogClientException 0x34f8:$b9: IClientLoggingHost 0x283fc:$b9: IClientLoggingHost 0x37879:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a18f30.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a18f30.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a18f30.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x8b7f:$x2: NanoCore.ClientPlugin 0x8ba5:$x3: NanoCore.ClientPluginHost 0x8b70:$i3: IClientNetwork 0x8b95:$i5: IClientDataHost 0x8bbf:$i6: IClientLoggingHost 0x8bd2:$i7: IClientNetworkHost 0x8be5:$i9: IClientNameObjectCollection 0x8902:$s1: ClientPlugin 0x8b88:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a18f30.1.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x8ba5:$a1: NanoCore.ClientPluginHost 0x8b7f:$a2: NanoCore.ClientPlugin 0x8bbf:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7310000.33.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x41ee:$x1: NanoCore.ClientPluginHost 0x422b:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7310000.33.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x41ee:$x2: NanoCore.ClientPluginHost 0x7641:$s4: PipeCreated 0x4218:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7310000.33.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x41c9:$x2: NanoCore.ClientPlugin 0x41ee:$x3: NanoCore.ClientPluginHost 0x41ba:$i3: IClientNetwork 0x41df:$i4: IClientAppHost 0x4208:$i5: IClientDataHost 0x4218:$i6: IClientLoggingHost 0x422b:$i7: IClientNetworkHost 0x423e:$i8: IClientUIHost 0x424c:$i9: IClientNameObjectCollection 0x3f70:$s1: ClientPlugin 0x41d2:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7310000.33.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x41ee:$a1: NanoCore.ClientPluginHost 0x41c9:$a2: NanoCore.ClientPlugin 0x41df:$b4: IClientAppHost 0x86ce:$b7: LogClientException 0x4218:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7310000.33.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7310000.33.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7310000.33.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5fc9:$x2: NanoCore.ClientPlugin 0x5fee:$x3: NanoCore.ClientPluginHost 0x5fba:$i3: IClientNetwork 0x5fdf:$i4: IClientAppHost 0x6008:$i5: IClientDataHost 0x6018:$i6: IClientLoggingHost 0x602b:$i7: IClientNetworkHost 0x603e:$i8: IClientUIHost 0x604c:$i9: IClientNameObjectCollection 0x5d70:$s1: ClientPlugin 0x5fd2:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7310000.33.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5fee:$a1: NanoCore.ClientPluginHost 0x5fc9:$a2: NanoCore.ClientPlugin 0x5fdf:$b4: IClientAppHost 0xa4ce:$b7: LogClientException 0x6018:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72de8a4.31.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10937:$x1: NanoCore.ClientPluginHost 0x10951:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72de8a4.31.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x10937:$x2: NanoCore.ClientPluginHost 0x13c74:$s4: PipeCreated 0x10924:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72de8a4.31.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1090e:$x2: NanoCore.ClientPlugin 0x10937:$x3: NanoCore.ClientPluginHost 0x108ff:$i3: IClientNetwork 0x10924:$i6: IClientLoggingHost 0x10951:$i7: IClientNetworkHost 0x10964:$i8: IClientUIHost 0x1066e:$s1: ClientPlugin 0x10917:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72de8a4.31.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x10937:$a1: NanoCore.ClientPluginHost 0x1090e:$a2: NanoCore.ClientPlugin 0x15962:$b7: LogClientException 0x10924:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a0cc80.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x14e55:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost 0x14e82:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a0cc80.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x14e55:$x2: NanoCore.ClientPluginHost 0x15e24:$s2: FileCommand 0x6a6b:$s4: PipeCreated 0x1a826:$s4: PipeCreated 0x14e6f:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a0cc80.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x4b96:$x2: NanoCore.ClientPlugin 0x14e2f:$x2: NanoCore.ClientPlugin 0x4bbb:$x3: NanoCore.ClientPluginHost 0x14e55:$x3: NanoCore.ClientPluginHost 0x4b87:$i3: IClientNetwork 0x14e20:$i3: IClientNetwork 0x4bac:$i4: IClientAppHost 0x4bd5:$i5: IClientDataHost 0x14e45:$i5: IClientDataHost 0x14e6f:$i6: IClientLoggingHost 0x4be5:$i7: IClientNetworkHost 0x14e82:$i7: IClientNetworkHost 0x4bf8:$i9: IClientNameObjectCollection 0x14e95:$i9: IClientNameObjectCollection 0x4c1d:$i10: IClientReadOnlyNameObjectCollection 0x49ce:$s1: ClientPlugin 0x4b9f:$s1: ClientPlugin 0x14bb2:$s1: ClientPlugin 0x14e38:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a0cc80.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4bbb:$a1: NanoCore.ClientPluginHost 0x14e55:$a1: NanoCore.ClientPluginHost 0x4b96:$a2: NanoCore.ClientPlugin 0x14e2f:$a2: NanoCore.ClientPlugin 0x8558:$b1: get_BuilderSettings 0x4bac:$b4: IClientAppHost 0x14e6f:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39c9930.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39c9930.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d3db:$x2: NanoCore.ClientPluginHost 0x20718:$s4: PipeCreated 0x1d3c8:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39c9930.8.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1d3b2:$x2: NanoCore.ClientPlugin 0x1d3db:$x3: NanoCore.ClientPluginHost 0x1d3a3:$i3: IClientNetwork 0x1d3c8:$i6: IClientLoggingHost 0x1d3f5:$i7: IClientNetworkHost 0x1d408:$i8: IClientUIHost 0x1d112:$s1: ClientPlugin 0x1d3bb:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39c9930.8.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1d3db:$a1: NanoCore.ClientPluginHost 0x1d3b2:$a2: NanoCore.ClientPlugin 0x22406:$b7: LogClientException 0x1d3c8:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7000000.26.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7000000.26.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7000000.26.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5ad5:$x2: NanoCore.ClientPlugin 0x59eb:$x3: NanoCore.ClientPluginHost 0x5aeb:$i3: IClientNetwork 0x5a24:$i5: IClientDataHost 0x5a05:$i6: IClientLoggingHost 0x5b48:$i7: IClientNetworkHost 0x5a43:$i8: IClientUIHost 0x6955:$i9: IClientNameObjectCollection 0x54fc:$s1: ClientPlugin 0x5ade:$s1: ClientPlugin 0x6971:$s6: get_ClientSettings
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7000000.26.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x59eb:$a1: NanoCore.ClientPluginHost 0x5ad5:$a2: NanoCore.ClientPlugin 0x732e:$b7: LogClientException 0x6941:$b8: PipeExists 0x5a05:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7000000.26.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3deb:$x1: NanoCore.ClientPluginHost 0x3f48:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7000000.26.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3deb:$x2: NanoCore.ClientPluginHost 0x4d41:$s3: PipeExists 0x3fe1:$s4: PipeCreated 0x3e05:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7000000.26.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3ed5:$x2: NanoCore.ClientPlugin 0x3deb:$x3: NanoCore.ClientPluginHost 0x3eeb:$i3: IClientNetwork 0x3e24:$i5: IClientDataHost 0x3e05:$i6: IClientLoggingHost 0x3f48:$i7: IClientNetworkHost 0x3e43:$i8: IClientUIHost 0x4d55:$i9: IClientNameObjectCollection 0x38fc:$s1: ClientPlugin 0x3ede:$s1: ClientPlugin 0x4d71:$s6: get_ClientSettings
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7000000.26.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3deb:$a1: NanoCore.ClientPluginHost 0x3ed5:$a2: NanoCore.ClientPlugin 0x572e:$b7: LogClientException 0x4d41:$b8: PipeExists 0x3e05:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39d81d4.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10937:$x1: NanoCore.ClientPluginHost 0x10951:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39d81d4.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x10937:$x2: NanoCore.ClientPluginHost 0x13c74:$s4: PipeCreated 0x10924:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39d81d4.6.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1090e:$x2: NanoCore.ClientPlugin 0x10937:$x3: NanoCore.ClientPluginHost 0x108ff:$i3: IClientNetwork 0x10924:$i6: IClientLoggingHost 0x10951:$i7: IClientNetworkHost 0x10964:$i8: IClientUIHost 0x1066e:$s1: ClientPlugin 0x10917:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39d81d4.6.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x10937:$a1: NanoCore.ClientPluginHost 0x1090e:$a2: NanoCore.ClientPlugin 0x15962:$b7: LogClientException 0x10924:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a79658.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost 0x7675:$x1: NanoCore.ClientPluginHost 0x11cc7:$x1: NanoCore.ClientPluginHost 0x1c137:$x1: NanoCore.ClientPluginHost 0x2715d:$x1: NanoCore.ClientPluginHost 0x32f47:$x1: NanoCore.ClientPluginHost 0x3ed06:$x1: NanoCore.ClientPluginHost 0x76ae:$x2: IClientNetworkHost 0x11e24:$x2: IClientNetworkHost 0x1c170:$x2: IClientNetworkHost 0x27177:$x2: IClientNetworkHost 0x32f61:$x2: IClientNetworkHost 0x3ed43:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a79658.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0x7675:$x2: NanoCore.ClientPluginHost 0x11cc7:$x2: NanoCore.ClientPluginHost 0x1c137:$x2: NanoCore.ClientPluginHost 0x2715d:$x2: NanoCore.ClientPluginHost 0x32f47:$x2: NanoCore.ClientPluginHost 0x3ed06:$x2: NanoCore.ClientPluginHost 0x12c1d:$s3: PipeExists 0x1486:$s4: PipeCreated 0x7790:$s4: PipeCreated 0x11ebd:$s4: PipeCreated 0x1c282:$s4: PipeCreated 0x28192:$s4: PipeCreated 0x34cf2:$s4: PipeCreated 0x42159:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost 0x768f:$s5: IClientLoggingHost 0x11ce1:$s5: IClientLoggingHost 0x1c151:$s5: IClientLoggingHost 0x2714a:$s5: IClientLoggingHost 0x32f34:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a79658.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x13f2:$x2: NanoCore.ClientPlugin 0x76ef:$x2: NanoCore.ClientPlugin 0x11db1:$x2: NanoCore.ClientPlugin 0x1c1d7:$x2: NanoCore.ClientPlugin 0x27134:$x2: NanoCore.ClientPlugin 0x32f1e:$x2: NanoCore.ClientPlugin 0x3ece1:$x2: NanoCore.ClientPlugin 0x13a8:$x3: NanoCore.ClientPluginHost 0x7675:$x3: NanoCore.ClientPluginHost 0x11cc7:$x3: NanoCore.ClientPluginHost 0x1c137:$x3: NanoCore.ClientPluginHost 0x2715d:$x3: NanoCore.ClientPluginHost 0x32f47:$x3: NanoCore.ClientPluginHost 0x3ed06:$x3: NanoCore.ClientPluginHost 0x1408:$i3: IClientNetwork 0x7705:$i3: IClientNetwork 0x11dc7:$i3: IClientNetwork 0x1c1ed:$i3: IClientNetwork 0x27125:$i3: IClientNetwork 0x32f0f:$i3: IClientNetwork 0x3ecd2:$i3: IClientNetwork
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a79658.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x13a8:$a: NanoCore 0x13f2:$a: NanoCore 0x204c:$a: NanoCore 0x7675:$a: NanoCore 0x76ef:$a: NanoCore 0x11cc7:$a: NanoCore 0x11db1:$a: NanoCore 0x12c28:$a: NanoCore 0x1be17:$a: NanoCore 0x1be78:$a: NanoCore 0x1bebb:$a: NanoCore 0x1befb:$a: NanoCore 0x1c137:$a: NanoCore 0x1c1d7:$a: NanoCore 0x1c9af:$a: NanoCore 0x1cfa2:$a: NanoCore 0x1d0f3:$a: NanoCore 0x1df4d:$a: NanoCore 0x1e1b4:$a: NanoCore 0x1e1c9:$a: NanoCore 0x1e1e8:$a: NanoCore
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a79658.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x13a8:$a1: NanoCore.ClientPluginHost 0x7675:$a1: NanoCore.ClientPluginHost 0x11cc7:$a1: NanoCore.ClientPluginHost 0x1c137:$a1: NanoCore.ClientPluginHost 0x2715d:$a1: NanoCore.ClientPluginHost 0x32f47:$a1: NanoCore.ClientPluginHost 0x3ed06:$a1: NanoCore.ClientPluginHost 0x13f2:$a2: NanoCore.ClientPlugin 0x76ef:$a2: NanoCore.ClientPlugin 0x11db1:$a2: NanoCore.ClientPlugin 0x1c1d7:$a2: NanoCore.ClientPlugin 0x27134:$a2: NanoCore.ClientPlugin 0x32f1e:$a2: NanoCore.ClientPlugin 0x3ece1:$a2: NanoCore.ClientPlugin 0x3ecf7:$b4: IClientAppHost 0x7e10:$b7: LogClientException 0x1360a:$b7: LogClientException 0x1cf2d:$b7: LogClientException 0x35290:$b7: LogClientException 0x431e6:$b7: LogClientException 0x12c1d:$b8: PipeExists
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a6dde4.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0xcc1c:$x1: NanoCore.ClientPluginHost 0x12ee9:$x1: NanoCore.ClientPluginHost 0x1d53b:$x1: NanoCore.ClientPluginHost 0x279ab:$x1: NanoCore.ClientPluginHost 0x329d1:$x1: NanoCore.ClientPluginHost 0x3e7bb:$x1: NanoCore.ClientPluginHost 0x4a57a:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost 0x12f22:$x2: IClientNetworkHost 0x1d698:$x2: IClientNetworkHost 0x279e4:$x2: IClientNetworkHost 0x329eb:$x2: IClientNetworkHost 0x3e7d5:$x2: IClientNetworkHost 0x4a5b7:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a6dde4.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b0b:$x2: NanoCore.ClientPluginHost 0xcc1c:$x2: NanoCore.ClientPluginHost 0x12ee9:$x2: NanoCore.ClientPluginHost 0x1d53b:$x2: NanoCore.ClientPluginHost 0x279ab:$x2: NanoCore.ClientPluginHost 0x329d1:$x2: NanoCore.ClientPluginHost 0x3e7bb:$x2: NanoCore.ClientPluginHost 0x4a57a:$x2: NanoCore.ClientPluginHost 0x1e491:$s3: PipeExists 0x5c0f:$s4: PipeCreated 0xccfa:$s4: PipeCreated 0x13004:$s4: PipeCreated 0x1d731:$s4: PipeCreated 0x27af6:$s4: PipeCreated 0x33a06:$s4: PipeCreated 0x40566:$s4: PipeCreated 0x4d9cd:$s4: PipeCreated 0x5b25:$s5: IClientLoggingHost 0xcc36:$s5: IClientLoggingHost 0x12f03:$s5: IClientLoggingHost 0x1d555:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a6dde4.5.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b87:$x2: NanoCore.ClientPlugin 0xcc66:$x2: NanoCore.ClientPlugin 0x12f63:$x2: NanoCore.ClientPlugin 0x1d625:$x2: NanoCore.ClientPlugin 0x27a4b:$x2: NanoCore.ClientPlugin 0x329a8:$x2: NanoCore.ClientPlugin 0x3e792:$x2: NanoCore.ClientPlugin 0x4a555:$x2: NanoCore.ClientPlugin 0x5b0b:$x3: NanoCore.ClientPluginHost 0xcc1c:$x3: NanoCore.ClientPluginHost 0x12ee9:$x3: NanoCore.ClientPluginHost 0x1d53b:$x3: NanoCore.ClientPluginHost 0x279ab:$x3: NanoCore.ClientPluginHost 0x329d1:$x3: NanoCore.ClientPluginHost 0x3e7bb:$x3: NanoCore.ClientPluginHost 0x4a57a:$x3: NanoCore.ClientPluginHost 0x5b9d:$i3: IClientNetwork 0xcc7c:$i3: IClientNetwork 0x12f79:$i3: IClientNetwork 0x1d63b:$i3: IClientNetwork 0x27a61:$i3: IClientNetwork
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a6dde4.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x5b0b:$a: NanoCore 0x5b87:$a: NanoCore 0x846a:$a: NanoCore 0xcc1c:$a: NanoCore 0xcc66:$a: NanoCore 0xd8c0:$a: NanoCore 0x12ee9:$a: NanoCore 0x12f63:$a: NanoCore 0x1d53b:$a: NanoCore 0x1d625:$a: NanoCore 0x1e49c:$a: NanoCore 0x2768b:$a: NanoCore 0x276ec:$a: NanoCore 0x2772f:$a: NanoCore 0x2776f:$a: NanoCore 0x279ab:$a: NanoCore 0x27a4b:$a: NanoCore 0x28223:$a: NanoCore 0x28816:$a: NanoCore 0x28967:$a: NanoCore 0x297c1:$a: NanoCore
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a6dde4.5.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b0b:$a1: NanoCore.ClientPluginHost 0xcc1c:$a1: NanoCore.ClientPluginHost 0x12ee9:$a1: NanoCore.ClientPluginHost 0x1d53b:$a1: NanoCore.ClientPluginHost 0x279ab:$a1: NanoCore.ClientPluginHost 0x329d1:$a1: NanoCore.ClientPluginHost 0x3e7bb:$a1: NanoCore.ClientPluginHost 0x4a57a:$a1: NanoCore.ClientPluginHost 0x5b87:$a2: NanoCore.ClientPlugin 0xcc66:$a2: NanoCore.ClientPlugin 0x12f63:$a2: NanoCore.ClientPlugin 0x1d625:$a2: NanoCore.ClientPlugin 0x27a4b:$a2: NanoCore.ClientPlugin 0x329a8:$a2: NanoCore.ClientPlugin 0x3e792:$a2: NanoCore.ClientPlugin 0x4a555:$a2: NanoCore.ClientPlugin 0x4a56b:$b4: IClientAppHost 0x6710:$b7: LogClientException 0x13684:$b7: LogClientException 0x1ee7e:$b7: LogClientException 0x287a1:$b7: LogClientException
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a68378.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0xb577:$x1: NanoCore.ClientPluginHost 0x12688:$x1: NanoCore.ClientPluginHost 0x18955:$x1: NanoCore.ClientPluginHost 0x22fa7:$x1: NanoCore.ClientPluginHost 0x2d417:$x1: NanoCore.ClientPluginHost 0x3843d:$x1: NanoCore.ClientPluginHost 0x44227:$x1: NanoCore.ClientPluginHost 0x4ffe6:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost 0xb5b0:$x2: IClientNetworkHost 0x1898e:$x2: IClientNetworkHost 0x23104:$x2: IClientNetworkHost 0x2d450:$x2: IClientNetworkHost 0x38457:$x2: IClientNetworkHost 0x44241:$x2: IClientNetworkHost 0x50023:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a68378.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0xb577:$x2: NanoCore.ClientPluginHost 0x12688:$x2: NanoCore.ClientPluginHost 0x18955:$x2: NanoCore.ClientPluginHost 0x22fa7:$x2: NanoCore.ClientPluginHost 0x2d417:$x2: NanoCore.ClientPluginHost 0x3843d:$x2: NanoCore.ClientPluginHost 0x44227:$x2: NanoCore.ClientPluginHost 0x4ffe6:$x2: NanoCore.ClientPluginHost 0x23efd:$s3: PipeExists 0x1800:$s4: PipeCreated 0xb67b:$s4: PipeCreated 0x12766:$s4: PipeCreated 0x18a70:$s4: PipeCreated 0x2319d:$s4: PipeCreated 0x2d562:$s4: PipeCreated 0x39472:$s4: PipeCreated 0x45fd2:$s4: PipeCreated 0x53439:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost 0xb591:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a68378.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x175f:$x2: NanoCore.ClientPlugin 0xb5f3:$x2: NanoCore.ClientPlugin 0x126d2:$x2: NanoCore.ClientPlugin 0x189cf:$x2: NanoCore.ClientPlugin 0x23091:$x2: NanoCore.ClientPlugin 0x2d4b7:$x2: NanoCore.ClientPlugin 0x38414:$x2: NanoCore.ClientPlugin 0x441fe:$x2: NanoCore.ClientPlugin 0x4ffc1:$x2: NanoCore.ClientPlugin 0x16e3:$x3: NanoCore.ClientPluginHost 0xb577:$x3: NanoCore.ClientPluginHost 0x12688:$x3: NanoCore.ClientPluginHost 0x18955:$x3: NanoCore.ClientPluginHost 0x22fa7:$x3: NanoCore.ClientPluginHost 0x2d417:$x3: NanoCore.ClientPluginHost 0x3843d:$x3: NanoCore.ClientPluginHost 0x44227:$x3: NanoCore.ClientPluginHost 0x4ffe6:$x3: NanoCore.ClientPluginHost 0x1775:$i3: IClientNetwork 0xb609:$i3: IClientNetwork 0x126e8:$i3: IClientNetwork
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a68378.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x142b:$a: NanoCore 0x1484:$a: NanoCore 0x14b7:$a: NanoCore 0x16e3:$a: NanoCore 0x175f:$a: NanoCore 0x1d78:$a: NanoCore 0x1ec1:$a: NanoCore 0x2395:$a: NanoCore 0x267c:$a: NanoCore 0x2693:$a: NanoCore 0xb577:$a: NanoCore 0xb5f3:$a: NanoCore 0xded6:$a: NanoCore 0x12688:$a: NanoCore 0x126d2:$a: NanoCore 0x1332c:$a: NanoCore 0x18955:$a: NanoCore 0x189cf:$a: NanoCore 0x22fa7:$a: NanoCore 0x23091:$a: NanoCore 0x23f08:$a: NanoCore
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a68378.4.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x16e3:$a1: NanoCore.ClientPluginHost 0xb577:$a1: NanoCore.ClientPluginHost 0x12688:$a1: NanoCore.ClientPluginHost 0x18955:$a1: NanoCore.ClientPluginHost 0x22fa7:$a1: NanoCore.ClientPluginHost 0x2d417:$a1: NanoCore.ClientPluginHost 0x3843d:$a1: NanoCore.ClientPluginHost 0x44227:$a1: NanoCore.ClientPluginHost 0x4ffe6:$a1: NanoCore.ClientPluginHost 0x175f:$a2: NanoCore.ClientPlugin 0xb5f3:$a2: NanoCore.ClientPlugin 0x126d2:$a2: NanoCore.ClientPlugin 0x189cf:$a2: NanoCore.ClientPlugin 0x23091:$a2: NanoCore.ClientPlugin 0x2d4b7:$a2: NanoCore.ClientPlugin 0x38414:$a2: NanoCore.ClientPlugin 0x441fe:$a2: NanoCore.ClientPlugin 0x4ffc1:$a2: NanoCore.ClientPlugin 0x4ffd7:$b4: IClientAppHost 0xc17c:$b7: LogClientException 0x190f0:$b7: LogClientException
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b3f601.11.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b3f601.11.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x4b96:$x2: NanoCore.ClientPlugin 0x14db3:$x2: NanoCore.ClientPlugin 0x21fc0:$x2: NanoCore.ClientPlugin 0x2be14:$x2: NanoCore.ClientPlugin 0x32eaf:$x2: NanoCore.ClientPlugin 0x3916a:$x2: NanoCore.ClientPlugin 0x437eb:$x2: NanoCore.ClientPlugin 0x4dbce:$x2: NanoCore.ClientPlugin 0x58ae4:$x2: NanoCore.ClientPlugin 0x64888:$x2: NanoCore.ClientPlugin 0x8978e:$x2: NanoCore.ClientPlugin 0x98bd4:$x2: NanoCore.ClientPlugin 0xa1e71:$x2: NanoCore.ClientPlugin 0xb55e7:$x2: NanoCore.ClientPlugin 0xc3231:$x2: NanoCore.ClientPlugin 0xd344c:$x2: NanoCore.ClientPlugin 0xe0657:$x2: NanoCore.ClientPlugin 0xe5d18:$x2: NanoCore.ClientPlugin 0xebfd1:$x2: NanoCore.ClientPlugin 0xf6650:$x2: NanoCore.ClientPlugin 0x100a31:$x2: NanoCore.ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b3f601.11.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14db3:$a: NanoCore 0x14dd9:$a: NanoCore 0x14e35:$a: NanoCore 0x21c8c:$a: NanoCore 0x21ce5:$a: NanoCore 0x21d18:$a: NanoCore 0x21f44:$a: NanoCore 0x21fc0:$a: NanoCore 0x225d9:$a: NanoCore 0x22722:$a: NanoCore 0x22bf6:$a: NanoCore 0x22edd:$a: NanoCore 0x22ef4:$a: NanoCore 0x2bd98:$a: NanoCore 0x2be14:$a: NanoCore 0x2e6f7:$a: NanoCore 0x31aa9:$a: NanoCore 0x32e65:$a: NanoCore
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b3f601.11.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4bbb:$a1: NanoCore.ClientPluginHost 0x14dd9:$a1: NanoCore.ClientPluginHost 0x21f44:$a1: NanoCore.ClientPluginHost 0x2bd98:$a1: NanoCore.ClientPluginHost 0x32e65:$a1: NanoCore.ClientPluginHost 0x390f0:$a1: NanoCore.ClientPluginHost 0x43701:$a1: NanoCore.ClientPluginHost 0x4db2e:$a1: NanoCore.ClientPluginHost 0x58b0d:$a1: NanoCore.ClientPluginHost 0x648b1:$a1: NanoCore.ClientPluginHost 0x897b7:$a1: NanoCore.ClientPluginHost 0x98bf9:$a1: NanoCore.ClientPluginHost 0xa1eae:$a1: NanoCore.ClientPluginHost 0xb561c:$a1: NanoCore.ClientPluginHost 0xc3256:$a1: NanoCore.ClientPluginHost 0xd3472:$a1: NanoCore.ClientPluginHost 0xe05db:$a1: NanoCore.ClientPluginHost 0xe5cce:$a1: NanoCore.ClientPluginHost 0xebf57:$a1: NanoCore.ClientPluginHost 0xf6566:$a1: NanoCore.ClientPluginHost 0x100991:$a1: NanoCore.ClientPluginHost
0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.36d0a00.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1329dd:$x1: NanoCore.ClientPluginHost 0x132a1a:$x2: IClientNetworkHost 0x13654d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.36d0a00.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.36d0a00.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x132745:$x1: NanoCore Client 0x132755:$x1: NanoCore Client 0x13299d:$x2: NanoCore.ClientPlugin 0x1329dd:$x3: NanoCore.ClientPluginHost 0x132992:$i1: IClientApp 0x1329b3:$i2: IClientData 0x1329bf:$i3: IClientNetwork 0x1329ce:$i4: IClientAppHost 0x1329f7:$i5: IClientDataHost 0x132a07:$i6: IClientLoggingHost 0x132a1a:$i7: IClientNetworkHost 0x132a2d:$i8: IClientUIHost 0x132a3b:$i9: IClientNameObjectCollection 0x132a57:$i10: IClientReadOnlyNameObjectCollection 0x1327a4:$s1: ClientPlugin 0x1329a6:$s1: ClientPlugin 0x132e9a:$s2: EndPoint 0x132ea3:$s3: IPAddress 0x132ead:$s4: IPEndPoint 0x1348e3:$s6: get_ClientSettings 0x134e87:$s7: get_Connected
0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.36d0a00.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x132745:$a: NanoCore 0x132755:$a: NanoCore 0x132989:$a: NanoCore 0x13299d:$a: NanoCore 0x1329dd:$a: NanoCore 0x1327a4:$b: ClientPlugin 0x1329a6:$b: ClientPlugin 0x1329e6:$b: ClientPlugin 0x1328cb:$c: ProjectData 0x24aaa9:$c: ProjectData 0x28d481:$c: ProjectData 0x1332d2:$d: DESCrypto 0x13ac9e:$e: KeepAlive 0x138c8c:$g: LogClientMessage 0x134e87:$i: get_Connected 0x133608:$j: #=q 0x133638:$j: #=q 0x133654:$j: #=q 0x133684:$j: #=q 0x1336a0:$j: #=q 0x1336bc:$j: #=q
0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.36d0a00.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1329dd:$a1: NanoCore.ClientPluginHost 0x13299d:$a2: NanoCore.ClientPlugin 0x1348f6:$b1: get_BuilderSettings 0x1327f9:$b2: ClientLoaderForm.resources 0x134016:$b3: PluginCommand 0x1329ce:$b4: IClientAppHost 0x13ce4e:$b5: GetBlockHash 0x134f4e:$b6: AddHostEntry 0x138c41:$b7: LogClientException 0x134ebb:$b8: PipeExists 0x132a07:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b5fe62.12.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b5fe62.12.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x175f:$x2: NanoCore.ClientPlugin 0xb5b3:$x2: NanoCore.ClientPlugin 0x1264e:$x2: NanoCore.ClientPlugin 0x18909:$x2: NanoCore.ClientPlugin 0x22f8a:$x2: NanoCore.ClientPlugin 0x2d36d:$x2: NanoCore.ClientPlugin 0x38283:$x2: NanoCore.ClientPlugin 0x44027:$x2: NanoCore.ClientPlugin 0x68f2d:$x2: NanoCore.ClientPlugin 0x78373:$x2: NanoCore.ClientPlugin 0x81610:$x2: NanoCore.ClientPlugin 0x94d86:$x2: NanoCore.ClientPlugin 0xa29d0:$x2: NanoCore.ClientPlugin 0xb2beb:$x2: NanoCore.ClientPlugin 0xbfdf6:$x2: NanoCore.ClientPlugin 0xc54b7:$x2: NanoCore.ClientPlugin 0xcb770:$x2: NanoCore.ClientPlugin 0xd5def:$x2: NanoCore.ClientPlugin 0xe01d0:$x2: NanoCore.ClientPlugin 0xeb0e4:$x2: NanoCore.ClientPlugin 0xf6e86:$x2: NanoCore.ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b5fe62.12.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x142b:$a: NanoCore 0x1484:$a: NanoCore 0x14b7:$a: NanoCore 0x16e3:$a: NanoCore 0x175f:$a: NanoCore 0x1d78:$a: NanoCore 0x1ec1:$a: NanoCore 0x2395:$a: NanoCore 0x267c:$a: NanoCore 0x2693:$a: NanoCore 0xb537:$a: NanoCore 0xb5b3:$a: NanoCore 0xde96:$a: NanoCore 0x11248:$a: NanoCore 0x12604:$a: NanoCore 0x1264e:$a: NanoCore 0x132a8:$a: NanoCore 0x1888f:$a: NanoCore 0x18909:$a: NanoCore 0x22ea0:$a: NanoCore 0x22f8a:$a: NanoCore
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b5fe62.12.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x16e3:$a1: NanoCore.ClientPluginHost 0xb537:$a1: NanoCore.ClientPluginHost 0x12604:$a1: NanoCore.ClientPluginHost 0x1888f:$a1: NanoCore.ClientPluginHost 0x22ea0:$a1: NanoCore.ClientPluginHost 0x2d2cd:$a1: NanoCore.ClientPluginHost 0x382ac:$a1: NanoCore.ClientPluginHost 0x44050:$a1: NanoCore.ClientPluginHost 0x68f56:$a1: NanoCore.ClientPluginHost 0x78398:$a1: NanoCore.ClientPluginHost 0x8164d:$a1: NanoCore.ClientPluginHost 0x94dbb:$a1: NanoCore.ClientPluginHost 0xa29f5:$a1: NanoCore.ClientPluginHost 0xb2c11:$a1: NanoCore.ClientPluginHost 0xbfd7a:$a1: NanoCore.ClientPluginHost 0xc546d:$a1: NanoCore.ClientPluginHost 0xcb6f6:$a1: NanoCore.ClientPluginHost 0xd5d05:$a1: NanoCore.ClientPluginHost 0xe0130:$a1: NanoCore.ClientPluginHost 0xeb10d:$a1: NanoCore.ClientPluginHost 0xf6eaf:$a1: NanoCore.ClientPluginHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b4b835.10.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b4b835.10.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x8b7f:$x2: NanoCore.ClientPlugin 0x15d8c:$x2: NanoCore.ClientPlugin 0x1fbe0:$x2: NanoCore.ClientPlugin 0x26c7b:$x2: NanoCore.ClientPlugin 0x2cf36:$x2: NanoCore.ClientPlugin 0x375b7:$x2: NanoCore.ClientPlugin 0x4199a:$x2: NanoCore.ClientPlugin 0x4c8b0:$x2: NanoCore.ClientPlugin 0x58654:$x2: NanoCore.ClientPlugin 0x7d55a:$x2: NanoCore.ClientPlugin 0x8c9a0:$x2: NanoCore.ClientPlugin 0x95c3d:$x2: NanoCore.ClientPlugin 0xa93b3:$x2: NanoCore.ClientPlugin 0xb6ffd:$x2: NanoCore.ClientPlugin 0xc7218:$x2: NanoCore.ClientPlugin 0xd4423:$x2: NanoCore.ClientPlugin 0xd9ae4:$x2: NanoCore.ClientPlugin 0xdfd9d:$x2: NanoCore.ClientPlugin 0xea41c:$x2: NanoCore.ClientPlugin 0xf47fd:$x2: NanoCore.ClientPlugin 0xff711:$x2: NanoCore.ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b4b835.10.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a58:$a: NanoCore 0x15ab1:$a: NanoCore 0x15ae4:$a: NanoCore 0x15d10:$a: NanoCore 0x15d8c:$a: NanoCore 0x163a5:$a: NanoCore 0x164ee:$a: NanoCore 0x169c2:$a: NanoCore 0x16ca9:$a: NanoCore 0x16cc0:$a: NanoCore 0x1fb64:$a: NanoCore 0x1fbe0:$a: NanoCore 0x224c3:$a: NanoCore 0x25875:$a: NanoCore 0x26c31:$a: NanoCore 0x26c7b:$a: NanoCore 0x278d5:$a: NanoCore 0x2cebc:$a: NanoCore
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b4b835.10.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x8ba5:$a1: NanoCore.ClientPluginHost 0x15d10:$a1: NanoCore.ClientPluginHost 0x1fb64:$a1: NanoCore.ClientPluginHost 0x26c31:$a1: NanoCore.ClientPluginHost 0x2cebc:$a1: NanoCore.ClientPluginHost 0x374cd:$a1: NanoCore.ClientPluginHost 0x418fa:$a1: NanoCore.ClientPluginHost 0x4c8d9:$a1: NanoCore.ClientPluginHost 0x5867d:$a1: NanoCore.ClientPluginHost 0x7d583:$a1: NanoCore.ClientPluginHost 0x8c9c5:$a1: NanoCore.ClientPluginHost 0x95c7a:$a1: NanoCore.ClientPluginHost 0xa93e8:$a1: NanoCore.ClientPluginHost 0xb7022:$a1: NanoCore.ClientPluginHost 0xc723e:$a1: NanoCore.ClientPluginHost 0xd43a7:$a1: NanoCore.ClientPluginHost 0xd9a9a:$a1: NanoCore.ClientPluginHost 0xdfd23:$a1: NanoCore.ClientPluginHost 0xea332:$a1: NanoCore.ClientPluginHost 0xf475d:$a1: NanoCore.ClientPluginHost 0xff73a:$a1: NanoCore.ClientPluginHost
Click to see the 267 entries

Sigma Signatures

AV Detection

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, ProcessId: 4128, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud

Sigma detected: NanoCore

Source: File created

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JLsbuY" /XML "C:\Users\user\AppData\Local\Temp\tmp8832.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JLsbuY" /XML "C:\Users\user\AppData\Local\Temp\tmp8832.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe" , ParentImage: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, ParentProcessId: 3256, ParentProcessName: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JLsbuY" /XML "C:\Users\user\AppData\Local\Temp\tmp8832.tmp, ProcessId: 1592, ProcessName: schtasks.exe

Stealing of Sensitive Information

Sigma detected: NanoCore

Source: File created

Remote Access Functionality

Sigma detected: NanoCore

Source: File created

Snort Signatures

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 37.139.129.71 - Destination IP: 192.168.2.4

Timestamp:	37.139.129.71192.168.2.47712496982841753 10/01/22-12:42:35.121312
SID:	2841753
Source Port:	7712
Destination Port:	49698
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 37.139.129.71

Timestamp:	192.168.2.437.139.129.714969877122025019 10/01/22-12:42:30.424505
SID:	2025019
Source Port:	49698
Destination Port:	7712
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 37.139.129.71

Timestamp:	192.168.2.437.139.129.714969877122816766 10/01/22-12:42:35.951752
SID:	2816766
Source Port:	49698
Destination Port:	7712
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	ReversingLabs: Detection: 34%
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Virustotal: Detection: 30%			Perma Link

Antivirus detection for URL or domain

Source: godisgood1.hopto.org	Avira URL Cloud: Label: malware
Source: 185.225.73.164	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: godisgood1.hopto.org	Virustotal: Detection: 13%			Perma Link
Source: godisgood1.hopto.org	Virustotal: Detection: 13%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Roaming\JLsbuY.exe	ReversingLabs: Detection: 36%

Yara detected Nanocore RAT

Source: Yara match	File source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5284629.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3e9b7de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea4c3d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b3f601.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.36d0a00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b5fe62.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b4b835.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.500556457.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.590108854.0000000005280000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.497822993.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.351210930.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.343643595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.502379246.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.572765724.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.352245428.00000000035EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 3256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 4128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 5000, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 1276, type: MEMORYSTR

Machine Learning detection for sample

Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\JLsbuY.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Joe Sandbox ML: detected

Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.unpack	Avira: Label: TR/NanoCore.fadte
Source: 3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Source: 00000011.00000002.500556457.0000000003E59000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "bcd7727e-ef56-4958-8ed9-949f5c5e", "Group": "Default", "Domain1": "godisgood1.hopto.org", "Domain2": "185.225.73.164", "Port": 7712, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.593436718.0000000006E80000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.593817105.0000000006FE0000.00000004.08000000.00040000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.584965011.0000000003CAE000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.594066194.0000000007010000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.592602875.0000000006540000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.584965011.0000000003CAE000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.593962047.0000000007000000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.593893494.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

Code function: 4x nop then lea esp, dword ptr [ebp-04h]

3_2_0657B7A1

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49698 -> 37.139.129.71:7712
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49698 -> 37.139.129.71:7712
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 37.139.129.71:7712 -> 192.168.2.4:49698

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: godisgood1.hopto.org
Source: Malware configuration extractor	URLs: 185.225.73.164

Source: Joe Sandbox View

ASN Name: LVLT-10753US LVLT-10753US

Source: Joe Sandbox View

IP Address: 37.139.129.71 37.139.129.71

Source: global traffic

TCP traffic: 192.168.2.4:49698 -> 37.139.129.71:7712

Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303119536.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://en.w
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.584965011.0000000003CAE000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.593962047.0000000007000000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://google.com
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.346550034.00000000024A1000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.572765724.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000006.00000002.453978396.00000000031B5000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000009.00000002.455600928.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 0000000A.00000002.480986509.0000000002974000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.317352691.0000000005522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.agfamonotype.
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.317352691.0000000005522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.agfamonotype.~SBIm
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.312451749.000000000554D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.312292131.000000000551A000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.311980649.0000000005519000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.313059366.0000000005519000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.311387611.0000000005518000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comF
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.311980649.0000000005519000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comFV
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.313059366.0000000005519000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comcom
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.313059366.0000000005519000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comcomFH
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.311980649.0000000005519000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comd
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.311980649.0000000005519000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comdd
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.344604107.0000000005510000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.365697319.000000000551A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comepkoH
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.312292131.000000000551A000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.311980649.0000000005519000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comessed
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.344604107.0000000005510000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.365697319.000000000551A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comiona
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.313059366.0000000005519000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comituF
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.344604107.0000000005510000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.365697319.000000000551A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comm
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303685970.0000000005534000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303762586.000000000552B000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303640331.0000000005532000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303671777.000000000552B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303685970.0000000005534000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.comS
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303685970.0000000005534000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303640331.0000000005532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.comibi
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303762586.000000000552B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.comic
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303629841.000000000552B000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303671777.000000000552B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.comical
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.307239153.0000000005514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.c
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.307654597.000000000551B000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.307572542.0000000005519000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.307239153.0000000005514000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.307170791.000000000554D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn#H4
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.307564401.0000000005514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/om
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.307170791.000000000554D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnT
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.307170791.000000000554D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnoH%
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.307170791.000000000554D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnr-f
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.307170791.000000000554D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnsH
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303377395.000000000552B000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303559071.0000000005533000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303715113.0000000005534000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303685970.0000000005534000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303820040.0000000005533000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303588332.0000000005534000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303452217.0000000005534000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303515704.0000000005534000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303774139.0000000005533000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303418482.0000000005533000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303640331.0000000005532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303377395.000000000552B000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303559071.0000000005533000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303820040.0000000005533000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303774139.0000000005533000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303418482.0000000005533000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303640331.0000000005532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.comn-u
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.306187785.0000000005519000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.krXH.
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.306187785.0000000005519000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.krend
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.304289380.000000000552B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.comc
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.304268623.000000000552B000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.304289380.000000000552B000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.304202190.000000000552B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.comn
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.313059366.0000000005519000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.de
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.313059366.0000000005519000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deJ(
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.313059366.0000000005519000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.derT
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: unknown

DNS traffic detected: queries for: godisgood1.hopto.org

Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.345324035.000000000092B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud

Yara detected Nanocore RAT

Source: Yara match	File source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5284629.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3e9b7de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea4c3d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b3f601.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.36d0a00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b5fe62.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b4b835.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.500556457.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.590108854.0000000005280000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.497822993.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.351210930.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.343643595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.502379246.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.572765724.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.352245428.00000000035EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 3256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 4128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 5000, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 1276, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a6dde4.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a6dde4.5.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a6dde4.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2eb9838.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2eb9838.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2eb9838.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7010000.27.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7010000.27.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7010000.27.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cd0000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cd0000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cd0000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 18.2.dhcpmon.exe.32d9658.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.dhcpmon.exe.32d9658.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 18.2.dhcpmon.exe.32d9658.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d1302e.14.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d1302e.14.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d1302e.14.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d0000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d0000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d0000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6ff0000.25.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6ff0000.25.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6ff0000.25.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a0cc80.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a0cc80.2.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a0cc80.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39ce5cf.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39ce5cf.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39ce5cf.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5284629.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5284629.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5284629.18.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d0a1ff.15.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d0a1ff.15.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d0a1ff.15.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d0a1ff.15.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d2145e.13.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d2145e.13.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d2145e.13.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39c9930.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39c9930.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7010000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39c9930.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7010000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7010000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b4b835.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b4b835.10.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b4b835.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d0a1ff.15.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d0a1ff.15.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d0a1ff.15.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cc0000.19.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cc0000.19.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cc0000.19.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a18f30.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a18f30.1.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a18f30.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5050000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5050000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5050000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a79658.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a79658.3.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a79658.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b3f601.11.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b3f601.11.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b3f601.11.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72a0000.28.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72a0000.28.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72a0000.28.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72c0000.29.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72c0000.29.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72c0000.29.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6fe0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6fe0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6fe0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cc0000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cc0000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cc0000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d0000.30.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d0000.30.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d0000.30.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6e80000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6e80000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6e80000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6540000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6540000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6540000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3e9b7de.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3e9b7de.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3e9b7de.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3e9b7de.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cd0000.20.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cd0000.20.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cd0000.20.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72c0000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72c0000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72c0000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.29fbfc4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.29fbfc4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.29fbfc4.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.29fbfc4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d1302e.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d1302e.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d1302e.14.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72a0000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72a0000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72a0000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea4c3d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea4c3d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea4c3d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6ff0000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6ff0000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6ff0000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6e80000.23.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6e80000.23.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6e80000.23.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d4c9f.32.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d4c9f.32.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d4c9f.32.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d2145e.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d2145e.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d2145e.13.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a18f30.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a18f30.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a18f30.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7310000.33.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7310000.33.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7310000.33.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7310000.33.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7310000.33.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7310000.33.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72de8a4.31.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72de8a4.31.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72de8a4.31.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a0cc80.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a0cc80.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a0cc80.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39c9930.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39c9930.8.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39c9930.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7000000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7000000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7000000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7000000.26.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7000000.26.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7000000.26.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39d81d4.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39d81d4.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39d81d4.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a79658.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a79658.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a79658.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a79658.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a6dde4.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a6dde4.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a6dde4.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a6dde4.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a68378.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a68378.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a68378.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a68378.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b3f601.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b3f601.11.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b3f601.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.36d0a00.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.36d0a00.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.36d0a00.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.36d0a00.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b5fe62.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b5fe62.12.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b5fe62.12.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b4b835.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b4b835.10.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b4b835.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.594571838.00000000072D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.594571838.00000000072D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.594571838.00000000072D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.594469574.00000000072C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.594469574.00000000072C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.594469574.00000000072C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.593893494.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.593893494.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.593893494.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.590737920.0000000005CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.590737920.0000000005CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.590737920.0000000005CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.593817105.0000000006FE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.593817105.0000000006FE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.593817105.0000000006FE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000003.376885871.0000000006301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000011.00000002.500556457.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000002.500556457.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.590108854.0000000005280000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.590108854.0000000005280000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.590108854.0000000005280000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.594220234.00000000072A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.594220234.00000000072A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.594220234.00000000072A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000011.00000002.497822993.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000002.497822993.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.584965011.0000000003CAE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.584965011.0000000003CAE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.590874533.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.590874533.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.590874533.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.593962047.0000000007000000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.593962047.0000000007000000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.593962047.0000000007000000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.594928792.0000000007310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.594928792.0000000007310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.594928792.0000000007310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.594066194.0000000007010000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.594066194.0000000007010000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.594066194.0000000007010000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.351210930.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.351210930.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.351210930.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000000.343643595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000000.343643595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000000.343643595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.593436718.0000000006E80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.593436718.0000000006E80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.593436718.0000000006E80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.592602875.0000000006540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.592602875.0000000006540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.592602875.0000000006540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.589979363.0000000005050000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.589979363.0000000005050000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.589979363.0000000005050000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.580783944.00000000039C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000012.00000002.502379246.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.502379246.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.572765724.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.572765724.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.352245428.00000000035EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.352245428.00000000035EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.352245428.00000000035EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 3256, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 3256, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 3256, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 4128, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 4128, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 4128, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 5000, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 5000, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: dhcpmon.exe PID: 1276, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 1276, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown

.NET source code contains very large strings

Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, MRU.cs	Long String: Length: 129663
Source: JLsbuY.exe.0.dr, MRU.cs	Long String: Length: 129663
Source: 0.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.110000.0.unpack, MRU.cs	Long String: Length: 129663
Source: dhcpmon.exe.3.dr, MRU.cs	Long String: Length: 129663

Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a6dde4.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a6dde4.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a6dde4.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a6dde4.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2eb9838.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2eb9838.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2eb9838.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2eb9838.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7010000.27.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7010000.27.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7010000.27.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7010000.27.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cd0000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cd0000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cd0000.20.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cd0000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 18.2.dhcpmon.exe.32d9658.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.2.dhcpmon.exe.32d9658.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.2.dhcpmon.exe.32d9658.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 18.2.dhcpmon.exe.32d9658.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d1302e.14.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d1302e.14.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d1302e.14.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d1302e.14.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d0000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d0000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d0000.30.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d0000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6ff0000.25.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6ff0000.25.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6ff0000.25.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6ff0000.25.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a0cc80.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a0cc80.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a0cc80.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a0cc80.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39ce5cf.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39ce5cf.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39ce5cf.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39ce5cf.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5284629.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5284629.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5284629.18.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5284629.18.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d0a1ff.15.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d0a1ff.15.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d0a1ff.15.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d0a1ff.15.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d0a1ff.15.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d2145e.13.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d2145e.13.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d2145e.13.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d2145e.13.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39c9930.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39c9930.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39c9930.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7010000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7010000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39c9930.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7010000.27.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7010000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b4b835.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b4b835.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b4b835.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b4b835.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d0a1ff.15.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d0a1ff.15.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d0a1ff.15.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d0a1ff.15.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cc0000.19.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cc0000.19.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cc0000.19.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cc0000.19.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a18f30.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a18f30.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a18f30.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a18f30.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5050000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5050000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5050000.16.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5050000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a79658.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a79658.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a79658.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a79658.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b3f601.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b3f601.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b3f601.11.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b3f601.11.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72a0000.28.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72a0000.28.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72a0000.28.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72a0000.28.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72c0000.29.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72c0000.29.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72c0000.29.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72c0000.29.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6fe0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6fe0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6fe0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6fe0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cc0000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cc0000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cc0000.19.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cc0000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d0000.30.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d0000.30.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d0000.30.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d0000.30.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6e80000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6e80000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6e80000.23.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6e80000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6540000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6540000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6540000.22.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6540000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3e9b7de.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3e9b7de.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3e9b7de.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3e9b7de.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3e9b7de.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cd0000.20.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cd0000.20.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cd0000.20.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cd0000.20.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72c0000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72c0000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72c0000.29.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72c0000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.29fbfc4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.29fbfc4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.29fbfc4.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.29fbfc4.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.29fbfc4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d1302e.14.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d1302e.14.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d1302e.14.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d1302e.14.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72a0000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72a0000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72a0000.28.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72a0000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea4c3d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea4c3d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea4c3d.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea4c3d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6ff0000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6ff0000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6ff0000.25.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6ff0000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6e80000.23.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6e80000.23.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6e80000.23.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6e80000.23.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d4c9f.32.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d4c9f.32.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d4c9f.32.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d4c9f.32.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d2145e.13.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d2145e.13.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d2145e.13.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d2145e.13.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a18f30.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a18f30.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a18f30.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a18f30.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7310000.33.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7310000.33.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7310000.33.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7310000.33.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7310000.33.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7310000.33.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7310000.33.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7310000.33.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72de8a4.31.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72de8a4.31.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72de8a4.31.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72de8a4.31.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a0cc80.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a0cc80.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a0cc80.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a0cc80.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39c9930.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39c9930.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39c9930.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39c9930.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7000000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7000000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7000000.26.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7000000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7000000.26.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7000000.26.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7000000.26.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7000000.26.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39d81d4.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39d81d4.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39d81d4.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39d81d4.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a79658.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a79658.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a79658.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a79658.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a79658.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a6dde4.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a6dde4.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a6dde4.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a6dde4.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a6dde4.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a68378.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a68378.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a68378.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a68378.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a68378.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b3f601.11.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b3f601.11.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b3f601.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.36d0a00.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.36d0a00.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.36d0a00.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.36d0a00.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b5fe62.12.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b5fe62.12.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b5fe62.12.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b4b835.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b4b835.10.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b4b835.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.594571838.00000000072D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.594571838.00000000072D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.594571838.00000000072D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.594571838.00000000072D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.594469574.00000000072C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.594469574.00000000072C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.594469574.00000000072C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.594469574.00000000072C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.593893494.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.593893494.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.593893494.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.593893494.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.590737920.0000000005CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.590737920.0000000005CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.590737920.0000000005CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.590737920.0000000005CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.593817105.0000000006FE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.593817105.0000000006FE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.593817105.0000000006FE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.593817105.0000000006FE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000003.376885871.0000000006301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000011.00000002.500556457.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000011.00000002.500556457.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.590108854.0000000005280000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.590108854.0000000005280000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.590108854.0000000005280000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.590108854.0000000005280000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.594220234.00000000072A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.594220234.00000000072A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.594220234.00000000072A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.594220234.00000000072A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000011.00000002.497822993.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000011.00000002.497822993.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.584965011.0000000003CAE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.584965011.0000000003CAE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.590874533.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.590874533.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.590874533.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.590874533.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.593962047.0000000007000000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.593962047.0000000007000000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.593962047.0000000007000000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.593962047.0000000007000000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.594928792.0000000007310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.594928792.0000000007310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.594928792.0000000007310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.594928792.0000000007310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.594066194.0000000007010000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.594066194.0000000007010000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.594066194.0000000007010000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.594066194.0000000007010000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.351210930.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.351210930.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.351210930.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000000.343643595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000000.343643595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000000.343643595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.593436718.0000000006E80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.593436718.0000000006E80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.593436718.0000000006E80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.593436718.0000000006E80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.592602875.0000000006540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.592602875.0000000006540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.592602875.0000000006540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.592602875.0000000006540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.589979363.0000000005050000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.589979363.0000000005050000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.589979363.0000000005050000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.589979363.0000000005050000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.580783944.00000000039C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000012.00000002.502379246.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000012.00000002.502379246.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.572765724.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.572765724.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.352245428.00000000035EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.352245428.00000000035EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.352245428.00000000035EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 3256, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 3256, type: MEMORYSTR	Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, score = file, reference = Internal Research
Source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 3256, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 3256, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 4128, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 4128, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 4128, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 3260, type: MEMORYSTR	Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, score = file, reference = Internal Research
Source: Process Memory Space: dhcpmon.exe PID: 1680, type: MEMORYSTR	Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, score = file, reference = Internal Research
Source: Process Memory Space: dhcpmon.exe PID: 2068, type: MEMORYSTR	Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, score = file, reference = Internal Research
Source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 5000, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 5000, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: dhcpmon.exe PID: 1276, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 1276, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Code function: 0_2_0248E710	0_2_0248E710
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Code function: 0_2_0248E720	0_2_0248E720
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Code function: 0_2_0248C414	0_2_0248C414
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Code function: 0_2_06CEE6B0	0_2_06CEE6B0
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Code function: 3_2_04E0E480	3_2_04E0E480
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Code function: 3_2_04E0E471	3_2_04E0E471
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Code function: 3_2_04E0BBD4	3_2_04E0BBD4
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Code function: 3_2_04F5F5F8	3_2_04F5F5F8
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Code function: 3_2_04F59788	3_2_04F59788
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Code function: 3_2_04F5A610	3_2_04F5A610
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Code function: 3_2_06579238	3_2_06579238
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Code function: 3_2_06570040	3_2_06570040
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Code function: 3_2_06577F78	3_2_06577F78
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Code function: 3_2_06578CB0	3_2_06578CB0
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Code function: 3_2_065792F6	3_2_065792F6

Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	ReversingLabs: Detection: 34%
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Virustotal: Detection: 30%

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

File read: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

Jump to behavior

Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe "C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe"
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JLsbuY" /XML "C:\Users\user\AppData\Local\Temp\tmp8832.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process created: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe {path}
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp690.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe "C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe" 0
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpA4B.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JLsbuY" /XML "C:\Users\user\AppData\Local\Temp\tmp2889.tmp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JLsbuY" /XML "C:\Users\user\AppData\Local\Temp\tmp2B48.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process created: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe {path}
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JLsbuY" /XML "C:\Users\user\AppData\Local\Temp\tmp63CD.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JLsbuY" /XML "C:\Users\user\AppData\Local\Temp\tmp8832.tmp	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process created: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp690.tmp	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpA4B.tmp	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JLsbuY" /XML "C:\Users\user\AppData\Local\Temp\tmp2889.tmp	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process created: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe {path}	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JLsbuY" /XML "C:\Users\user\AppData\Local\Temp\tmp2B48.tmp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JLsbuY" /XML "C:\Users\user\AppData\Local\Temp\tmp63CD.tmp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

File created: C:\Users\user\AppData\Roaming\JLsbuY.exe

Jump to behavior

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

File created: C:\Users\user\AppData\Local\Temp\tmp8832.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@30/15@3/1

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2220:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5000:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2188:120:WilError_01
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{bcd7727e-ef56-4958-8ed9-949f5c5ea8f6}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4616:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6052:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4748:120:WilError_01

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: 3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

Static file information: File size 1189376 > 1048576

Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x121000

Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.593436718.0000000006E80000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.593817105.0000000006FE0000.00000004.08000000.00040000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.584965011.0000000003CAE000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.594066194.0000000007010000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.592602875.0000000006540000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.584965011.0000000003CAE000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.593962047.0000000007000000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.593893494.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Code function: 0_2_04AD8DEC push E801005Eh; retf	0_2_04AD8E01
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Code function: 0_2_04ADB200 pushfd ; retf	0_2_04ADB201
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Code function: 0_2_04AD1FE7 push eax; mov dword ptr [esp], ecx	0_2_04AD1FFC
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Code function: 0_2_04AD1FF8 push eax; mov dword ptr [esp], ecx	0_2_04AD1FFC
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Code function: 3_2_04F569F8 pushad ; retf	3_2_04F569F9
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Code function: 3_2_04F569FA push esp; retf	3_2_04F56A01
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Code function: 3_2_0657A3F0 push ds; iretd	3_2_0657A3FE
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Code function: 3_2_0657BE00 push es; retf	3_2_0657CC8C

Source: initial sample	Static PE information: section name: .text entropy: 6.951369793482402
Source: initial sample	Static PE information: section name: .text entropy: 6.951369793482402
Source: initial sample	Static PE information: section name: .text entropy: 6.951369793482402

Source: 3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	File created: \application form master sdpo brilinskiy new u.exe
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	File created: \application form master sdpo brilinskiy new u.exe
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	File created: \application form master sdpo brilinskiy new u.exe
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	File created: \application form master sdpo brilinskiy new u.exe
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	File created: \application form master sdpo brilinskiy new u.exe
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	File created: \application form master sdpo brilinskiy new u.exe
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	File created: \application form master sdpo brilinskiy new u.exe	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	File created: \application form master sdpo brilinskiy new u.exe	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	File created: \application form master sdpo brilinskiy new u.exe	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	File created: \application form master sdpo brilinskiy new u.exe	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	File created: \application form master sdpo brilinskiy new u.exe	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	File created: \application form master sdpo brilinskiy new u.exe	Jump to behavior

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	File created: C:\Users\user\AppData\Roaming\JLsbuY.exe			Jump to dropped file
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JLsbuY" /XML "C:\Users\user\AppData\Local\Temp\tmp8832.tmp

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

File opened: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 3256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 3260, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 1680, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 2068, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.346550034.00000000024A1000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000006.00000002.453978396.00000000031B5000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000009.00000002.455600928.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.346550034.00000000024A1000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000006.00000002.453978396.00000000031B5000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000009.00000002.455600928.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe TID: 3996	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe TID: 6048	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe TID: 972	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5276	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1968	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe TID: 6052	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5348	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5336	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Window / User API: threadDelayed 9216	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Window / User API: foregroundWindowGot 440	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Window / User API: foregroundWindowGot 384	Jump to behavior

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000006.00000002.468982131.0000000007333000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
Source: dhcpmon.exe, 00000009.00000002.455600928.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: dhcpmon.exe, 00000009.00000002.455600928.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: dhcpmon.exe, 00000009.00000002.455600928.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dhcpmon.exe, 00000009.00000002.455600928.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: dhcpmon.exe, 00000009.00000002.455600928.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: dhcpmon.exe, 00000009.00000002.455600928.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dhcpmon.exe, 00000009.00000002.445842687.00000000012CB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:m
Source: dhcpmon.exe, 00000009.00000002.455600928.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: dhcpmon.exe, 00000009.00000002.455600928.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: dhcpmon.exe, 00000009.00000002.455600928.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

Code function: 3_2_065739C0 LdrInitializeThunk,

3_2_065739C0

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Memory written: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Memory written: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JLsbuY" /XML "C:\Users\user\AppData\Local\Temp\tmp8832.tmp	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process created: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp690.tmp	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpA4B.tmp	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JLsbuY" /XML "C:\Users\user\AppData\Local\Temp\tmp2889.tmp	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process created: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe {path}	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JLsbuY" /XML "C:\Users\user\AppData\Local\Temp\tmp2B48.tmp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JLsbuY" /XML "C:\Users\user\AppData\Local\Temp\tmp63CD.tmp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}

Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.578822012.0000000002D20000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.580163177.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerD$
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.595087597.000000000768E000.00000004.00000010.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.592546991.000000000653D000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Managerram Manager
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.595175494.000000000798E000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Manager0
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.593174195.0000000006A7E000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Manager X

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Nanocore RAT

Source: Yara match	File source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5284629.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3e9b7de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea4c3d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b3f601.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.36d0a00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b5fe62.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b4b835.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.500556457.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.590108854.0000000005280000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.497822993.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.351210930.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.343643595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.502379246.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.572765724.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.352245428.00000000035EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 3256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 4128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 5000, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 1276, type: MEMORYSTR

Remote Access Functionality

Detected Nanocore Rat

Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.351210930.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.352245428.00000000035EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.594571838.00000000072D0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.594469574.00000000072C0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.593893494.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.593893494.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.590737920.0000000005CC0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.593817105.0000000006FE0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.593817105.0000000006FE0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000003.376885871.0000000006301000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.594220234.00000000072A0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.584965011.0000000003CAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.584965011.0000000003CAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.590874533.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.593962047.0000000007000000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.594928792.0000000007310000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.594066194.0000000007010000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.594066194.0000000007010000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000000.343643595.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.592602875.0000000006540000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.592602875.0000000006540000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.593436718.0000000006E80000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.572765724.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.572765724.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.580783944.00000000039C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000011.00000002.500556457.0000000003E59000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000011.00000002.500556457.0000000003E59000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000011.00000002.497822993.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000011.00000002.497822993.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 00000012.00000002.502379246.0000000003271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000012.00000002.502379246.0000000003271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Source: Yara match	File source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5284629.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3e9b7de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea4c3d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b3f601.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.36d0a00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b5fe62.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b4b835.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.500556457.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.590108854.0000000005280000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.497822993.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.351210930.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.343643595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.502379246.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.572765724.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.352245428.00000000035EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 3256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 4128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 5000, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 1276, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	112 Process Injection	2 Masquerading	21 Input Capture	21 Security Software Discovery	Remote Services	21 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Remote Access Software	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	112 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	11 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Hidden Files and Directories	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	12 Software Packing	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	34%	ReversingLabs	ByteCode-MSIL.Trojan.Woreflint
APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	31%	Virustotal		Browse
APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\JLsbuY.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	37%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Roaming\JLsbuY.exe	37%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.unpack	100%	Avira	TR/NanoCore.fadte		Download File
3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7		Download File

Domains

Source	Detection	Scanner	Label	Link
godisgood1.hopto.org	14%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.sajatypeworks.comn-u	0%	URL Reputation	safe
http://www.founder.com.cn/cnT	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.fontbureau.comessed	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.fontbureau.comiona	0%	URL Reputation	safe
http://www.fontbureau.comiona	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.fonts.comic	0%	URL Reputation	safe
http://www.fontbureau.comcom	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.founder.com.cn/cnr-f	0%	URL Reputation	safe
http://www.fontbureau.comF	0%	URL Reputation	safe
http://www.agfamonotype.	0%	URL Reputation	safe
http://www.founder.com.c	0%	URL Reputation	safe
http://www.tiro.comn	0%	URL Reputation	safe
http://www.fontbureau.comd	0%	URL Reputation	safe
http://en.w	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.fontbureau.comituF	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.comm	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.tiro.comc	0%	URL Reputation	safe
godisgood1.hopto.org	14%	Virustotal		Browse
http://www.fontbureau.comFV	0%	Avira URL Cloud	safe
http://www.fonts.comibi	0%	Avira URL Cloud	safe
http://www.fontbureau.comepkoH	0%	Avira URL Cloud	safe
godisgood1.hopto.org	100%	Avira URL Cloud	malware
http://www.founder.com.cn/cnsH	0%	Avira URL Cloud	safe
http://www.agfamonotype.~SBIm	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn#H4	0%	Avira URL Cloud	safe
http://www.fontbureau.comcomFH	0%	Avira URL Cloud	safe
http://www.fontbureau.comdd	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/om	0%	Avira URL Cloud	safe
http://www.fonts.comS	0%	Avira URL Cloud	safe
185.225.73.164	100%	Avira URL Cloud	malware
http://www.urwpp.derT	0%	Avira URL Cloud	safe
http://www.urwpp.deJ(	0%	Avira URL Cloud	safe
http://www.fonts.comical	0%	Avira URL Cloud	safe
http://www.sandoll.co.krXH.	0%	Avira URL Cloud	safe
http://www.sandoll.co.krend	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cnoH%	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
godisgood1.hopto.org	37.139.129.71	true	true	14%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
godisgood1.hopto.org	true	14%, Virustotal, Browse Avira URL Cloud: malware	unknown
185.225.73.164	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comFV	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.311980649.0000000005519000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/?	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cnsH	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.307170791.000000000554D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.comn-u	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303377395.000000000552B000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303559071.0000000005533000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303820040.0000000005533000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303774139.0000000005533000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303418482.0000000005533000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303640331.0000000005532000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cnT	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.307170791.000000000554D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.com	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comessed	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.312292131.000000000551A000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.311980649.0000000005519000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.goodfont.co.kr	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://google.com	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.584965011.0000000003CAE000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.593962047.0000000007000000.00000004.08000000.00040000.00000000.sdmp	false		high
http://www.fontbureau.comepkoH	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.344604107.0000000005510000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.365697319.000000000551A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comiona	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.344604107.0000000005510000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.365697319.000000000551A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303377395.000000000552B000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303559071.0000000005533000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303715113.0000000005534000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303685970.0000000005534000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303820040.0000000005533000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303588332.0000000005534000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303452217.0000000005534000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303515704.0000000005534000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303774139.0000000005533000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303418482.0000000005533000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303640331.0000000005532000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.fonts.comic	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303762586.000000000552B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.comibi	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303685970.0000000005534000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303640331.0000000005532000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comcom	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.313059366.0000000005519000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.agfamonotype.~SBIm	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.317352691.0000000005522000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.fonts.com	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303685970.0000000005534000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303762586.000000000552B000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303640331.0000000005532000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303671777.000000000552B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.de	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.313059366.0000000005519000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.346550034.00000000024A1000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.572765724.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000006.00000002.453978396.00000000031B5000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000009.00000002.455600928.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 0000000A.00000002.480986509.0000000002974000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn#H4	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.307170791.000000000554D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/om	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.307564401.0000000005514000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cnr-f	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.307170791.000000000554D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comF	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.312292131.000000000551A000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.311980649.0000000005519000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.313059366.0000000005519000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.311387611.0000000005518000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.agfamonotype.	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.317352691.0000000005522000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.c	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.307239153.0000000005514000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.comn	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.304268623.000000000552B000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.304289380.000000000552B000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.304202190.000000000552B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comdd	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.311980649.0000000005519000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comcomFH	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.313059366.0000000005519000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.comS	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303685970.0000000005534000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comd	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.311980649.0000000005519000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://en.w	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303119536.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.derT	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.313059366.0000000005519000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comituF	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.313059366.0000000005519000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.307654597.000000000551B000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.307572542.0000000005519000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.307239153.0000000005514000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deJ(	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.313059366.0000000005519000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.com/designers/frere-user.html	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.comical	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303629841.000000000552B000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303671777.000000000552B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/cabarga.html	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.312451749.000000000554D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.krXH.	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.306187785.0000000005519000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comm	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.344604107.0000000005510000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.365697319.000000000551A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.krend	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.306187785.0000000005519000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.comc	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.304289380.000000000552B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cnoH%	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.307170791.000000000554D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
37.139.129.71	godisgood1.hopto.org	Germany		10753	LVLT-10753US	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	714049
Start date and time:	2022-10-01 12:41:07 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@30/15@3/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 169 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:42:11	API Interceptor	724x Sleep call for process: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe modified
12:42:23	Task Scheduler	Run new task: DHCP Monitor path: "C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe" s>$(Arg0)
12:42:24	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
12:42:26	Task Scheduler	Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
12:42:54	API Interceptor	2x Sleep call for process: dhcpmon.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
37.139.129.71	HbLvbvoRGy.exe	Get hash	malicious	Browse
	7IcZgRDScI.exe	Get hash	malicious	Browse
	1p1zjEapac.exe	Get hash	malicious	Browse
	dSgT0bXySX.exe	Get hash	malicious	Browse
	6myXWYz7OB.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
godisgood1.hopto.org	BL No.KTOHRYGN2202 (SURRENDERED BL).exe	Get hash	malicious	Browse	185.225.73.164
	SecuriteInfo.com.W32.MSIL_Kryptik.DSR.gen.Eldorado.17895.exe	Get hash	malicious	Browse	185.225.73.164
	CV.exe	Get hash	malicious	Browse	185.225.73.164
	SecuriteInfo.com.W32.AIDetectNet.01.5406.16871.exe	Get hash	malicious	Browse	185.225.73.164
	SecuriteInfo.com.W32.AIDetectNet.01.20138.17534.exe	Get hash	malicious	Browse	185.225.73.164
	DISCHARGE CERTIFICATE 25.08.2022.exe	Get hash	malicious	Browse	185.225.73.164
	SecuriteInfo.com.W32.AIDetectNet.01.28680.exe	Get hash	malicious	Browse	185.225.73.164
	RFQ No. 6000091641.exe	Get hash	malicious	Browse	185.225.73.164
	HSS.exe	Get hash	malicious	Browse	2.56.59.46
	uI81n5kpR3.exe	Get hash	malicious	Browse	2.56.57.143
	Mj7iuWXSYN.xlsx	Get hash	malicious	Browse	2.56.57.143
	5vKNZrbp4s.exe	Get hash	malicious	Browse	2.56.57.143
	T6k46JoFBs.exe	Get hash	malicious	Browse	37.0.11.250
	ALP.exe	Get hash	malicious	Browse	185.174.101.21
	INVOICE = 212888585 .xlsx	Get hash	malicious	Browse	103.147.184.84
	kGIBTCae7v.exe	Get hash	malicious	Browse	103.156.91.208
	Vs57n7RHgP.exe	Get hash	malicious	Browse	103.156.91.208
	v5rJN9eflV.exe	Get hash	malicious	Browse	103.89.90.65
	VzzCzKHwT5.exe	Get hash	malicious	Browse	103.167.85.222
	TT COPY.xlsx	Get hash	malicious	Browse	103.167.85.222

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
LVLT-10753US	W9CVetN5r3.elf	Get hash	malicious	Browse	148.57.62.62
	7140765CD0D5F61BB453F0511E24786E21D950C2CB3B3.exe	Get hash	malicious	Browse	193.56.146.36
	Revised PO-2022092903_________________________.exe	Get hash	malicious	Browse	185.252.178.35
	YVw7dMcj8V.exe	Get hash	malicious	Browse	37.139.129.221
	Revised PO-2022091803____________________________.vbs	Get hash	malicious	Browse	185.252.178.35
	ieI2DZPujw.exe	Get hash	malicious	Browse	37.139.129.221
	Swift Copy.exe	Get hash	malicious	Browse	185.252.178.35
	image001.exe	Get hash	malicious	Browse	185.252.178.35
	7xcnQ2Jwq7.exe	Get hash	malicious	Browse	185.252.178.116
	Shipping Documents.exe	Get hash	malicious	Browse	185.252.178.35
	New Order.exe	Get hash	malicious	Browse	185.252.178.35
	Shipment Document BL,INV and packing list.jpg.exe	Get hash	malicious	Browse	37.139.129.142
	arm6-20220925-1655.elf	Get hash	malicious	Browse	185.252.178.48
	xf2HwbP8Tn.elf	Get hash	malicious	Browse	185.252.178.159
	C4Loader.exe	Get hash	malicious	Browse	37.139.129.113
	BPL_1000572_007.bat.exe	Get hash	malicious	Browse	185.252.178.63
	Specifications_Details_RFQ.exe	Get hash	malicious	Browse	185.252.178.63
	Specifications_Details_350_RFQ.exe	Get hash	malicious	Browse	185.252.178.63
	image001.exe	Get hash	malicious	Browse	185.252.178.35
	Specifications_Details_30200_RFQ.exe	Get hash	malicious	Browse	185.252.178.63

Process:	C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1189376
Entropy (8bit):	6.94809823392214
Encrypted:	false
SSDEEP:	24576:LrArSrrSV1DCOzMFd1bFfxR6ImZlNRU3jrx:OV/+9fxAXU
MD5:	C5CA6BF1A4D668ABAE8A1BD58DA7FA89
SHA1:	1FB0C57D1EA566B703BE21A5DD2334166F5A918E
SHA-256:	F360431BC55CE6BBBD77F26A9BCB86B6267C3B82220D06EE4C67B44BE2273735
SHA-512:	18401E658D3D97A845D8ED05A750EB702337D9C4E1D25CCEDC5A6024BEB09CC333668C6F16A60E11523E79908DCD5D7D439A396724B9D5329D44648F6996FDC7
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 37%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....7c..............P............../... ...@....@.. ....................................@.....................................O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`.......$..............@..B........................H........Q..dq......B........k............................................(....&..(......s ........s!........s"........s#........s$...........0...........~....o%....+...0...........~....o&....+...0...........~....o'....+...0...........~....o(....+...0...........~....o)....+...0..<........~.....(.....,!r...p.....(+...o,...s-............~.....+...0...........~.....+.."........0..&........(....r#..p~....o....(/.....t$....+..*...0..&........(....r5..p~....o....(/.....

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.log

Download File

Process:	C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5:	69206D3AF7D6EFD08F4B4726998856D3
SHA1:	E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256:	A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512:	CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log

Download File

Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5:	69206D3AF7D6EFD08F4B4726998856D3
SHA1:	E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256:	A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512:	CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Temp\tmp2889.tmp

Download File

Process:	C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1639
Entropy (8bit):	5.179579532436944
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGc6Ptn:cbhK79lNQR/rydbz9I3YODOLNdq3ho
MD5:	434B39DEA1D167EF66A3D88C5E1B052F
SHA1:	3850962A4E0064FC0568C51DFA5B7EA3A7859DDC
SHA-256:	8263E5BEE3F8FC17EF42C4A860499EA8F05D83C17FE7F6099846085B49D85279
SHA-512:	17429C9AAE656E636CD928FA5D4E5672C12458C740A292852E5D3F18AE4817ECFB85F9BA96376ED97455570EA22A0D2E02A846311D7E1D55D24E60A0D30F157B
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Local\Temp\tmp2B48.tmp

Download File

Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1639
Entropy (8bit):	5.179579532436944
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGc6Ptn:cbhK79lNQR/rydbz9I3YODOLNdq3ho
MD5:	434B39DEA1D167EF66A3D88C5E1B052F
SHA1:	3850962A4E0064FC0568C51DFA5B7EA3A7859DDC
SHA-256:	8263E5BEE3F8FC17EF42C4A860499EA8F05D83C17FE7F6099846085B49D85279
SHA-512:	17429C9AAE656E636CD928FA5D4E5672C12458C740A292852E5D3F18AE4817ECFB85F9BA96376ED97455570EA22A0D2E02A846311D7E1D55D24E60A0D30F157B
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Local\Temp\tmp63CD.tmp

Download File

Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1639
Entropy (8bit):	5.179579532436944
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGc6Ptn:cbhK79lNQR/rydbz9I3YODOLNdq3ho
MD5:	434B39DEA1D167EF66A3D88C5E1B052F
SHA1:	3850962A4E0064FC0568C51DFA5B7EA3A7859DDC
SHA-256:	8263E5BEE3F8FC17EF42C4A860499EA8F05D83C17FE7F6099846085B49D85279
SHA-512:	17429C9AAE656E636CD928FA5D4E5672C12458C740A292852E5D3F18AE4817ECFB85F9BA96376ED97455570EA22A0D2E02A846311D7E1D55D24E60A0D30F157B
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Local\Temp\tmp690.tmp

Download File

Process:	C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1335
Entropy (8bit):	5.131538419856332
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0Y8dxtn:cbk4oL600QydbQxIYODOLedq3odj
MD5:	B9DEE575F2B0ACDC2037D92C74DC29BB
SHA1:	037CA9A5B3612ADEB251AE4D780CD0D0C5053DCB
SHA-256:	8036080B940A7BD8C425649914CCBBA4A4DCF3AABA3023DFAD249BD89F36F4F7
SHA-512:	3970ADE224745201DC6C3FB65E57083B136C53088B212FF1F801388876BB7A3B744B777A1138673BC294614244BA564F39499C865F437221293085BBA334C4C4
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmp8832.tmp

Download File

Process:	C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1639
Entropy (8bit):	5.179579532436944
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGc6Ptn:cbhK79lNQR/rydbz9I3YODOLNdq3ho
MD5:	434B39DEA1D167EF66A3D88C5E1B052F
SHA1:	3850962A4E0064FC0568C51DFA5B7EA3A7859DDC
SHA-256:	8263E5BEE3F8FC17EF42C4A860499EA8F05D83C17FE7F6099846085B49D85279
SHA-512:	17429C9AAE656E636CD928FA5D4E5672C12458C740A292852E5D3F18AE4817ECFB85F9BA96376ED97455570EA22A0D2E02A846311D7E1D55D24E60A0D30F157B
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Local\Temp\tmpA4B.tmp

Download File

Process:	C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.109425792877704
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
MD5:	5C2F41CFC6F988C859DA7D727AC2B62A
SHA1:	68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA-256:	98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
SHA-512:	B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat

Download File

Process:	C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
File Type:	data
Category:	dropped
Size (bytes):	232
Entropy (8bit):	7.089541637477408
Encrypted:	false
SSDEEP:	3:XrURGizD7cnRNGbgCFKRNX/pBK0jCV83ne+VdWPiKgmR7kkmefoeLBizbCuVkqYM:X4LDAnybgCFcps0OafmCYDlizZr/i/Oh
MD5:	9E7D0351E4DF94A9B0BADCEB6A9DB963
SHA1:	76C6A69B1C31CEA2014D1FD1E222A3DD1E433005
SHA-256:	AAFC7B40C5FE680A2BB549C3B90AABAAC63163F74FFFC0B00277C6BBFF88B757
SHA-512:	93CCF7E046A3C403ECF8BC4F1A8850BA0180FE18926C98B297C5214EB77BC212C8FBCC58412D0307840CF2715B63BE68BACDA95AA98E82835C5C53F17EF38511
Malicious:	false
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Download File

Process:	C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:DCg:z
MD5:	5A6FF3DF7B2CB03AA295AE6A3C2728C6
SHA1:	656CE7D1794A14D6E749316CBD0BD00AA2DF9D8F
SHA-256:	08F3C75923C4CC4BD40D01FB1D98198307914B0841B9CBD4008F21E4BE5323A2
SHA-512:	D55DF6007CDE0465EB462FDE244FC7707D640179C42499CC20737402E2EE19D50CC12C875531977894F403478024E15EE086FA9ECBC5A827E9378BCC43C873EA
Malicious:	true
Preview:	.;g....H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat

Download File

Process:	C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
File Type:	data
Category:	modified
Size (bytes):	327768
Entropy (8bit):	7.999367066417797
Encrypted:	true
SSDEEP:	6144:oX44S90aTiB66x3PlZmqze1d1wI8lkWmtjJ/3Exi:LkjbU7LjGxi
MD5:	2E52F446105FBF828E63CF808B721F9C
SHA1:	5330E54F238F46DC04C1AC62B051DB4FCD7416FB
SHA-256:	2F7479AA2661BD259747BC89106031C11B3A3F79F12190E7F19F5DF65B7C15C8
SHA-512:	C08BA0E3315E2314ECBEF38722DF834C2CB8412446A9A310F41A8F83B4AC5984FCC1B26A1D8B0D58A730FDBDD885714854BDFD04DCDF7F582FC125F552D5C3CA
Malicious:	false
Preview:	pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...\|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.).....{B.[...y%...i.Q.<..xt.X..H.. ..HF7g...I.3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.\|i4...i...;O...n.?.,. ....v?.5}.OY@.dG\|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...\|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`\|.B....3.....I..o...u1..8i=.z.W..7

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat

Download File

Process:	C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.867861029749889
Encrypted:	false
SSDEEP:	3:oNt+WfWk1Q9PFB8j+nXIMLWA2LN:oNwvk1QRsj+nXxix
MD5:	2D2969AF6342D4C42632BBEA0FAAB3C1
SHA1:	533268FF8603A9705BDB38DB60CB2D795E754A30
SHA-256:	B2ACA0EE9C8564A59BF6F15F82FDD183486916F18F1E333243E285A8E9957F47
SHA-512:	4C0B9ED26CBD070D9542F258957F4436F0CEECD032D3A8582708B97DF53AB536AD664195C1AAA5D24EDD983ABFA135AD90C0535C99EDFC174274F5569CFDDDE5
Malicious:	false
Preview:	C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

C:\Users\user\AppData\Roaming\JLsbuY.exe

Download File

Process:	C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1189376
Entropy (8bit):	6.94809823392214
Encrypted:	false
SSDEEP:	24576:LrArSrrSV1DCOzMFd1bFfxR6ImZlNRU3jrx:OV/+9fxAXU
MD5:	C5CA6BF1A4D668ABAE8A1BD58DA7FA89
SHA1:	1FB0C57D1EA566B703BE21A5DD2334166F5A918E
SHA-256:	F360431BC55CE6BBBD77F26A9BCB86B6267C3B82220D06EE4C67B44BE2273735
SHA-512:	18401E658D3D97A845D8ED05A750EB702337D9C4E1D25CCEDC5A6024BEB09CC333668C6F16A60E11523E79908DCD5D7D439A396724B9D5329D44648F6996FDC7
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 37%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....7c..............P............../... ...@....@.. ....................................@.....................................O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`.......$..............@..B........................H........Q..dq......B........k............................................(....&..(......s ........s!........s"........s#........s$...........0...........~....o%....+...0...........~....o&....+...0...........~....o'....+...0...........~....o(....+...0...........~....o)....+...0..<........~.....(.....,!r...p.....(+...o,...s-............~.....+...0...........~.....+.."........0..&........(....r#..p~....o....(/.....t$....+..*...0..&........(....r5..p~....o....(/.....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.94809823392214
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
File size:	1189376
MD5:	c5ca6bf1a4d668abae8a1bd58da7fa89
SHA1:	1fb0c57d1ea566b703be21a5dd2334166f5a918e
SHA256:	f360431bc55ce6bbbd77f26a9bcb86b6267c3b82220d06ee4c67b44be2273735
SHA512:	18401e658d3d97a845d8ed05a750eb702337d9c4e1d25ccedc5a6024beb09cc333668c6f16a60e11523e79908dcd5d7d439a396724b9d5329d44648f6996fdc7
SSDEEP:	24576:LrArSrrSV1DCOzMFd1bFfxR6ImZlNRU3jrx:OV/+9fxAXU
TLSH:	AA453A1425DA4B1EF07E8BF91BD4A4E54BFAE622A329E5FA3DE043850722F01CDC1576
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....7c..............P............../... ...@....@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x522f16
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6337A6B5 [Sat Oct 1 02:32:21 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x122ec4	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x124000	0x11c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x126000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x120f1c	0x121000	False	0.6100981293252595	data	6.951369793482402	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x124000	0x11c8	0x1200	False	0.3919270833333333	data	5.051703971077691	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x126000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x124090	0x30c	data
RT_MANIFEST	0x1243ac	0xe15	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF, LF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
37.139.129.71192.168.2.47712496982841753 10/01/22-12:42:35.121312	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	7712	49698	37.139.129.71	192.168.2.4
192.168.2.437.139.129.714969877122025019 10/01/22-12:42:30.424505	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49698	7712	192.168.2.4	37.139.129.71
192.168.2.437.139.129.714969877122816766 10/01/22-12:42:35.951752	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49698	7712	192.168.2.4	37.139.129.71

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2022 12:42:30.048540115 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:30.076286077 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:30.076489925 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:30.424504995 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:30.472449064 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:30.546344995 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:30.588115931 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:30.755649090 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:30.817027092 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:30.916877985 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:30.944308996 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:30.950195074 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:30.950231075 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:30.950248957 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:30.950268984 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:30.950289011 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:30.950340033 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:30.979064941 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:30.979098082 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:30.979115009 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:30.979135990 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:30.979155064 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:30.979173899 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:30.979190111 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:30.979191065 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:30.979211092 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:30.979238033 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:30.979262114 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.006762028 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.006822109 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.006844997 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.006867886 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.006910086 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.006932974 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.006952047 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.006956100 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.006979942 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.007011890 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.007013083 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.007030964 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.007036924 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.007062912 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.007081032 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.007086992 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.007117033 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.007127047 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.007141113 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.007163048 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.007180929 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.034719944 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.034754038 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.034774065 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.034780979 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.034794092 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.034815073 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.034821987 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.034836054 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.034854889 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.034854889 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.034888029 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.034893036 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.034914017 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.034933090 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.034945011 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.034950972 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.034970045 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.034981012 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.034990072 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.035008907 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.035027027 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.035031080 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.035058022 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.035059929 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.035080910 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.035098076 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.035113096 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.035115957 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.035135984 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.035150051 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.035155058 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.035173893 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.035188913 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.035192966 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.035211086 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.035223007 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.035229921 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.035248995 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.035268068 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.035273075 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.035300016 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.063040972 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.063081980 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.063107967 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.063133001 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.063141108 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.063160896 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.063178062 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.063193083 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.063220024 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.063230038 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.063247919 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.063277960 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.063285112 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.063308001 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.063335896 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.063344002 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.063364983 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.063394070 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.063411951 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.063420057 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.063448906 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.063457012 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.063477039 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.063505888 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.063513041 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.063538074 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.063563108 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.063587904 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.063591003 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.063612938 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.063622952 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.063640118 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.063663960 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.063668966 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.063694000 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.063720942 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.063729048 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.063749075 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.063776016 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.063782930 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.063802958 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.063829899 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.063837051 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.063857079 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.063884974 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.063894033 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.063911915 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.063939095 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.063946009 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.063966990 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.063993931 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.064001083 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.064022064 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.064049959 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.064054966 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.064076900 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.064104080 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.064109087 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.064130068 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.064157009 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.064163923 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.064186096 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.064213037 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.064218044 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.064239979 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.064268112 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.064275026 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.064296961 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.064327002 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.064331055 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.064356089 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.064383030 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.064400911 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.064412117 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.064450979 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.092122078 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.092155933 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.092171907 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.092190027 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.092204094 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.092226028 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.092245102 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.092263937 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.092283964 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.092305899 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.092328072 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.092346907 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.092365980 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.092371941 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.092386007 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.092405081 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.092425108 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.092443943 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.092461109 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.092462063 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.092482090 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.092488050 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.092500925 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.092511892 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.092520952 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.092535019 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.092540026 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.092559099 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.092576027 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.092576981 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.092597008 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.092611074 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.092614889 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.092634916 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.092647076 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.092653036 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.092670918 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.092685938 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.092690945 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.092710018 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.092722893 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.092729092 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.092747927 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.092763901 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.092766047 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.092786074 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.092803001 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.092803001 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.092822075 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.092839956 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.092842102 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.092859983 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.092871904 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.092879057 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.092897892 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.092916965 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.092917919 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.092937946 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.092953920 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.092956066 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.092974901 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.092993021 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.092994928 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.093012094 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.093029976 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.093031883 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.093049049 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.093064070 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.093065977 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.093111038 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.126379013 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.126414061 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.126435995 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.126456976 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.126477957 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.126497030 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.126514912 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.126516104 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.126539946 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.126559019 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.126562119 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.126583099 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.126584053 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.126606941 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.126619101 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.126629114 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.126651049 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.126671076 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.126677036 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.126693010 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.126712084 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.126713991 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.126737118 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.126758099 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.126763105 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.126779079 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.126801014 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.126807928 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.126837969 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.126842022 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.126868963 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.126904964 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.126925945 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.126955032 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.126976967 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.126990080 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.126996994 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.127017975 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.127032042 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.127038956 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.127059937 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.127070904 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.127079964 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.127099991 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.127110958 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.127120018 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.127141953 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.127151012 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.127168894 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.127188921 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.127199888 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.127209902 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.127230883 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.127243042 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.127252102 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.127271891 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.127283096 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.127293110 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.127315998 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.127326965 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.127337933 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.127357960 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.127377987 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.127377987 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.127399921 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.127410889 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.127420902 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.127441883 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.127454996 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.127464056 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.127484083 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.127496004 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.127505064 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.127545118 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.156510115 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.156546116 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.156572104 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.156596899 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.156603098 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.156621933 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.156641960 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.156649113 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.156680107 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.156685114 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.156733990 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.156774044 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.156778097 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.156797886 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.156826019 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.156836987 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.156855106 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.156882048 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.156891108 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.156909943 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.156935930 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.156963110 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.156965017 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.156996012 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.157001019 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.157023907 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.157052040 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.157058001 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.157078981 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.157107115 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.157114029 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.157134056 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.157160997 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.157181978 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.157186985 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.157215118 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.157222986 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.157242060 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.157268047 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.157277107 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.157294989 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.157322884 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.157325983 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.157347918 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.157371998 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.157387018 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.157397985 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.157423019 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.157430887 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.157449961 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.157475948 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.157481909 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.157501936 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.157527924 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.157532930 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.157553911 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.157578945 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.157586098 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.157604933 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.157629967 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.157636881 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.157658100 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.157685041 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.157691002 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.157711029 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.157737017 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.157742977 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.157763958 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.157789946 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.157798052 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.157814980 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.157841921 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.157846928 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.157866001 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.157892942 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.157900095 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.157917976 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.157943964 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.157953024 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.157969952 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.157998085 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.158003092 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.158021927 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.158049107 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.158056021 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.158085108 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.158113003 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.158119917 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.158139944 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.158165932 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.158174992 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.158194065 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.158220053 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.158231974 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.158246994 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.158273935 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.158282042 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.158302069 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.158329964 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.158343077 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.158355951 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.158381939 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.158390999 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.158406973 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.158433914 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.158441067 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.158459902 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.158485889 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.158497095 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.158512115 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.158536911 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.158546925 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.255629063 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:32.751305103 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:32.839713097 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:35.121311903 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:35.236531019 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:35.951751947 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:36.026907921 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:36.570511103 CEST	49698	7712	192.168.2.4	37.139.129.71

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2022 12:42:30.000255108 CEST	56572	53	192.168.2.4	8.8.8.8
Oct 1, 2022 12:42:30.021872997 CEST	53	56572	8.8.8.8	192.168.2.4
Oct 1, 2022 12:42:43.918507099 CEST	50911	53	192.168.2.4	8.8.8.8
Oct 1, 2022 12:42:43.938385010 CEST	53	50911	8.8.8.8	192.168.2.4
Oct 1, 2022 12:42:47.465024948 CEST	59683	53	192.168.2.4	8.8.8.8
Oct 1, 2022 12:42:47.486771107 CEST	53	59683	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 1, 2022 12:42:30.000255108 CEST	192.168.2.4	8.8.8.8	0xa928	Standard query (0)	godisgood1.hopto.org	A (IP address)	IN (0x0001)	false
Oct 1, 2022 12:42:43.918507099 CEST	192.168.2.4	8.8.8.8	0xa723	Standard query (0)	godisgood1.hopto.org	A (IP address)	IN (0x0001)	false
Oct 1, 2022 12:42:47.465024948 CEST	192.168.2.4	8.8.8.8	0x2be2	Standard query (0)	godisgood1.hopto.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 1, 2022 12:42:30.021872997 CEST	8.8.8.8	192.168.2.4	0xa928	No error (0)	godisgood1.hopto.org	37.139.129.71	A (IP address)	IN (0x0001)	false
Oct 1, 2022 12:42:43.938385010 CEST	8.8.8.8	192.168.2.4	0xa723	No error (0)	godisgood1.hopto.org	37.139.129.71	A (IP address)	IN (0x0001)	false
Oct 1, 2022 12:42:47.486771107 CEST	8.8.8.8	192.168.2.4	0x2be2	No error (0)	godisgood1.hopto.org	37.139.129.71	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	12:41:58
Start date:	01/10/2022
Path:	C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe"
Imagebase:	0x110000
File size:	1189376 bytes
MD5 hash:	C5CA6BF1A4D668ABAE8A1BD58DA7FA89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.351210930.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.351210930.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.351210930.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.351210930.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.352245428.00000000035EE000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.352245428.00000000035EE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.352245428.00000000035EE000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.352245428.00000000035EE000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Target ID:	1
Start time:	12:42:18
Start date:	01/10/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JLsbuY" /XML "C:\Users\user\AppData\Local\Temp\tmp8832.tmp
Imagebase:	0x10a0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	2
Start time:	12:42:18
Start date:	01/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	3
Start time:	12:42:19
Start date:	01/10/2022
Path:	C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0x530000
File size:	1189376 bytes
MD5 hash:	C5CA6BF1A4D668ABAE8A1BD58DA7FA89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.594571838.00000000072D0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.594571838.00000000072D0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.594571838.00000000072D0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.594571838.00000000072D0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.594469574.00000000072C0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.594469574.00000000072C0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.594469574.00000000072C0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.594469574.00000000072C0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.593893494.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.593893494.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.593893494.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.593893494.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.590737920.0000000005CC0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.590737920.0000000005CC0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.590737920.0000000005CC0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.590737920.0000000005CC0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.593817105.0000000006FE0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.593817105.0000000006FE0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.593817105.0000000006FE0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.593817105.0000000006FE0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000003.376885871.0000000006301000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.590108854.0000000005280000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.590108854.0000000005280000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.590108854.0000000005280000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.590108854.0000000005280000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.590108854.0000000005280000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.594220234.00000000072A0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.594220234.00000000072A0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.594220234.00000000072A0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.594220234.00000000072A0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 00000003.00000002.584965011.0000000003CAE000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.584965011.0000000003CAE000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.590874533.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.590874533.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.590874533.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.590874533.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.593962047.0000000007000000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.593962047.0000000007000000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.593962047.0000000007000000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.593962047.0000000007000000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.594928792.0000000007310000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.594928792.0000000007310000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.594928792.0000000007310000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.594928792.0000000007310000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.594066194.0000000007010000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.594066194.0000000007010000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.594066194.0000000007010000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.594066194.0000000007010000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000000.343643595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000000.343643595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000003.00000000.343643595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000000.343643595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.593436718.0000000006E80000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.593436718.0000000006E80000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.593436718.0000000006E80000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.593436718.0000000006E80000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.592602875.0000000006540000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.592602875.0000000006540000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.592602875.0000000006540000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.592602875.0000000006540000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.589979363.0000000005050000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.589979363.0000000005050000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.589979363.0000000005050000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.589979363.0000000005050000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.580783944.00000000039C1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.572765724.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000003.00000002.572765724.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.572765724.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Target ID:	4
Start time:	12:42:23
Start date:	01/10/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp690.tmp
Imagebase:	0x10a0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	5
Start time:	12:42:23
Start date:	01/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	6
Start time:	12:42:23
Start date:	01/10/2022
Path:	C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe" 0
Imagebase:	0xcf0000
File size:	1189376 bytes
MD5 hash:	C5CA6BF1A4D668ABAE8A1BD58DA7FA89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Show Windows behavior

Target ID:	7
Start time:	12:42:24
Start date:	01/10/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpA4B.tmp
Imagebase:	0x10a0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	8
Start time:	12:42:25
Start date:	01/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	9
Start time:	12:42:26
Start date:	01/10/2022
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
Imagebase:	0x9a0000
File size:	1189376 bytes
MD5 hash:	C5CA6BF1A4D668ABAE8A1BD58DA7FA89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 37%, ReversingLabs
Reputation:	low

Show Windows behavior

Target ID:	10
Start time:	12:42:34
Start date:	01/10/2022
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Imagebase:	0x4b0000
File size:	1189376 bytes
MD5 hash:	C5CA6BF1A4D668ABAE8A1BD58DA7FA89
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	low

Show Windows behavior

Target ID:	13
Start time:	12:43:00
Start date:	01/10/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JLsbuY" /XML "C:\Users\user\AppData\Local\Temp\tmp2889.tmp
Imagebase:	0x10a0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	14
Start time:	12:43:01
Start date:	01/10/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JLsbuY" /XML "C:\Users\user\AppData\Local\Temp\tmp2B48.tmp
Imagebase:	0x10a0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	15
Start time:	12:43:01
Start date:	01/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	16
Start time:	12:43:01
Start date:	01/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	17
Start time:	12:43:02
Start date:	01/10/2022
Path:	C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0x9c0000
File size:	1189376 bytes
MD5 hash:	C5CA6BF1A4D668ABAE8A1BD58DA7FA89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.500556457.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000011.00000002.500556457.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000011.00000002.500556457.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.497822993.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000011.00000002.497822993.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000011.00000002.497822993.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, Author: unknown

Show Windows behavior

Target ID:	18
Start time:	12:43:02
Start date:	01/10/2022
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xce0000
File size:	1189376 bytes
MD5 hash:	C5CA6BF1A4D668ABAE8A1BD58DA7FA89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.502379246.0000000003271000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000012.00000002.502379246.0000000003271000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000012.00000002.502379246.0000000003271000.00000004.00000800.00020000.00000000.sdmp, Author: unknown

Show Windows behavior

Target ID:	19
Start time:	12:43:15
Start date:	01/10/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JLsbuY" /XML "C:\Users\user\AppData\Local\Temp\tmp63CD.tmp
Imagebase:	0x10a0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	20
Start time:	12:43:16
Start date:	01/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	21
Start time:	12:43:18
Start date:	01/10/2022
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0x4f0000
File size:	1189376 bytes
MD5 hash:	C5CA6BF1A4D668ABAE8A1BD58DA7FA89
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET

Show Windows behavior

Execution Graph

Execution Coverage:	12.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	150
Total number of Limit Nodes:	7

Executed Functions

Function 06CEE6B0 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.379182536.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf22d6c2a25e621e937b10d05101a04630f86499c15405b2adf90c438e594e2d
Instruction ID: ecf2975df402b6ee49615e180903184289d26349cc4d6191b06fb2d7d14d0792
Opcode Fuzzy Hash: cf22d6c2a25e621e937b10d05101a04630f86499c15405b2adf90c438e594e2d
Instruction Fuzzy Hash: 4181C2B4E002198FDB48CFEAC884AAEBBB2FF89340F14902AD515BB354D7359941CF54

Uniqueness

Uniqueness Score: -1.00%

Function 04AD6898 Relevance: 3.8, Strings: 3, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$%Ml, xrefs: 04AD68E0
$%Ml, xrefs: 04AD691A
3, xrefs: 04AD6973

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID: $%Ml$$%Ml$3
API String ID: 0-2487884870
Opcode ID: 1ee89f893eec3e462f3f502c7bb9c4064bcf47c81f658e08ee1faebaa145f5e1
Instruction ID: a6aa37466ec78e36884750d4fd9a363c0640e3fd01b1cef492e2bad3dd82a175
Opcode Fuzzy Hash: 1ee89f893eec3e462f3f502c7bb9c4064bcf47c81f658e08ee1faebaa145f5e1
Instruction Fuzzy Hash: F02123306046404FC701EB79E4589AABBF6EF82214B0484ADD15ADB292DB71ED0ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 04AD0158 Relevance: 2.6, Strings: 2, Instructions: 85
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$%Ml, xrefs: 04AD01A5
$%Ml, xrefs: 04AD0203

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID: $%Ml$$%Ml
API String ID: 0-4130101558
Opcode ID: dcc47648177778c8952ee17f9fc9070740c97e74773816300094e25ef10c78b8
Instruction ID: 2230001c104f604b2090b7f56202c44a3cef5d3af58f087396bfa6beb4f1bda2
Opcode Fuzzy Hash: dcc47648177778c8952ee17f9fc9070740c97e74773816300094e25ef10c78b8
Instruction Fuzzy Hash: FB2192323141018FE754DF2DD894A6977E2EF99334F1981B9E50ACF7A6DA74EC018B90

Uniqueness

Uniqueness Score: -1.00%

Function 04AD6889 Relevance: 2.6, Strings: 2, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$%Ml, xrefs: 04AD68E0
$%Ml, xrefs: 04AD691A

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID: $%Ml$$%Ml
API String ID: 0-4130101558
Opcode ID: e3bbaaf6955be695a815951e7b98aa831474d244a6f6de237625239b4296962d
Instruction ID: 4084934e3d43f885b91012ace01184bc4320f76a736ec659e7b98db545b705e5
Opcode Fuzzy Hash: e3bbaaf6955be695a815951e7b98aa831474d244a6f6de237625239b4296962d
Instruction Fuzzy Hash: 8B212134A002014FD701EB79D4158AABBF6EFC6204701C5B9D556EB792DF30FD0A8B92

Uniqueness

Uniqueness Score: -1.00%

Function 02489670 Relevance: 1.7, APIs: 1, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 024898B6

Memory Dump Source

Source File: 00000000.00000002.346487921.0000000002480000.00000040.00000800.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 08fbdd25d0d42495df623e26b3b22b0d874569714bd8f06ac7fb58edd836562e
Instruction ID: be9b86835337f42de2fd9a255f19a3f2fb493c1f377e8b96022de9e6c9896462
Opcode Fuzzy Hash: 08fbdd25d0d42495df623e26b3b22b0d874569714bd8f06ac7fb58edd836562e
Instruction Fuzzy Hash: 737111B0A10B059FD724EF2AD1447AABBF1FB88204F00892ED48AD7B50DB74E9058F91

Uniqueness

Uniqueness Score: -1.00%

Function 0248A3B4 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0248BB5E,?,?,?,?,?), ref: 0248BC1F

Memory Dump Source

Source File: 00000000.00000002.346487921.0000000002480000.00000040.00000800.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 36eafe6f554ae7b7514459476fb5be119a8014f52d5f953a4d438976e0dcdbe7
Instruction ID: 205e3eeb40bff28a11f64a5e0f360a3d155a700682a2490f5d7d5c1c5d34af42
Opcode Fuzzy Hash: 36eafe6f554ae7b7514459476fb5be119a8014f52d5f953a4d438976e0dcdbe7
Instruction Fuzzy Hash: EF2114B5900208EFDB10DF9AD984BEEBBF8EB48324F14841AE915B3310D374A940CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0248BB90 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0248BB5E,?,?,?,?,?), ref: 0248BC1F

Memory Dump Source

Source File: 00000000.00000002.346487921.0000000002480000.00000040.00000800.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 600f01cce1b3d11b7ed2610b78b3746a15caaf3a526b7c55b56b5f8cef25e597
Instruction ID: b7846931a05411cbb9049c3c8b7d7c4a4ef233a9867d005e9f6c41d5f825575a
Opcode Fuzzy Hash: 600f01cce1b3d11b7ed2610b78b3746a15caaf3a526b7c55b56b5f8cef25e597
Instruction Fuzzy Hash: 142100B5901208AFDB10CFA9D584AEEBBF4EB48324F14841AE919A3310D778A941CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02488C08 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02489931,00000800,00000000,00000000), ref: 02489B42

Memory Dump Source

Source File: 00000000.00000002.346487921.0000000002480000.00000040.00000800.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5a53b8c61ac6dbd31a237ca28a3c490d7f3b43d7572bd236f623c9688cf485a2
Instruction ID: aefb092ace91da6b9fcc64386c146c5e1ff4a48c588d55f6e2a7c610af840db8
Opcode Fuzzy Hash: 5a53b8c61ac6dbd31a237ca28a3c490d7f3b43d7572bd236f623c9688cf485a2
Instruction Fuzzy Hash: B511FFB69002489BDB10DF9AD448BEEFBF4EB88364F14842AE519A7300C375A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02489AD0 Relevance: 1.6, APIs: 1, Instructions: 54
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02489931,00000800,00000000,00000000), ref: 02489B42

Memory Dump Source

Source File: 00000000.00000002.346487921.0000000002480000.00000040.00000800.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5abdf994590b0ad080144986996d9d03a9564aa87cb09568ed34b5af0f0197a4
Instruction ID: 29418593727fc1ff958d0ef064df23fb3efae9034ede8132706336d65f5959f6
Opcode Fuzzy Hash: 5abdf994590b0ad080144986996d9d03a9564aa87cb09568ed34b5af0f0197a4
Instruction Fuzzy Hash: 9011F2B69002099FCB10DF9AD444BDEFBF4EB88324F15842AD519A7310C779A946CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02489850 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 024898B6

Memory Dump Source

Source File: 00000000.00000002.346487921.0000000002480000.00000040.00000800.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: fc203bccdc30ccf10d5e2d1af1f16cd411d96ca7ec9de09c6ccb43fdddd69b7c
Instruction ID: 1fb8922de6b05ba3138acb17994ce3d57106f0a3e535015b01cd265600e90f06
Opcode Fuzzy Hash: fc203bccdc30ccf10d5e2d1af1f16cd411d96ca7ec9de09c6ccb43fdddd69b7c
Instruction Fuzzy Hash: F811FDB6C0060A8BCB10DF9AD444BDEBBF4EB88224F14842AD419B7300C374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04AD0148 Relevance: 1.3, Strings: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$%Ml, xrefs: 04AD01A5

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID: $%Ml
API String ID: 0-826376005
Opcode ID: 2fb62916f427723e13a2c36dedc1b2ab8c39e5ee3e90e8513ad9e22379b9eebb
Instruction ID: a4f583a965242a5f79b4bfd6b86da57c7a05554b4b6e8c4560dd852eb51ed64c
Opcode Fuzzy Hash: 2fb62916f427723e13a2c36dedc1b2ab8c39e5ee3e90e8513ad9e22379b9eebb
Instruction Fuzzy Hash: D81108363581014FD724CF29DC95AA97BD2EF8A324F0980BAE40ACF396DA34EC018790

Uniqueness

Uniqueness Score: -1.00%

Function 04AD9968 Relevance: .7, Instructions: 730COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a77089166cb4545ef83e6c97992ba598ca82d1957a18846d543308d5e93c5af
Instruction ID: e726cfd8f724db0f158b04f1e5087f3e5a53520c456fa1aa346f66790ff866db
Opcode Fuzzy Hash: 7a77089166cb4545ef83e6c97992ba598ca82d1957a18846d543308d5e93c5af
Instruction Fuzzy Hash: B9720E31A10609CFCB14EF68C854ADDB7B1FF55304F1182A9D54AAB265EF70AAC9CF81

Uniqueness

Uniqueness Score: -1.00%

Function 04AD0A98 Relevance: .6, Instructions: 551COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47d93f4201d4091f449ea9a094835911ac45fb2ef1fcaa00151f3ebe1d3f2787
Instruction ID: f27857633b616d70ff2684b1efb39c85cb2571011e07f2dd97c079702d0873d5
Opcode Fuzzy Hash: 47d93f4201d4091f449ea9a094835911ac45fb2ef1fcaa00151f3ebe1d3f2787
Instruction Fuzzy Hash: DF42E631E14619CFDB14EF68C9846DDB7B1FF89304F1186A9D45ABB261EB30AA85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 04ADB210 Relevance: .5, Instructions: 500COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dc177af4008e407fa8af2f50560e9432cc7a62b6536f8d9a4aff7da0e162c8f
Instruction ID: 54424ec5382a9f802dce2aff1efe6473e7c30387a03276fb6ae56e6fd1776bd7
Opcode Fuzzy Hash: 6dc177af4008e407fa8af2f50560e9432cc7a62b6536f8d9a4aff7da0e162c8f
Instruction Fuzzy Hash: 5C220534A10214CFDB14DF69C994A9DB7F2FF88304F1585A9E90AAB361DB31ED45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 06CE6738 Relevance: .4, Instructions: 410COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.379182536.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d29af3875750cf7dd27d2ce060fa160ae217a3cb3176d98c251ad604898bd3
Instruction ID: f3cdbb67aea6f9cf4d0c7ecd3be740d5c748b3972e216795e744702f1c2bb6f7
Opcode Fuzzy Hash: 09d29af3875750cf7dd27d2ce060fa160ae217a3cb3176d98c251ad604898bd3
Instruction Fuzzy Hash: A4F13976E10514DFCB54DFAAC8849ADBBF6FF98314B1680A9E515AB361CB30EC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04AD0A88 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca9578245c20bc3cd686bda8df6ba031e7182f7e8db7d9fd28c77ab302cdc93e
Instruction ID: f6b56973bbf58dbde84d39c82b1e7acbc3eec12142f46bba185861f893bf3c03
Opcode Fuzzy Hash: ca9578245c20bc3cd686bda8df6ba031e7182f7e8db7d9fd28c77ab302cdc93e
Instruction Fuzzy Hash: 0DE1D531E046198FDB24DF68C9846EDB7B1FF49304F1586A9D45AAB261EB30BE85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 04AD630C Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 732741b77594d93b344ee561cd966b9b64cf4b032e120bb290e655421b60be1e
Instruction ID: eab5f350786876b01e15ddb21ec14e1c50d90f807fd50a3f2482200d9426ed07
Opcode Fuzzy Hash: 732741b77594d93b344ee561cd966b9b64cf4b032e120bb290e655421b60be1e
Instruction Fuzzy Hash: 1C910F74A05208DFDB18DFB5D844AAEBFF1EF89304F1184AAE446A7251CB34AC06CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04AD6548 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de4cecc9d62fe8a08040b599a0c7254825fd3fcb1e9b0169b88cb28facf99a59
Instruction ID: 7eb9cf5337b7fc3c71af70c1f6b8c252ec174dda8d162dcb1c621507e96b85b9
Opcode Fuzzy Hash: de4cecc9d62fe8a08040b599a0c7254825fd3fcb1e9b0169b88cb28facf99a59
Instruction Fuzzy Hash: 5C816C74E042189FDB18DFA9C854AEEBBF2FF89304F14812ED409AB354DB749905CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04ADFDF0 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 261c311f0a51bceed97a4fbe16ebf63c7d2e2a36acce1bedcef697353522a249
Instruction ID: 59f9ac74f64451e2a270ae5fdb2e56f3818124fdc7e9d0840e7cf50f0755ac6e
Opcode Fuzzy Hash: 261c311f0a51bceed97a4fbe16ebf63c7d2e2a36acce1bedcef697353522a249
Instruction Fuzzy Hash: DA41AE357005049FDB05DF64C958AAE7BF6EF89300F1180A9E906EB3A2DB39ED05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04ADBD18 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bad691ff55ad9d2ad1a7699cdb9bd7a6f68c56242fde7f5e7b0418d39d861a9b
Instruction ID: 45c7c3675eade3b04ede027d36796b914d56e1b71d3c7c012caea680265f261d
Opcode Fuzzy Hash: bad691ff55ad9d2ad1a7699cdb9bd7a6f68c56242fde7f5e7b0418d39d861a9b
Instruction Fuzzy Hash: DA711831B102588FDF45EBB8C58499DB7F2BF88208F158669E506AB350EB35FD81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04AD92F8 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ffb78d9dca878d69993f506151f04bc4bbe57a14f28d6bb2e7a2b2415d4039b
Instruction ID: 3c0a7edd148782fa3f677436c21431eb0b3c26fc715a15b0b6b1e0f2c9c53f89
Opcode Fuzzy Hash: 8ffb78d9dca878d69993f506151f04bc4bbe57a14f28d6bb2e7a2b2415d4039b
Instruction Fuzzy Hash: 0991E77190060ADFCB41DF68C880999FBF5FF59310B15879AE819EB256EB70E985CF80

Uniqueness

Uniqueness Score: -1.00%

Function 04AD6278 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e973f08b7e149e09f132ba6e1d7ba7e1f6940c7aa1d713a8b21c1a42e42461ec
Instruction ID: b6eb850a4585bd2178b01ccfa93c80fa8ffb2e829714afa364b0cce2612b11d6
Opcode Fuzzy Hash: e973f08b7e149e09f132ba6e1d7ba7e1f6940c7aa1d713a8b21c1a42e42461ec
Instruction Fuzzy Hash: 555100757042449FDB18EBA8C8445BF7BF6EB8A308B118169E54ADB391CB34DC068BD6

Uniqueness

Uniqueness Score: -1.00%

Function 04AD2380 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5173af8a1388bb2bfa041952775403fe44cf29534efcc76017400faa1110788b
Instruction ID: 9df68a0e09de0f87688578dd265d2514f69bf2968345a9f1d4e2d5b9231d690c
Opcode Fuzzy Hash: 5173af8a1388bb2bfa041952775403fe44cf29534efcc76017400faa1110788b
Instruction Fuzzy Hash: 2971BD79600A008FC718DF29C598959BBF2FF89604B1589A9E54ACB372DB72EC41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04AD2370 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e461dc31c304c9bd645cd4cac0fd78d967c4f6f4910717fdab2d83dc1cfd54e
Instruction ID: 50d99d68515733a59a60fdacfca78c455a50bf491319102f38a05d98518903e8
Opcode Fuzzy Hash: 8e461dc31c304c9bd645cd4cac0fd78d967c4f6f4910717fdab2d83dc1cfd54e
Instruction Fuzzy Hash: 2971CEB9600A008FC718DF29C598959BBF2FF89604B1589A9E54ACB372DB71EC45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04AD2190 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d41c22031055480da5cf4b7cc56b40b50826f927a0148224b05dafc39e4202e
Instruction ID: 2529dcc3a5b5ca69acda218b2715ad9951b24710d09da7d2769e691a7e5c6105
Opcode Fuzzy Hash: 0d41c22031055480da5cf4b7cc56b40b50826f927a0148224b05dafc39e4202e
Instruction Fuzzy Hash: 2371A475A046068FCB44CF69C584A99FBF1FF4D314B1986A9E80ADB312E774E885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04ADB208 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e5d5951386750338d3cc39a50253ead8deae3c506cd58dccc1ba6086acea04b
Instruction ID: ad688ab591cf353be53377fc69695cc5bd1a9bda12324af9a204042c1063a8c9
Opcode Fuzzy Hash: 9e5d5951386750338d3cc39a50253ead8deae3c506cd58dccc1ba6086acea04b
Instruction Fuzzy Hash: E7615930A106008FDB14EF69C494B99B7E2EF89314F1685BCD91AAB3A1DB31EC05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04AD5918 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebe5394b07e3cc257a6340c85b945b358476e81e77ed2ab6516e9bad8221b56a
Instruction ID: 25a92199e851d229170ca29fe5a174e369904671434bff554ac1373e8b31e24d
Opcode Fuzzy Hash: ebe5394b07e3cc257a6340c85b945b358476e81e77ed2ab6516e9bad8221b56a
Instruction Fuzzy Hash: F2516270E042059FDB14EFA9C944AAFBBF5EF88304F108529D41AE7250DB74A905CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 04ADBD08 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 596d29702ef51db0f5f97b168406caa233205f3747fa769acfb60c0a41bbd6ac
Instruction ID: e1d879cd6798916d32fe685b1e412b81ac4d19c944935fbf260866a4a5e3514f
Opcode Fuzzy Hash: 596d29702ef51db0f5f97b168406caa233205f3747fa769acfb60c0a41bbd6ac
Instruction Fuzzy Hash: 85513A31A102589FDF15EBB8C5449ACFBF2BF89308B158169E5069B361EB30FD45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04AD1720 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc27e041b0d163e8041ddecd0a3e9c80e484ded5143605e0368a092cc546d0c0
Instruction ID: f27dc4730d123c86515d3bc68bdef8b841dadcdf9ad700210de6eff45923e7fe
Opcode Fuzzy Hash: fc27e041b0d163e8041ddecd0a3e9c80e484ded5143605e0368a092cc546d0c0
Instruction Fuzzy Hash: B8515E35A10709CFCB04EF64D8949EDF7B6FF89314F018559E51AAB264EB70AD46CB80

Uniqueness

Uniqueness Score: -1.00%

Function 04ADBB60 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4236ae77834056371d06228d09eba5eb49611fb471a5e06ab2f1bae21da07f2
Instruction ID: f9edbb2c64958afbff962ba9cd963a99e086004c6e24ac52e5bef9f654248a9c
Opcode Fuzzy Hash: d4236ae77834056371d06228d09eba5eb49611fb471a5e06ab2f1bae21da07f2
Instruction Fuzzy Hash: 1341E2387082505FEB19A73985285BE37E69FCD618716807DDA0ACB794DF24ED0283E6

Uniqueness

Uniqueness Score: -1.00%

Function 04AD92E8 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdb87e9e6a865b33c29c61d02e8f270f6805924e0b4baf284dab282c5dc269ab
Instruction ID: 1bff861caf9115ff3eb2b5562d89996a3e8970a7be20fd6baed04ef42036edbb
Opcode Fuzzy Hash: bdb87e9e6a865b33c29c61d02e8f270f6805924e0b4baf284dab282c5dc269ab
Instruction Fuzzy Hash: 50512C7190070ACFCB01DF68C880999FBB5FF59310B15975AE85AEB256EB70E985CB80

Uniqueness

Uniqueness Score: -1.00%

Function 04ADF418 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db7785b824caf4dff1e148344dae5c480133fe887a5473535d06b6f4436dc94c
Instruction ID: 892a988f9bff1a9854e08123287af1ff53b265c8127a0191b233729157ac8545
Opcode Fuzzy Hash: db7785b824caf4dff1e148344dae5c480133fe887a5473535d06b6f4436dc94c
Instruction Fuzzy Hash: EA41D871B10B018FDB24DF68D99166BB3F2FB48314F184A39E567CB640EB64F9488B90

Uniqueness

Uniqueness Score: -1.00%

Function 04ADF408 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1c10c66c0a6c492774cbea9cfa96ffd2b3bb35e80d33faf9fa545d78ca707b0
Instruction ID: abee20bb8f5d686d58aa30122d5c35da453b189bdbf65489bff8d775cecd2db5
Opcode Fuzzy Hash: d1c10c66c0a6c492774cbea9cfa96ffd2b3bb35e80d33faf9fa545d78ca707b0
Instruction Fuzzy Hash: 49411B75B10B018FDB24CF78D88165BB7F2BB48210B184A29E567CB645E764F9088B90

Uniqueness

Uniqueness Score: -1.00%

Function 04AD62D4 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01b7dfbc39392386bbe8f34ac0c9b486f907171075ad34ca225e26ac7f80b267
Instruction ID: 7ad9eda81b154805100ca18abdc0a5a5f6791f6e98986186f10bff7b6aaee416
Opcode Fuzzy Hash: 01b7dfbc39392386bbe8f34ac0c9b486f907171075ad34ca225e26ac7f80b267
Instruction Fuzzy Hash: 134190B5A002089FDB14EFA9C444AAFBBF5EF89314F10842DE51AE7750DB34AD05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04ADE950 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ceac6d673310ccb0ffb9e2855749904a1a9534d523864093cfe1902a22cbb7d
Instruction ID: 4bf869558ac66334a785fc224d5cd4ee8e05a021fc79e0ce360a8433d8fa878f
Opcode Fuzzy Hash: 6ceac6d673310ccb0ffb9e2855749904a1a9534d523864093cfe1902a22cbb7d
Instruction Fuzzy Hash: AF418171E00614CFEB24EBB4C4546EEBBB2EF88219F544529D403BB654DB35A885CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04AD60C7 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4c52562a113fa7b5e21516354ec5a7ac5647b5a7235014702d98d1099b34bd7
Instruction ID: 14719d081fddadceeb43d12007ba5e8a1e4c083d33e56067cb34e89db1de4539
Opcode Fuzzy Hash: c4c52562a113fa7b5e21516354ec5a7ac5647b5a7235014702d98d1099b34bd7
Instruction Fuzzy Hash: AE5143B1D04208DBDB10CFA9C984ADEBBB5FF58304F648119D44ABB211D771AA4ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 04ADC650 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b44e7778f4ad4955cf448d0534abcfac2c79d5628e63ef31ef538af5f26a4453
Instruction ID: ac9e9b5e70823bb90bffa1fa72e1f4c9624a9fb2480eba68b7e45d868968d1dd
Opcode Fuzzy Hash: b44e7778f4ad4955cf448d0534abcfac2c79d5628e63ef31ef538af5f26a4453
Instruction Fuzzy Hash: D3417131D10B05ABDB10EFA9D8406DDB7B2FFD5300F614629E114BB250EB707945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04ADCB34 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1aad91328ee9c2821f775c503f749dcce2f043541e940b42ec10783641aae287
Instruction ID: bccee50b857d847ddeb1c7337d1004a9dce43e0eab1408dc71e1e6b2253f8723
Opcode Fuzzy Hash: 1aad91328ee9c2821f775c503f749dcce2f043541e940b42ec10783641aae287
Instruction Fuzzy Hash: F2315E317005048FDB24EB7DD854AAE77F6EF89625B1505AED61ACB3A0EB31EC02CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04ADC660 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 291904fc72e3a1a92493e8eed686fa3b02b0e436f5ca2c13fa0453646843dc51
Instruction ID: 56c891ab8299abec8795dfff12cab7a4a31fb47f86b8d87d950cc104ef102d5f
Opcode Fuzzy Hash: 291904fc72e3a1a92493e8eed686fa3b02b0e436f5ca2c13fa0453646843dc51
Instruction Fuzzy Hash: 18415D31D10B0AABDB50EFA9D84469DB7B2FF95300F614A29E114BB250EBB07985CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04AD1730 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d12734f9fec8575d61595d01da19197e2cb47f88bc15db6ddac73d23004a663
Instruction ID: 988c65088b270100235abd0fd8823a667f991a689efea65353c83736c8081c53
Opcode Fuzzy Hash: 3d12734f9fec8575d61595d01da19197e2cb47f88bc15db6ddac73d23004a663
Instruction Fuzzy Hash: 9D410034A10709CFCB04EF68C4949DDB7B6FF89304F118559D5195B364EB71A945CB81

Uniqueness

Uniqueness Score: -1.00%

Function 04AD6995 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c43f75c0c83102a1f0a05811de68f5a1560142efc0303aa70774677832f2be72
Instruction ID: 3761ed9619b0bb2c5661e509caf4e0258112353a01f7a62322e481eaa8b0c60b
Opcode Fuzzy Hash: c43f75c0c83102a1f0a05811de68f5a1560142efc0303aa70774677832f2be72
Instruction Fuzzy Hash: 7041E0B1D00209DBDB24DFAAC584ADEBBB5BF48304F658529D449BB210D771AA4ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 04AD60F4 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e420fedb1c6d0771c6584997d3f30be80778629232fab75c23895d7c3a4ed4c0
Instruction ID: 8a9ab6eaa595699b02b48325d0daab142df921a21db0df183e97475fde406dd2
Opcode Fuzzy Hash: e420fedb1c6d0771c6584997d3f30be80778629232fab75c23895d7c3a4ed4c0
Instruction Fuzzy Hash: C541E1B1D00208DBDB10DFAAC584ADEBBB5FF48304F658529E449BB210D771AA4ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 04AD2180 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b48159335375dbde1540aa5eb4e784a181d77e17bcfd6e045734be638eb449cd
Instruction ID: ef68f1a5908f4df7fc56ca9dd415d42cfd81f9d21cec7f50b0d489dfcaec3ea2
Opcode Fuzzy Hash: b48159335375dbde1540aa5eb4e784a181d77e17bcfd6e045734be638eb449cd
Instruction Fuzzy Hash: 9F413975A042068FC715CF68C584AA9FBF1FF49310B1586AAE80ADB362E730F845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04ADD8D0 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0265127f918134537aed5a816c21e3ed00c8449545811a154b2fd5fd7b60f47
Instruction ID: ae663e6fd8a429408880cf235259d68476255d603d558cc5f491983ba23a6f19
Opcode Fuzzy Hash: f0265127f918134537aed5a816c21e3ed00c8449545811a154b2fd5fd7b60f47
Instruction Fuzzy Hash: C031D4713106008FE730DF28C485A6AB7F6FB84754B144E6AE097CBA68D772F9448B91

Uniqueness

Uniqueness Score: -1.00%

Function 04AD590C Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d74382ccf2c8e9a55dd770ec1c56ca7055efd8602909b58019d6b8bbbb67a80
Instruction ID: 46155dc35069eee17b30b1095152416fca9ee56d5bddec702ed8f697d45fe488
Opcode Fuzzy Hash: 2d74382ccf2c8e9a55dd770ec1c56ca7055efd8602909b58019d6b8bbbb67a80
Instruction Fuzzy Hash: 7F41BFB4D042589BDB14CF9AC884ADEFBB5FF88314F24822AE419AB210D7746845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04AD1628 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6ff708af0f03967c0edc69d1714e236468d91a93b4b5b06693451dcd0600951
Instruction ID: 7859e24dc4f7c6f8e8bad6cd7a4e96efeb6eb33f6833e191dc18616d2342d4d7
Opcode Fuzzy Hash: d6ff708af0f03967c0edc69d1714e236468d91a93b4b5b06693451dcd0600951
Instruction Fuzzy Hash: FF316735B002199FCF04EBA4D9548EDB7F6FF88215B058269E406AB364EF75BD46CB80

Uniqueness

Uniqueness Score: -1.00%

Function 06CE4700 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.379182536.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bd825dca71e2b10a61e047bc80678cefcb3162f6c482743fbfcce4258339a6d
Instruction ID: c1598f07371602ebe0e4bcfd715a81fa0cf24d2effe2b22904cfb8eca95feb14
Opcode Fuzzy Hash: 2bd825dca71e2b10a61e047bc80678cefcb3162f6c482743fbfcce4258339a6d
Instruction Fuzzy Hash: B021F2387102104BEB68563698A5A3E26EBDFC6608F15C07CD402CFB94EE29CD41D7C2

Uniqueness

Uniqueness Score: -1.00%

Function 04AD6B18 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5ee6ced91104bfaa7d5832f20800097438b032afca7845ed7622087b98604f9
Instruction ID: 25eb21da4f5e5cd733d298d839ae9475684b471c45ffdf42010ef7efc1d3db8c
Opcode Fuzzy Hash: e5ee6ced91104bfaa7d5832f20800097438b032afca7845ed7622087b98604f9
Instruction Fuzzy Hash: AA218D70F001555FDB11EFAAC9409AFBBF9EFC8204F10812AE516E7251EB70AA01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04ADE94E Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 776dc4a8e5bcc7ce6a1b5e76a41406a128e7744d1e8b0754439ef7da251df87a
Instruction ID: 7b3c86eebf9854b28c2ed171d093a0f292633f72d70048a8b2e3ca10a8a55332
Opcode Fuzzy Hash: 776dc4a8e5bcc7ce6a1b5e76a41406a128e7744d1e8b0754439ef7da251df87a
Instruction Fuzzy Hash: 2D219130E00A15CFEB24EB7484547EEBAB2EF88219F54883DC402BA755DB35A885CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 04ADF300 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01fc190924a4a54d706f0560613278320f5cfcb3906caa60f8bb6a97630ff97a
Instruction ID: c6d481b09f430b1d70e37dd2891f585f41c264d0757929c77f82683b0da09738
Opcode Fuzzy Hash: 01fc190924a4a54d706f0560613278320f5cfcb3906caa60f8bb6a97630ff97a
Instruction Fuzzy Hash: 2A21CC71604B419FD734CF38D482AAAB7F2BB49210F050E2AE4ABCB640D774F9058B91

Uniqueness

Uniqueness Score: -1.00%

Function 04AD2850 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c53db5d8f6364e77c65d65394f815b7f4c3c22c1b42f2761efc437a33fc1b885
Instruction ID: 019f5cddfd5fb4525f7e00df742246b16aa56d8fd394dda54da4c7641c8e14f4
Opcode Fuzzy Hash: c53db5d8f6364e77c65d65394f815b7f4c3c22c1b42f2761efc437a33fc1b885
Instruction Fuzzy Hash: 5A316D35A0461A8FCB10DFA9D554BEDBBF0AB88314F1040A5D806FB354DB70AD01CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04ADF310 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f58af5bdaa707fe72b06290029d05ef6854e84a01df5e9b59f3b4e79fa12a0cd
Instruction ID: 9fb12dc31df7f156ebdd14ff0a7caf15c0b4b0d9219245776c98ebda2f8cdd83
Opcode Fuzzy Hash: f58af5bdaa707fe72b06290029d05ef6854e84a01df5e9b59f3b4e79fa12a0cd
Instruction Fuzzy Hash: F4218C74610B059FD734CF38D482AAAB7F1FB49210F150E2AE0A7CBA40D774F9059B91

Uniqueness

Uniqueness Score: -1.00%

Function 04ADEC0B Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8e23044b29a0e2de6ca550ae8146e5cd8e0f69615babcefe847e5fac239e012
Instruction ID: 8d3c3e998ee424cef19bd3dfa1e4710e7401798f8f119d0e13a11935cb423875
Opcode Fuzzy Hash: b8e23044b29a0e2de6ca550ae8146e5cd8e0f69615babcefe847e5fac239e012
Instruction Fuzzy Hash: 6C21B075A00219EFDB05DFA0D854DEEBBB6FF89304B458529E4027B220DB75B95ACB80

Uniqueness

Uniqueness Score: -1.00%

Function 04AD653B Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c5f3a8ccb89455b69b9805bb206608845f965408f0f8c07dca5e386c5994961
Instruction ID: 831733a32084b50eb4644a54d201d3f6332423a7cfb6fb3b2d7660dadb7863de
Opcode Fuzzy Hash: 5c5f3a8ccb89455b69b9805bb206608845f965408f0f8c07dca5e386c5994961
Instruction Fuzzy Hash: 7021C375E042198FDF05DFF888809EEBBF6EF88204B14402AD509F7355EB34AA058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 04ADD8CC Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4578f3ed3a51344854c6d8b6a3d97a18f7aecd47d758dd7bdc81cb555483c80a
Instruction ID: d24f18d847c3c88e30262898e08382e38af575e3de9234429e81cedc234c8759
Opcode Fuzzy Hash: 4578f3ed3a51344854c6d8b6a3d97a18f7aecd47d758dd7bdc81cb555483c80a
Instruction Fuzzy Hash: E521E331310A008FD720DF29D485A2AB7F6FF856147194E6AE09BCBA28D762F9058B90

Uniqueness

Uniqueness Score: -1.00%

Function 04AD2D71 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40a61a07b18e5ec377a7fd35ee801dd30e787101c991d252091238b62eaea5c0
Instruction ID: d4a5eed7a06d020f3d4c24704095cd1eb57eac69e7a2c7fd272dde0c20b64a67
Opcode Fuzzy Hash: 40a61a07b18e5ec377a7fd35ee801dd30e787101c991d252091238b62eaea5c0
Instruction Fuzzy Hash: 9C21F436A042059FD318FB69D40879EBBB1DB89214F0088A9C956DB3D2DB74AD0ACBD1

Uniqueness

Uniqueness Score: -1.00%

Function 04ADA4A8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7fcaedd658be0a1a414e2e5567d241f183dce1404050c21f45612bc93f5712f
Instruction ID: 6990495a5656dc176eb9a0ff08e8fad2b2e6ad8dc1b68cda409addaabd4e9289
Opcode Fuzzy Hash: c7fcaedd658be0a1a414e2e5567d241f183dce1404050c21f45612bc93f5712f
Instruction Fuzzy Hash: 73212C31A106099FCB10EF69D84099DFBF5FF49311F50C26AE959AB200EB30E998CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04ADEC18 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2c3ac40edebca991e60222fb844fabee4234314f2f638aaf25edef525dda9c5
Instruction ID: 61f72df291a42d7993fa881121f1bf7a16e451ef4e67bdeab37095dcdfe2b292
Opcode Fuzzy Hash: f2c3ac40edebca991e60222fb844fabee4234314f2f638aaf25edef525dda9c5
Instruction Fuzzy Hash: 6C21AC75A00219EFDB05EFA0D844DEEBBB6FF89304F058559E002BB220DB75B955CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04AD1E53 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0c89eb2f74c4f9a25e76b2db9f0df70f1964973bbc0b2ad099fe420f6f8eb5a
Instruction ID: e51707a39b1c70019735353d9623bcac610c81c8f35fea9b5febe68bec902121
Opcode Fuzzy Hash: a0c89eb2f74c4f9a25e76b2db9f0df70f1964973bbc0b2ad099fe420f6f8eb5a
Instruction Fuzzy Hash: 0121F232C18B058BDB00EF79D884059BBB5FF95304315866AE949BB366EF70F991CB80

Uniqueness

Uniqueness Score: -1.00%

Function 04ADE490 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d6003410e77ef4e4ef50b50c1cf8ebef997d0c16cc9aefe5d6d5ebd23e0e75c
Instruction ID: 06509be6ab790df02b120b785b785674a53ff1daf468e34af18688df111a176c
Opcode Fuzzy Hash: 5d6003410e77ef4e4ef50b50c1cf8ebef997d0c16cc9aefe5d6d5ebd23e0e75c
Instruction Fuzzy Hash: 9A210371714B804FD3209B28D88275B77E6FB89740F15486ED186CB692DFB8A8058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 04ADD704 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fcc1eedaeed745e5f50a54c9d002435c6aeba58d5d8ec044c4d05956f1316f5
Instruction ID: 3f48f52cdc650384a82368609278bfd7f7cf8cefa8c0df5e690d28764d0afd00
Opcode Fuzzy Hash: 6fcc1eedaeed745e5f50a54c9d002435c6aeba58d5d8ec044c4d05956f1316f5
Instruction Fuzzy Hash: 1811B2343105104BEB04BE39D40176E72DBEBC5B18F00442AE542EB7E5CEB5EC4257D9

Uniqueness

Uniqueness Score: -1.00%

Function 04AD2840 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de7c5d0419fe863a3ad75b0d10c378ac81b9d6d0421202590ddf658f08e171f7
Instruction ID: 988e2ac6f69c7ce57a99057dd8e959f14c4dd448fd29593967a26d5e4431bea2
Opcode Fuzzy Hash: de7c5d0419fe863a3ad75b0d10c378ac81b9d6d0421202590ddf658f08e171f7
Instruction Fuzzy Hash: 0821BE35E0465A8BCB15EFA9D954BDDBBF0AF88304F1440A5D842FB318DB70AD01CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 04ADD708 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c0081929c548d963ea6495443762c312df568ad55456a1d47cba5a1569a7992
Instruction ID: 4aebfa833db151db2371fe2d0bac1735acf9e16769124794da0e53bddfdecdf4
Opcode Fuzzy Hash: 9c0081929c548d963ea6495443762c312df568ad55456a1d47cba5a1569a7992
Instruction Fuzzy Hash: CE118F343106204BEB04BA7AD41172E72DBEBC9B18F10442AE542EB7E5CEB5EC4157D9

Uniqueness

Uniqueness Score: -1.00%

Function 04AD1E60 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29e21fabc7f548962382b5a0eb226dccaff01671dbd8a0b249889d76489586ed
Instruction ID: 1da28ce555c057be241f02cda17830b5cb100282ed200d75ec0459388a101a4f
Opcode Fuzzy Hash: 29e21fabc7f548962382b5a0eb226dccaff01671dbd8a0b249889d76489586ed
Instruction Fuzzy Hash: 8821F332D14B05CBDB00EF69D84045AB7B5FF953043158669E9497B326EB70F890CB80

Uniqueness

Uniqueness Score: -1.00%

Function 04ADB8EF Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d03e7ccbbc41e9dc4e1d57ea06f85133685cb82b1e6824abd31390243e1f49e3
Instruction ID: f4a15b6174195f7efba2e9362483335e1148d88686fbed67d7dc8a3ce7aeee80
Opcode Fuzzy Hash: d03e7ccbbc41e9dc4e1d57ea06f85133685cb82b1e6824abd31390243e1f49e3
Instruction Fuzzy Hash: 7411B1316006008FD754EF69D484B9DB7E2FF85224F1246BDD11ADB261DB30BD4A8BA2

Uniqueness

Uniqueness Score: -1.00%

Function 04AD79C8 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34d06a0ce6065e662f961e2b7e61662ef55b4fe29cb1783414efc60138fb8fbf
Instruction ID: 7f88f79db9572a4578483c910d610eb78af179a6e6b32f0eb8313e7a699993fb
Opcode Fuzzy Hash: 34d06a0ce6065e662f961e2b7e61662ef55b4fe29cb1783414efc60138fb8fbf
Instruction Fuzzy Hash: 2B2127B58043489FCB10DFAAC884BDEBFF4EB59364F14845EE456A7210D378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04ADCD58 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3842eadf58c80588789485729b42ec69869fdfa6a473a7cc54db76a4c0dfe507
Instruction ID: 48d153c6646ed8724450784e52c186079372c693a55c9eab804230c445091d4a
Opcode Fuzzy Hash: 3842eadf58c80588789485729b42ec69869fdfa6a473a7cc54db76a4c0dfe507
Instruction Fuzzy Hash: 5811A231F006099FDB10DB75C8446AA7BB59F84224F408629D9479B254EB70F981DBE1

Uniqueness

Uniqueness Score: -1.00%

Function 04AD7370 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9591e2c5148863affd6ab8a6378e72eb8ae5f2772ccb7a662d40f9bded60c85
Instruction ID: 71d6eaa2ed6fab131c8c676cc9730556c37bf4752b5809395fd4c185f516a209
Opcode Fuzzy Hash: b9591e2c5148863affd6ab8a6378e72eb8ae5f2772ccb7a662d40f9bded60c85
Instruction Fuzzy Hash: C2012471B042945FDB12ABBCA8510EEBFB6DFC9214B04006ED6069B282CB351A0787A6

Uniqueness

Uniqueness Score: -1.00%

Function 04ADCB14 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f7d5091000aa42f5e79465968e0fe26efca1fcb2689fcf89a7fc975c95b2407
Instruction ID: 5c8cfdc0e435c20fb9eb7ab9db89371d26ff638576c27cf017032ac3121d3cef
Opcode Fuzzy Hash: 2f7d5091000aa42f5e79465968e0fe26efca1fcb2689fcf89a7fc975c95b2407
Instruction Fuzzy Hash: 1B11A531724B104BD760AB69D481B5B73EBF788740F14882EE187DB790DEB5B8448B90

Uniqueness

Uniqueness Score: -1.00%

Function 04ADC56B Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a350e6b01c32d2ab12d5262e0728db612ce077b4fa4f564e120d3de4f1f80d9
Instruction ID: f910b98268a29c44f4f251505b94944fe0cdd5efcbc37a94589869b4c9899acf
Opcode Fuzzy Hash: 0a350e6b01c32d2ab12d5262e0728db612ce077b4fa4f564e120d3de4f1f80d9
Instruction Fuzzy Hash: 49215E72D04B9187EB11DF29D840281B7A1EF95318F198ABACC5D3F346EB717984C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 04AD79D4 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3361392a575b7aa47713d7cae27bc771cca778e19fdff8df87245a0ae056fcf
Instruction ID: d0a577f06b5ac07b061a563c469f14912ad557d8bbb7bba833ffd492a7cac4ea
Opcode Fuzzy Hash: a3361392a575b7aa47713d7cae27bc771cca778e19fdff8df87245a0ae056fcf
Instruction Fuzzy Hash: 2D21E4B59002099FDB10DF9AD884BDEFBF8EB48364F14841AE959B7310D379A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04ADC578 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6c439a4686e7efe840e70f30b8f9749a99d4bc4c395c8344e084f69d01f6d5e
Instruction ID: 11168c090e5e1811f3c813f8be33e117af065b162543f3fc265a13dc01473718
Opcode Fuzzy Hash: f6c439a4686e7efe840e70f30b8f9749a99d4bc4c395c8344e084f69d01f6d5e
Instruction Fuzzy Hash: B8114C32D00B5186EB10AF59D840281B7A5EF95324F198A79DD5D3F346EB717984C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 04AD3660 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 429892b36cb48c2b9d886301fe5f8b6b90eddd9e0e16004df1d6b66c4f659da5
Instruction ID: 683e477ec8ff18d112c61177e178eb68cc3508659d2f910ea1841223c6fd66ff
Opcode Fuzzy Hash: 429892b36cb48c2b9d886301fe5f8b6b90eddd9e0e16004df1d6b66c4f659da5
Instruction Fuzzy Hash: 29110875A040069FDB01DF68C809A9B7FF6EB88304F008069E502FB381CB39AD0A8B95

Uniqueness

Uniqueness Score: -1.00%

Function 04AD2D80 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ba29410eca15f043391b58736db13e157ae5843a8359e930858b1f02f8ed8d1
Instruction ID: 55978f3a13314755673a1289106ea83aef545b260915fccdcc9e42914c81e426
Opcode Fuzzy Hash: 0ba29410eca15f043391b58736db13e157ae5843a8359e930858b1f02f8ed8d1
Instruction Fuzzy Hash: 5B11C135A002099BD714EFA5C014BDEB7F2EB88304F5044ACC506A7290CF35AD05CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 04AD776C Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4455496e8d06b8191d5cd85c746dc56efbd3113822a562416e20a66bd069ed59
Instruction ID: 143fb1e3b11e3a681ef89ff08e40ef6330c436cc817506717f4396525de3b3f7
Opcode Fuzzy Hash: 4455496e8d06b8191d5cd85c746dc56efbd3113822a562416e20a66bd069ed59
Instruction Fuzzy Hash: 6F01D635B142145FEB09E679D4545EE7FE9DFC9118B04C4AAE809D3201ED74AD478790

Uniqueness

Uniqueness Score: -1.00%

Function 04AD0006 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18eef021ab74574c79f570bd9a2a0f00491aa06e8ea5b1f293d1aea1b6a73059
Instruction ID: dbdbd828127f3a6a8caa208462ec7664c19c4db545a6aee4d5af4ec2c333029f
Opcode Fuzzy Hash: 18eef021ab74574c79f570bd9a2a0f00491aa06e8ea5b1f293d1aea1b6a73059
Instruction Fuzzy Hash: D411C46120E3D14FEB125B3198A49A63FB59E43609B0E00DFC486CF9E3D6199C46DBA3

Uniqueness

Uniqueness Score: -1.00%

Function 04ADDE60 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8e3a5149da73b147818966f087ccb250bd891ba765155c3877019efa70fd467
Instruction ID: d5352094294be65ed16bc7c55c88c08faf9055d794815f11f1964f33734bd716
Opcode Fuzzy Hash: a8e3a5149da73b147818966f087ccb250bd891ba765155c3877019efa70fd467
Instruction Fuzzy Hash: 3211E1303047504BE740EA28D01539A6796AB82B08F50895ED18ADF7C2CFF66C4A87E6

Uniqueness

Uniqueness Score: -1.00%

Function 04AD624C Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cad6087eb62f3f2a314841df462e5c56e44385319733006155b2baf22caa5f3
Instruction ID: 8fc41c1511e3b0a5e6aa64d29d822452d7cd73a0f5a5d29443245dc5c53776f8
Opcode Fuzzy Hash: 7cad6087eb62f3f2a314841df462e5c56e44385319733006155b2baf22caa5f3
Instruction Fuzzy Hash: 891104B5D042089FDB10DF9AD448B9EFBF4EB98324F14841AD859B7310D774A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04ADE598 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae1f7088599531e2f5b592710e335788da46f5eb6ebdc5365b676fd471057c1f
Instruction ID: 445a4aef0b95171d92ccba04c59db930861110e93bc5b42b02bfe0dcec0be585
Opcode Fuzzy Hash: ae1f7088599531e2f5b592710e335788da46f5eb6ebdc5365b676fd471057c1f
Instruction Fuzzy Hash: 1B01F235A006148FE710EB79E4053CEBBB5EB88314F00442ADA05D7280EA35A90BCFD0

Uniqueness

Uniqueness Score: -1.00%

Function 04AD82C8 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21514f020a0e15ed512a3d49750154c1df67a33ed40f120cb349eda1a8b936ce
Instruction ID: 9dc1066d0add4bea3ddc62914298b42c644c4365833d30d994491a316086dbd6
Opcode Fuzzy Hash: 21514f020a0e15ed512a3d49750154c1df67a33ed40f120cb349eda1a8b936ce
Instruction Fuzzy Hash: AD1145B5800208CFDB10DF99D488BCEFBF4EB58364F14881AD469A7300D738AA45CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04ADBC88 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a1a1c4ce6b8341676716ab7fdbfe7a4f95c1adc769e837d71bbfd5bc7397595
Instruction ID: 8f637fa61d5cbca66423f0801d8a0043df7347a0348bf0c634357845fc8b00bc
Opcode Fuzzy Hash: 1a1a1c4ce6b8341676716ab7fdbfe7a4f95c1adc769e837d71bbfd5bc7397595
Instruction Fuzzy Hash: 91018F343055608FEB19E738C15466C7BA1AF8DA18B0641A9DA2A8B361DF24FD03C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 04AD6E3B Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35fabff5130900519e4ca3e15f9bcbbc1b5064a2610a72321aa5383374f3e946
Instruction ID: df19b3ceec011ec0fbb67e314ea8e222ada1d2f34e6383627d82331d9be3bd1e
Opcode Fuzzy Hash: 35fabff5130900519e4ca3e15f9bcbbc1b5064a2610a72321aa5383374f3e946
Instruction Fuzzy Hash: E11120B5C002498FCB10CFAAD448B8EFBF4EB88324F14841AD459B3210D774A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04ADBAD7 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e91055e2fc8a39cba8fe7d5bf66a440ef87e5c200faf4cb3a330b9a4e58a9356
Instruction ID: 0ca121f8bec115a2cebac3b5245dbc14d2bd8e1749c9f3f6bb82382f177ecc89
Opcode Fuzzy Hash: e91055e2fc8a39cba8fe7d5bf66a440ef87e5c200faf4cb3a330b9a4e58a9356
Instruction Fuzzy Hash: 2B01B1757042018FD704CB69D488AAABBF6FFC8218F1584AAD54AC7362CB70EC0BCB50

Uniqueness

Uniqueness Score: -1.00%

Function 04AD2618 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46a11000b5df4664a0ad4bb6e6c7e4e0b09c12167d5fb5b6c5da68287d19319b
Instruction ID: b59a1cb29a64a56b7df85a8eef05b5c4493e75561cf48b5b62768444e5fc00c5
Opcode Fuzzy Hash: 46a11000b5df4664a0ad4bb6e6c7e4e0b09c12167d5fb5b6c5da68287d19319b
Instruction Fuzzy Hash: 6301D1326083049EEB20EBB5A8007AB7BEDCB80265F4044EED50AC7691EF31F945C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 04AD83FF Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e04d9ba71698be9ff4c77a7e721cc843822021b58c77fad40050d6ff6c6c38c
Instruction ID: 8a6238f98e74c8ab166b34385508b65fd2fda07e44528bf14d881b27c0214b38
Opcode Fuzzy Hash: 0e04d9ba71698be9ff4c77a7e721cc843822021b58c77fad40050d6ff6c6c38c
Instruction Fuzzy Hash: CFF0F6F64063401FD736AF20A8804D37FB9EA16264305498FE84ACB153E514A80BCB70

Uniqueness

Uniqueness Score: -1.00%

Function 04AD79B8 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 758a1d83a8ea085ea358584c94ea2158a994602013213c0dd43dc332d98d8e0a
Instruction ID: 7f543350a5f06aa6240f6b59ca592e698393666f7d50826605964a13aeedf6f5
Opcode Fuzzy Hash: 758a1d83a8ea085ea358584c94ea2158a994602013213c0dd43dc332d98d8e0a
Instruction Fuzzy Hash: 991110B59002489FCB10DF99D448BDEBBF4EB48324F14841AE52AA7200D378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04AD09E8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00d77263140a386e4034a9808b69f7b31ae0d3cf6115ab77500c7c02dadf781e
Instruction ID: 1037dff150ad0eb257a3efb5ede365f84742f6aa9a3adc0ed6e444a945628651
Opcode Fuzzy Hash: 00d77263140a386e4034a9808b69f7b31ae0d3cf6115ab77500c7c02dadf781e
Instruction Fuzzy Hash: 5301D66220D7C01FD302D6799895A86BFA6DB9720470A45DFD185CF1B3D660AC0B83A2

Uniqueness

Uniqueness Score: -1.00%

Function 04AD3670 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdaf46f272d6a2880b9358f10f32616e02430967363bfb16145217288a363b4e
Instruction ID: 03cd0b24b10d1ee90a895f9bb308183e17e754291943d7841746df6e7ba0b8ed
Opcode Fuzzy Hash: cdaf46f272d6a2880b9358f10f32616e02430967363bfb16145217288a363b4e
Instruction Fuzzy Hash: B501D471A00045DFDB04DF68C818A9BBBFAEF99704F148069E502FB384CA79AD04CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 04ADDFF8 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7dfa4be01e82190a617b8d0e40c73c3c10ea33dd15e415e1fab06b9f4f7bc98
Instruction ID: bb145f3a8417602b364397c907f1803f76a23aad8aab9d8ed4fc70d10b3abb5d
Opcode Fuzzy Hash: e7dfa4be01e82190a617b8d0e40c73c3c10ea33dd15e415e1fab06b9f4f7bc98
Instruction Fuzzy Hash: 98011771A00A049FE720DF38C445A5BB7F6BB85210F040A29E066CB750DB74FD04CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04ADE9DA Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a29d1a50e918530c7ce7ec5fe7ec09db866c3501e1b7f048c65a59203af4fe0e
Instruction ID: 0de8f337d87e3941810b06907794be68d2b0289eae16ccaf1ec4d44c20399010
Opcode Fuzzy Hash: a29d1a50e918530c7ce7ec5fe7ec09db866c3501e1b7f048c65a59203af4fe0e
Instruction Fuzzy Hash: 1801D270A40A06CFEB24EFB1C0143AE7AB1EF48319F84843DC003BA290DB385884CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04AD1968 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60f5b5f59dc37ec12f1c531ac1f40756c25e16be626985e9e5edc6aff8d85339
Instruction ID: 8f12f506794a15ffcde81c84f68540b8b546408ceb8f21e053245ea105facc6d
Opcode Fuzzy Hash: 60f5b5f59dc37ec12f1c531ac1f40756c25e16be626985e9e5edc6aff8d85339
Instruction Fuzzy Hash: DC014C306007048FD724EF39C54059A77F6BF85308F14C96ED4868B264EB30E941CB80

Uniqueness

Uniqueness Score: -1.00%

Function 04AD1958 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e11061444a139b45d613333a429e14fc65520ce4a700b7d18b71985a160cea3
Instruction ID: 2a470025fa473f12cdb955a02753dbdaa51bf63e329e3df43790dd96efa99b88
Opcode Fuzzy Hash: 8e11061444a139b45d613333a429e14fc65520ce4a700b7d18b71985a160cea3
Instruction Fuzzy Hash: 3901DF30605B018FD315EF38C0505AA7BF1AF85308F0486AED8828B269EB30F942CB81

Uniqueness

Uniqueness Score: -1.00%

Function 04ADCA90 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28f25583476c6ea58f1a8c42d675eb5816e0d52f9bdc7402a2427e6ce15bd5fa
Instruction ID: bc9ec907a015dd5d753d32bca76743a9bdb23ef26584cf823c9ba0b046a6ba11
Opcode Fuzzy Hash: 28f25583476c6ea58f1a8c42d675eb5816e0d52f9bdc7402a2427e6ce15bd5fa
Instruction Fuzzy Hash: C201B1303147505BE680AA29C01579A76DBAB81708F10891DD18ADB3C2CFF7BC4A8BE5

Uniqueness

Uniqueness Score: -1.00%

Function 04AD1D38 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ec00d46ac2a50f475d138f58cf51a77ac48215c12e8624294758c40c24625de
Instruction ID: 870517a920ff60abec4b29439f2ba37c8d65a34530fb6a65a7ca481623bde0e5
Opcode Fuzzy Hash: 1ec00d46ac2a50f475d138f58cf51a77ac48215c12e8624294758c40c24625de
Instruction Fuzzy Hash: F601D139A147008BCB12BB78D5101EEBB75EFC6228F04059ED98A5B241EF70A647C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 04ADDF60 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fc80803ba72b596b39db8b894a100701fd754f7fd44fa82a8e2ffc280bc2733
Instruction ID: d51770c0701acc84802fef2a3bfd99b6ba5f547b3f1702c4965f2235f5954b31
Opcode Fuzzy Hash: 8fc80803ba72b596b39db8b894a100701fd754f7fd44fa82a8e2ffc280bc2733
Instruction Fuzzy Hash: 6901E535600B048BD324DF28D045A56B7F6FB89294B040E29E1A7CB744DB70F9098BD0

Uniqueness

Uniqueness Score: -1.00%

Function 04ADFDC0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 806afbbcc430bc8ed21cc444d4643e8f30621da648a8f0dd2f24a22998150ef2
Instruction ID: d8a0742b5440f88de75959f4d11e6564cb7189f549eba0d04f1c7e38c745b194
Opcode Fuzzy Hash: 806afbbcc430bc8ed21cc444d4643e8f30621da648a8f0dd2f24a22998150ef2
Instruction Fuzzy Hash: 8A01A772509380DFC3028B64E800585BFB1EF96214B1AC4EBD5898F173D23A9957DB52

Uniqueness

Uniqueness Score: -1.00%

Function 04ADBAE8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d46fda503c1c4a230425b0a816028d37c8a9da8b4c81be453c1941a755ed65b
Instruction ID: e24f676e3298fff21b2985363c9a53733a8981baac28689c0706a72c7c190a09
Opcode Fuzzy Hash: 9d46fda503c1c4a230425b0a816028d37c8a9da8b4c81be453c1941a755ed65b
Instruction Fuzzy Hash: BD0181347042108FD714DB6AD488E6AB7EAFFC8318B15846AE51AC7361CB70FC05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 04AD73A0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b28c6fc4a70f117f01269904602f4726bbbcfcff28a7a0af9f90f04cc46fc19
Instruction ID: f641ff3504d31d2d92ba5b22916e7dd882f7198e90eabf2a9be0b7bd792488d0
Opcode Fuzzy Hash: 5b28c6fc4a70f117f01269904602f4726bbbcfcff28a7a0af9f90f04cc46fc19
Instruction Fuzzy Hash: A8F0BB71B001149B9F1577EC59504FFBBBAEBC8514B000029D506A7340CF362D0287E9

Uniqueness

Uniqueness Score: -1.00%

Function 04ADDBD9 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee0646cfda76623d060ac031f5f3e6042c6395e8a1ee8156270d56081ad22caf
Instruction ID: ba0e852d9ff1d8fd9f76db13969e5b8b373d374916553fdfd2861f0ceea9dcef
Opcode Fuzzy Hash: ee0646cfda76623d060ac031f5f3e6042c6395e8a1ee8156270d56081ad22caf
Instruction Fuzzy Hash: 00F0F672A145659BEB14EF75EC405BFB7F6FFC0625B058A3BD015DB290EA706801C394

Uniqueness

Uniqueness Score: -1.00%

Function 04AD20D0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22452b0ce5e9d9332a78db066f401325bcb9a81e05694b4dc8e3869ccc14feb1
Instruction ID: 8807d40ce1a8f36d4bb2c0d64a1077942ce2775d5b79cbd1515b3f7e7a1a2e79
Opcode Fuzzy Hash: 22452b0ce5e9d9332a78db066f401325bcb9a81e05694b4dc8e3869ccc14feb1
Instruction Fuzzy Hash: D6F054327046155F9614DB6AE88485AB7AAEBD52293054A7EE20AC7321CF71ED068790

Uniqueness

Uniqueness Score: -1.00%

Function 04AD1D48 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e454243761f8335abd50ec9077b0c68425b12d8faa3768b0a5997faa2fc7e04
Instruction ID: 852e5071d34d687258de14f084e65679b3ae5c2d60fbfc787751f169c9c793ed
Opcode Fuzzy Hash: 2e454243761f8335abd50ec9077b0c68425b12d8faa3768b0a5997faa2fc7e04
Instruction Fuzzy Hash: 94F06D35A147048BCB15BB78D5045EEB7B9EFC5228F04066ED98A6B200EF70BA82C6D1

Uniqueness

Uniqueness Score: -1.00%

Function 04ADDBE8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c7eaa349db4f9926886d587a0de7f2c6c42b57014788a939d83f4428c90ff05
Instruction ID: 2e9dff1e4709fa3907e7a7cf0569801521ab3b63992abeb2a378f82a8364dda3
Opcode Fuzzy Hash: 0c7eaa349db4f9926886d587a0de7f2c6c42b57014788a939d83f4428c90ff05
Instruction Fuzzy Hash: 3CF02472A041255BDB14DF6AE8805BFF7FAFFC0625F10853AD00997340EA70AC0283D4

Uniqueness

Uniqueness Score: -1.00%

Function 04AD0040 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4af12c39103d9777de318cf89d1bdb4ba80d1b51b81a69ba546803b32b7c451a
Instruction ID: 75b899f37633fdb37a0aa1650311f3d4e39e48bdfc8b165a6c3ecc8b4911f7fb
Opcode Fuzzy Hash: 4af12c39103d9777de318cf89d1bdb4ba80d1b51b81a69ba546803b32b7c451a
Instruction Fuzzy Hash: 1FF082313081119BEB24AB2AC444A7B33EAAFC4A5EB08402DD407C7A90EE61FC41E791

Uniqueness

Uniqueness Score: -1.00%

Function 04AD1DBB Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b79351edcabebbba022e3b60e651031a061659d8810fe5a83fbcad68193caa0
Instruction ID: 8a47edaf53eead896856b62b866dde107c2956007b71ce4e26ed40c2a371c5df
Opcode Fuzzy Hash: 3b79351edcabebbba022e3b60e651031a061659d8810fe5a83fbcad68193caa0
Instruction Fuzzy Hash: 42F0F635300610CFC720AB26D48495EB7B7EFC9725344059ED00A87730CB71AC86CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04AD20BF Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17b9f6716828c7a6f39a712f41f87691959f9399d32005bbe4a4c2be0ce89c5b
Instruction ID: 2ee5ee5a7df6bc10ee7c2f5a15eea93935fdf5e9179dc9d78681526a036f9b79
Opcode Fuzzy Hash: 17b9f6716828c7a6f39a712f41f87691959f9399d32005bbe4a4c2be0ce89c5b
Instruction Fuzzy Hash: 5AF0E9313003155FC7149F6AD488A5AB7EAEFD5215B0049BCE206C7321CF71EC0687D0

Uniqueness

Uniqueness Score: -1.00%

Function 04AD2128 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9497953978a2e4b7e4189eefb740286bc01baa4ec1166a775f6c611838f3402f
Instruction ID: 06a1773912a0e4dbae57bb16bb5ff5902ac616f3a62782e9091993c11adb52aa
Opcode Fuzzy Hash: 9497953978a2e4b7e4189eefb740286bc01baa4ec1166a775f6c611838f3402f
Instruction Fuzzy Hash: F9F0F435204650CFC309DB28D499D99BBF1EF8A71831684E9E50ACB372CB72EC46CB80

Uniqueness

Uniqueness Score: -1.00%

Function 04AD1DC8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f0a0523de7c463a4c3176ed3de39b75a6dc2c1bb898b0d666ee6d6b2ca2c5ec
Instruction ID: ef56674a54a034ba80894cf5c83c54263ce5e3667e4d9c805caae568d7df1a8b
Opcode Fuzzy Hash: 6f0a0523de7c463a4c3176ed3de39b75a6dc2c1bb898b0d666ee6d6b2ca2c5ec
Instruction Fuzzy Hash: F2F054313006148FC724AB1AD48495EB7ABEFC9725754066DE50A87720CF71BC42CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 04ADDE00 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddeb6949736f2926c50ffefa49f5be1889a0be06795e0512154516b9c12d06ab
Instruction ID: d7adf792fb527242d3639e736243cb1083ee88a378517e39f4fe4100dfccbbc1
Opcode Fuzzy Hash: ddeb6949736f2926c50ffefa49f5be1889a0be06795e0512154516b9c12d06ab
Instruction Fuzzy Hash: E2F055343042544BE304EB38D0527DA3BA2CB8A708F0040AAD0898F3A3CDAAAC074BD1

Uniqueness

Uniqueness Score: -1.00%

Function 04AD0A14 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b886fd58f454b4ba88d2c2b42f4387aa9cd924ef77da2ea4e421fcba2bfe8c9
Instruction ID: 8f999d1ebd97e6b8558057bafec68dd34e7a44c92430ba7db0679975f10deaca
Opcode Fuzzy Hash: 6b886fd58f454b4ba88d2c2b42f4387aa9cd924ef77da2ea4e421fcba2bfe8c9
Instruction Fuzzy Hash: A4E06DA2A1E3800FD3035EACA850088BFB1EA5352034A86CBD181CB293C114A847C772

Uniqueness

Uniqueness Score: -1.00%

Function 04AD1A10 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 659cf99e0c55b0c6dadfbd623fc3c9ab6a41f40f17ad73e9c166225ba8340660
Instruction ID: 3145fed54ae75da5b500c3c0a0b900b82d602c4ead18588a75bc97afa5737fc4
Opcode Fuzzy Hash: 659cf99e0c55b0c6dadfbd623fc3c9ab6a41f40f17ad73e9c166225ba8340660
Instruction Fuzzy Hash: E0F0EC73904B884AEB019F68E4542D47FF0EB95704F14C54BD4890B167FBF552E6D781

Uniqueness

Uniqueness Score: -1.00%

Function 04AD2138 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62480b0d81a6c0cca11ce355057affad1eec12f664341707230c8bfd51fbadf1
Instruction ID: c868716707ff75aff86acdf37b7a241d8e45d044d93ed4860cdccb0797ce3b3b
Opcode Fuzzy Hash: 62480b0d81a6c0cca11ce355057affad1eec12f664341707230c8bfd51fbadf1
Instruction Fuzzy Hash: 6DF0DF31200610CFC318DB28D588C5977E5EF49B1931688E9E10ACB372CB72EC40CB80

Uniqueness

Uniqueness Score: -1.00%

Function 04AD6830 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a573797462a2db4ba70ec099badd94b604573b865bb444ba24e39e78a040c519
Instruction ID: a368e7e697c625c2b61a8d6972103d83c5696fce01c28286284ea33f6bf20f88
Opcode Fuzzy Hash: a573797462a2db4ba70ec099badd94b604573b865bb444ba24e39e78a040c519
Instruction Fuzzy Hash: 4EF0E574509245EFC700EFB4F88245D7FB6EB96300B1180A9D804EF653D6341F0A9B62

Uniqueness

Uniqueness Score: -1.00%

Function 04AD7CD8 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d58cb770cec0bac71872629a4cf0399eba778d85a305fc1d616e6497eeefcf0d
Instruction ID: 81acdd71fa6ef291a8fbe9d6bd2e4e568f2c60d675a6e5de27cd92f429fcd966
Opcode Fuzzy Hash: d58cb770cec0bac71872629a4cf0399eba778d85a305fc1d616e6497eeefcf0d
Instruction Fuzzy Hash: 68E04F72B002182F6708DABA8C015EFBAEECBC4154B10847AD50AD3204EE30AD0147D0

Uniqueness

Uniqueness Score: -1.00%

Function 04AD099B Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99478badcde7772140191d954b8e42fce16c6baab1fbd0ccd1ace0f0dd04a864
Instruction ID: b709b01e06d52884f58f280537d5821c55910349ce40b84406edf97d4213e85f
Opcode Fuzzy Hash: 99478badcde7772140191d954b8e42fce16c6baab1fbd0ccd1ace0f0dd04a864
Instruction Fuzzy Hash: FAE0D8326086401F9310E62EE88088BAB97EED16143494E6FD185CB262DE60AC0747E5

Uniqueness

Uniqueness Score: -1.00%

Function 04ADEA35 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11e7bb6ce83ccfae64ef8ad4d6c4093fa2b14fe1b7be734eaf9f4ae8ad68a7bb
Instruction ID: f0f339e53ff39a2e380e7db03e1a124ae4899a6496cb06d86fa8aa30bc90002b
Opcode Fuzzy Hash: 11e7bb6ce83ccfae64ef8ad4d6c4093fa2b14fe1b7be734eaf9f4ae8ad68a7bb
Instruction Fuzzy Hash: 62F01270A44A068BDB14EFB5C4547AE7AB1FF44715F84843DC007EA650DF385885CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04ADE5A8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ac8ba111e3f304d65c48dce035ee123db44695b81f471b41b2d20de2d99e058
Instruction ID: 76c8f2e83ede8e25f4a05091f700d51576a2bc50ef06eaa3954c10c1e7f55529
Opcode Fuzzy Hash: 7ac8ba111e3f304d65c48dce035ee123db44695b81f471b41b2d20de2d99e058
Instruction Fuzzy Hash: FEE06D31A002199FCB10EB6DD8086DEB7F4EB88325F004529D90AD3340E774AA1ACFD0

Uniqueness

Uniqueness Score: -1.00%

Function 04AD19F0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d59c9f250cc56456a2f332390ef12b8910542c7cd88ecedf64e8fe6f1b0a9a63
Instruction ID: a1bb197753e7df1d8a324eaab63b851ca8cfcf635c87fbed330ed74d3616fab5
Opcode Fuzzy Hash: d59c9f250cc56456a2f332390ef12b8910542c7cd88ecedf64e8fe6f1b0a9a63
Instruction Fuzzy Hash: 9CE09B719057459FEB01AB74C4500AC7BB0EE92250B11C2CBD4864A166F7305687D751

Uniqueness

Uniqueness Score: -1.00%

Function 04AD7C86 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e635b0b05cb6b5d2ef88ff12d38a6f0d8e70a8ea670556d64b0fa0466ec4a0c0
Instruction ID: e629d7cc3bfd7e0db66eb2b60f2be8ca77b142468451dc4d183a1ad57d6f649d
Opcode Fuzzy Hash: e635b0b05cb6b5d2ef88ff12d38a6f0d8e70a8ea670556d64b0fa0466ec4a0c0
Instruction Fuzzy Hash: 91E04F79A5122DDFDB189F81E504BFDBBB0FB8531AF204422D113B1550DB712980CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 04ADDE10 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3c7f34225501014e39edb4dc55eaf20c2c34c7b8b10d354edc5e81529f2ba71
Instruction ID: 3aa3fb8beaf3dda173b0353ea269556a82d9235a4505af1b5976ae03c52b90b6
Opcode Fuzzy Hash: c3c7f34225501014e39edb4dc55eaf20c2c34c7b8b10d354edc5e81529f2ba71
Instruction Fuzzy Hash: E6E086307106248BF708AB79D415BDB36DA9B89B55F0044ADE14E8F3A1CEF6AC414BD5

Uniqueness

Uniqueness Score: -1.00%

Function 04AD2E4C Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d48921fc971eddb7b354fdf56bb68293119cb92d0d21aecb563f041f75fa8c8
Instruction ID: b4bae813ca308af4408b3afd3110ffbb01c3044b705dbafb8ad34dbb9d666063
Opcode Fuzzy Hash: 3d48921fc971eddb7b354fdf56bb68293119cb92d0d21aecb563f041f75fa8c8
Instruction Fuzzy Hash: 5BF0C936A0110ECFCB54EFA4D6446DCB7B1EB8C315F2000A9D406B7210DB326E41CF60

Uniqueness

Uniqueness Score: -1.00%

Function 04AD8AF8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c34ab101c5af3d8093e547d54d062a207a583040071c744dff614bfa16f50872
Instruction ID: 94ff01de18147bcaea45dd77cf4a5568fb3ed68ad211d6d6564af7ae81cb1fc6
Opcode Fuzzy Hash: c34ab101c5af3d8093e547d54d062a207a583040071c744dff614bfa16f50872
Instruction Fuzzy Hash: 01E0488050EAD44FDB1397B9A9653953FB05763305F850495D4D4872E7C45C4579C722

Uniqueness

Uniqueness Score: -1.00%

Function 04AD6840 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0012da431735bee9457c08cca5627d6d574dcc0d624b0fde019a16bce7b1bec
Instruction ID: 613a6221b81c3412e6c21008f8b531f69890af7117e19971293959609f746cc8
Opcode Fuzzy Hash: a0012da431735bee9457c08cca5627d6d574dcc0d624b0fde019a16bce7b1bec
Instruction Fuzzy Hash: EEE08674A00208EF8B00EFB5E94185DB7B9EB5531475144A8D804EF705DB351F00DB56

Uniqueness

Uniqueness Score: -1.00%

Function 04AD1E20 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02597d354a639fc4b039949c57bad6ceca1ab1a56e36c793124eed97deb0af0c
Instruction ID: 547cece39f5c878533724662411089f875333dc65dced1a3100333968f7b0edd
Opcode Fuzzy Hash: 02597d354a639fc4b039949c57bad6ceca1ab1a56e36c793124eed97deb0af0c
Instruction Fuzzy Hash: 98D0A7113051A123D245923E740DBA9E985DBCA325F5801EEE240D3289CD744C4243D5

Uniqueness

Uniqueness Score: -1.00%

Function 04ADE570 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5c1164a807af0f061c602390aca7fa673432ccb04b6ad042e3b5206f3398302
Instruction ID: d545c1b1ec98b30076d0bead15bf7b1849c40fe058544e9090b9b9ee62e25bb5
Opcode Fuzzy Hash: a5c1164a807af0f061c602390aca7fa673432ccb04b6ad042e3b5206f3398302
Instruction Fuzzy Hash: 19D013B44096818FF715DE15B5011C47FF2DFA5548B55D4D9C5C04751ED535544BD700

Uniqueness

Uniqueness Score: -1.00%

Function 04ADE910 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca07cb4a8244fd213871353ebc7b53b30858cfcd75859d38c893190ffbf32c76
Instruction ID: 3e062856b7c3067b038b91452513d5d58afcbb51ae96a547508270291a62ba6b
Opcode Fuzzy Hash: ca07cb4a8244fd213871353ebc7b53b30858cfcd75859d38c893190ffbf32c76
Instruction Fuzzy Hash: 77D05E3850EBC28FCB02DF65D9A6485BFB1AA9660074946EED4854E163DA246C0BCF51

Uniqueness

Uniqueness Score: -1.00%

Function 04AD8AA0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9edf42b2b23fbd48f52f461fed9b3a1449b26356eeda69788b42d103c5c1bbea
Instruction ID: 3a54fec1857c9bd3eb15b2570aaeff89d6814eadf9b542b1ca8004063239945d
Opcode Fuzzy Hash: 9edf42b2b23fbd48f52f461fed9b3a1449b26356eeda69788b42d103c5c1bbea
Instruction Fuzzy Hash: BCD0223031020A83DB447BA4A41877533BCAF80204F88002DF41FC2510EB1AF881D610

Uniqueness

Uniqueness Score: -1.00%

Function 04AD8A8F Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0a9eb075811bf1517a6f15111f9d0221ec3e02a3ee653c528a91bc1c848c810
Instruction ID: a6a2be792dbe9609dbfa88e9b360bda89d085b8731304f1a99245d786736a2ab
Opcode Fuzzy Hash: d0a9eb075811bf1517a6f15111f9d0221ec3e02a3ee653c528a91bc1c848c810
Instruction Fuzzy Hash: BED0A7A155E7848DE70137602B142C13B34EC932A474E00EFD05985963D5185205D723

Uniqueness

Uniqueness Score: -1.00%

Function 04ADAA08 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9a836c35046e29ea013938a9a228356dce3408e212d7098118a3edf7ceb2b4a
Instruction ID: a9ef9c9b5d101559492c97c1751004bc252b6ee0ac5d83994dbffeb2b26249ea
Opcode Fuzzy Hash: b9a836c35046e29ea013938a9a228356dce3408e212d7098118a3edf7ceb2b4a
Instruction Fuzzy Hash: 23C080544083C56FF71137B5D50D3557F9CDF4225EF5540C1E905D1183DA14B457C751

Uniqueness

Uniqueness Score: -1.00%

Function 04AD8140 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f17ff545c7f00002d9cdd85294d1fa9687e1976b410a3d04434220a0299cc9fc
Instruction ID: 110323b48eb1e5ee60aa92521c53f8d4083227d75c72bb890d6b8895e173934b
Opcode Fuzzy Hash: f17ff545c7f00002d9cdd85294d1fa9687e1976b410a3d04434220a0299cc9fc
Instruction Fuzzy Hash: 5AB09B2171413413D50A319DA4105EE728D4795568F400077D50EA7B418DD55D4103DA

Uniqueness

Uniqueness Score: -1.00%

Function 04ADAA18 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7cbebbcee3ba519ee90a82df333a1db8a92108f82ba1d622691e6d2dad66166
Instruction ID: b529df20e86e360ececeb53cf4dd07ea9c4f673fda5dd64e21984474e34adc50
Opcode Fuzzy Hash: e7cbebbcee3ba519ee90a82df333a1db8a92108f82ba1d622691e6d2dad66166
Instruction Fuzzy Hash: 62B092315586485E6E403BF17A0816A33CC9B4016A7840061B80EC0540EA29F8208061

Uniqueness

Uniqueness Score: -1.00%

Function 04ADFDD0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ea549631d59f06e1cbc7873aee82570531c71c2924e057a60212b238144f956
Instruction ID: b256a522c04c66430a2958f4e8b773c5ad8c6119e01bcff0882dcf994a3e9acf
Opcode Fuzzy Hash: 8ea549631d59f06e1cbc7873aee82570531c71c2924e057a60212b238144f956
Instruction Fuzzy Hash: 7BC0023B000108EFCB025F80EC08C85BFBAEB48310705C091F6098B072DB76D564EB51

Uniqueness

Uniqueness Score: -1.00%

Function 04ADCAF4 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.362971464.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ad0000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 902100aaf0824ff0d5ae2a6b63183994ebc2712604bc74ff8fbe0efede7858e1
Instruction ID: 80fe4e801b8ccf41ccaad0fc1c8275ef72595398921f84678d7162df9b54ddfb
Opcode Fuzzy Hash: 902100aaf0824ff0d5ae2a6b63183994ebc2712604bc74ff8fbe0efede7858e1
Instruction Fuzzy Hash: 31B0127033440083F6406B7041887173010FF9023CFC44CA8910B8D116CB3AA5054FB2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0248E720 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.346487921.0000000002480000.00000040.00000800.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3e4d5a391ae12f26aeb6beb9e7be2e36cc55fda9fde41a15073fc125bfa7756
Instruction ID: b4243ffe101549b1ac6f479a2118df93fb1aa89a76fe4da379702cc8531df1b4
Opcode Fuzzy Hash: c3e4d5a391ae12f26aeb6beb9e7be2e36cc55fda9fde41a15073fc125bfa7756
Instruction Fuzzy Hash: 0B1293F1411F468AD330CFA5ED985893BA1B745328F944308D2A56BAF1DBFC116ACF94

Uniqueness

Uniqueness Score: -1.00%

Function 0248C414 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.346487921.0000000002480000.00000040.00000800.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1893df4b107beb2a59924d4e1de97b409aecbecce8a6bbf8f6b5ab3e7e8fea1
Instruction ID: 45732551eba7385184f710cad0c6f1f9baad3abd5725724684eecc5c52e56535
Opcode Fuzzy Hash: f1893df4b107beb2a59924d4e1de97b409aecbecce8a6bbf8f6b5ab3e7e8fea1
Instruction Fuzzy Hash: 1CA17E32E10219CFCF15EFB5C8845AEBBB2FF85300B15816BE905AB261EB75A945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0248E710 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.346487921.0000000002480000.00000040.00000800.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a605d16390374d33300d6fb9f083b9e4877e15feef39422f67bd24eb28bca8f5
Instruction ID: 0f5edd51b6a6e568541b2eaa03017a4e0b1ab24e677c6792c85e75363a2977a7
Opcode Fuzzy Hash: a605d16390374d33300d6fb9f083b9e4877e15feef39422f67bd24eb28bca8f5
Instruction Fuzzy Hash: F3C109B1411F46CAD720CFA5EC885893BA1BB85328F544318D2A16BAF0DFFC116ACF94

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exePID: 4128, Parent PID: 3256COMMON

Execution Graph

Execution Coverage:	13.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	932
Total number of Limit Nodes:	79

Executed Functions

Function 065739C0 Relevance: 1.6, APIs: 1, Instructions: 84libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00000001), ref: 06573A44

Memory Dump Source

Source File: 00000003.00000002.592756122.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6570000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bbe7a6e624431be790f0eaeb9631b5de0c6c61354e46cbd6a76996f262ec2a60
Instruction ID: 6d29edcecaf84cf095910c2d983441ee3adff5cbe9cf8cb0f7c98611c1b00b70
Opcode Fuzzy Hash: bbe7a6e624431be790f0eaeb9631b5de0c6c61354e46cbd6a76996f262ec2a60
Instruction Fuzzy Hash: 533198306003048FCB54DF79D545AAEBBE6EF89214B14887DE4029B750EB3AED42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0657B7A1 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.592756122.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6570000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce5eafdba53818642de34d525f5b8ab48f736372cbe467dda4cc7a1563cc9675
Instruction ID: 015490fd5f6485e2aa5e849ca5dc48aa1ae05ccd241d55d414e6b6bbc29ce3ab
Opcode Fuzzy Hash: ce5eafdba53818642de34d525f5b8ab48f736372cbe467dda4cc7a1563cc9675
Instruction Fuzzy Hash: 4A51F278E05208DFDB04EFA4E959AADBBF2FB49310F10806AE805B7354DB359A45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04E0FAA0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 280
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

{;np, xrefs: 04E0FC26
{;np, xrefs: 04E0FC46

Memory Dump Source

Source File: 00000003.00000002.588398474.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4e00000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID: {;np${;np
API String ID: 0-2546577353
Opcode ID: d3e3b01a7201ee7f31a59acd776f9ff69a0596f7e05a37a680d65e150825bd3f
Instruction ID: 3ee180339e9fd933f7adca0cd4cd808eeba11c1ff2c25446fd5afca6f2ac30f3
Opcode Fuzzy Hash: d3e3b01a7201ee7f31a59acd776f9ff69a0596f7e05a37a680d65e150825bd3f
Instruction Fuzzy Hash: B191A971C083889FDF12CFA5C891ACDBFB1EF4A304F15819AE454AB262C375A996CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06573558 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 203
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

{;np, xrefs: 06573661
{;np, xrefs: 0657363E

Memory Dump Source

Source File: 00000003.00000002.592756122.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6570000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID: {;np${;np
API String ID: 0-2546577353
Opcode ID: beda59a12d635f7d90c47ea66e5a151d3de9f6a228eaf194a3a89ae937c71a81
Instruction ID: 8ae2a6e049847d8f12cce48a079cf697375797c5df176f37739a55378e8a2acb
Opcode Fuzzy Hash: beda59a12d635f7d90c47ea66e5a151d3de9f6a228eaf194a3a89ae937c71a81
Instruction Fuzzy Hash: 78817AB1D04349CFDB54CFA9E884ADEBBB1FF88314F24852AD415AB250DB70A949CF91

Uniqueness

Uniqueness Score: -1.00%

Function 065718FC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 140
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06573738

Strings

{;np, xrefs: 06573661
{;np, xrefs: 0657363E

Memory Dump Source

Source File: 00000003.00000002.592756122.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6570000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID: Query_
String ID: {;np${;np
API String ID: 428220571-2546577353
Opcode ID: 699b121b81fe92d83c1589d8e8654c5c04230de00069c5c33fac0a27164bca7c
Instruction ID: b75c800bde99e6e3c0916d71fc260740dd10875ef07a35d39b4aa0814e0182c0
Opcode Fuzzy Hash: 699b121b81fe92d83c1589d8e8654c5c04230de00069c5c33fac0a27164bca7c
Instruction Fuzzy Hash: 395112B1D00658DFDB54CFA9D884BDEBBB1FF48314F248129E815AB250DB70A946CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06573604 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06573738

Strings

{;np, xrefs: 06573661
{;np, xrefs: 0657363E

Memory Dump Source

Source File: 00000003.00000002.592756122.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6570000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID: Query_
String ID: {;np${;np
API String ID: 428220571-2546577353
Opcode ID: ca304bdfa0c3178f04117d76da383000c433b7d5c60a3926f805f51747eba2c9
Instruction ID: dce9d704f98263af3595e30dc5f36f1e484958129c7affaddcee01b70b95e703
Opcode Fuzzy Hash: ca304bdfa0c3178f04117d76da383000c433b7d5c60a3926f805f51747eba2c9
Instruction Fuzzy Hash: 5A5121B1D00259CFDB54CFA9D984BDDBBB1FF48314F24812AE815AB250DB70A946CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04E0DA04 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04E0FD0A

Strings

{;np, xrefs: 04E0FC26
{;np, xrefs: 04E0FC46

Memory Dump Source

Source File: 00000003.00000002.588398474.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4e00000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID: CreateWindow
String ID: {;np${;np
API String ID: 716092398-2546577353
Opcode ID: 5527f5d1b5c2ebf37a17bf064d2341b0521e063ca4ad09173b31f9b77f97f266
Instruction ID: 24b8e3e622f2f014b1e44bd52fda4c5db521972a23933bc7003565ebe9ae7d8b
Opcode Fuzzy Hash: 5527f5d1b5c2ebf37a17bf064d2341b0521e063ca4ad09173b31f9b77f97f266
Instruction Fuzzy Hash: 3E51B3B1D00309DFDB14CF99C984ADEBBB5FF48314F24852AE415AB250D7B5A985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04E093E8 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 04E0962E

Strings

{;np, xrefs: 04E095E7

Memory Dump Source

Source File: 00000003.00000002.588398474.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4e00000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID: HandleModule
String ID: {;np
API String ID: 4139908857-507495909
Opcode ID: 91491b7225cf284635f7dc00ac1ab82762e5e8e2fb358e75e1ac3ba4abcfaad7
Instruction ID: ae6220a5e9fab76e256bf5d5d85371790a788f5fc6ee7302d3ad7b1b33c13d46
Opcode Fuzzy Hash: 91491b7225cf284635f7dc00ac1ab82762e5e8e2fb358e75e1ac3ba4abcfaad7
Instruction Fuzzy Hash: 9C7127B0A00B058FD724DF2AD48475AB7F1FF88318F00892DD59AD7A91D734F8858B91

Uniqueness

Uniqueness Score: -1.00%

Function 04F545F4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 04F546B1

Strings

{;np, xrefs: 04F54634

Memory Dump Source

Source File: 00000003.00000002.589261578.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f50000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID: Create
String ID: {;np
API String ID: 2289755597-507495909
Opcode ID: 02863015368134d415992d1cdf17090fabc14e178b11bf739c5ff8640bac42d3
Instruction ID: 7b167d51e2fba79d54a4e72c00f4b18357d01b91d22ae0489db3d3cd382d88d3
Opcode Fuzzy Hash: 02863015368134d415992d1cdf17090fabc14e178b11bf739c5ff8640bac42d3
Instruction Fuzzy Hash: 9341F575C00618CFDB24CFA9D884BCDBBB1FF89308F10816AD509AB260DB756986CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04F53474 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 04F546B1

Strings

{;np, xrefs: 04F54634

Memory Dump Source

Source File: 00000003.00000002.589261578.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f50000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID: Create
String ID: {;np
API String ID: 2289755597-507495909
Opcode ID: 6d3fe19a64dfe7cdfd1f912fd045099a93db40402de191729cb52fd3535108fa
Instruction ID: 3ef7ccccc634f3e97fedc3261fc5552cc0cede02f6f681fe69c8a0df76e86ec1
Opcode Fuzzy Hash: 6d3fe19a64dfe7cdfd1f912fd045099a93db40402de191729cb52fd3535108fa
Instruction Fuzzy Hash: BA41E371C0461CCBDB24CFA9C885B9DBBF5BF49304F108159D909BB261DB756986CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04F52470 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04F52531

Strings

{;np, xrefs: 04F52487

Memory Dump Source

Source File: 00000003.00000002.589261578.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f50000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID: CallProcWindow
String ID: {;np
API String ID: 2714655100-507495909
Opcode ID: a560576b011ed3397d4f844809c5c0988cf9ea5334cbd7b0ed8ea59d69a26522
Instruction ID: c7981fc286bcb077d1dccf1348ad0f9e74ba930d888982eca85441ca349d5711
Opcode Fuzzy Hash: a560576b011ed3397d4f844809c5c0988cf9ea5334cbd7b0ed8ea59d69a26522
Instruction Fuzzy Hash: CE4118B5A002058FDB14CF99C488AAABBF5FB88314F158599D919AB361D774E842CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 04F5B898 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 85
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

{;np, xrefs: 04F5B902

Memory Dump Source

Source File: 00000003.00000002.589261578.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f50000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID: CreateFromIconResource
String ID: {;np
API String ID: 3668623891-507495909
Opcode ID: 813f917ddbe87c4f7cfa366876a0c18751b9b60c0f541897eaa81133aee33960
Instruction ID: e9666c889c2e7ac221a2a7357808fe4bd20c25cdf52d02d1d04ba91d87f02f93
Opcode Fuzzy Hash: 813f917ddbe87c4f7cfa366876a0c18751b9b60c0f541897eaa81133aee33960
Instruction Fuzzy Hash: 3D31BC72804349DFCB01CFA9C844ADEBFF4EF09310F04805AEA54AB261C335A951DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04E0FE02 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,04E0FE28,?,?,?,?), ref: 04E0FE9D

Strings

{;np, xrefs: 04E0FE5A

Memory Dump Source

Source File: 00000003.00000002.588398474.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4e00000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID: LongWindow
String ID: {;np
API String ID: 1378638983-507495909
Opcode ID: d95dd619b872fd504d947d0db00b6a603dc81e1cd684b4d0728a6b16752b9e17
Instruction ID: 98f0a38353e9182abc6d90e26b8b164558ac7c43ff81ce3263c43713655670a3
Opcode Fuzzy Hash: d95dd619b872fd504d947d0db00b6a603dc81e1cd684b4d0728a6b16752b9e17
Instruction Fuzzy Hash: D621A9B1804248DFDB21CF95E889BCABFF4FB48314F05804AD865AB252C375A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04F5E6B0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00F753E8,00000000,?), ref: 04F5E73D

Strings

{;np, xrefs: 04F5E6FA

Memory Dump Source

Source File: 00000003.00000002.589261578.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f50000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID: MessagePost
String ID: {;np
API String ID: 410705778-507495909
Opcode ID: fa137796dd93afe405055b70c21e84c998abcb6f7b80e30f287299323a44333b
Instruction ID: 59ed4a3756233e97b6074be2ce56ee40143f1f659e2008a7afa518262426cf08
Opcode Fuzzy Hash: fa137796dd93afe405055b70c21e84c998abcb6f7b80e30f287299323a44333b
Instruction Fuzzy Hash: DB21D2B19003459FDB10CF9AD885BEEBFF4EF58320F14846AD564A7251C374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04E0BCF9 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,04E0BCC6,?,?,?,?,?), ref: 04E0BD87

Strings

{;np, xrefs: 04E0BD1F

Memory Dump Source

Source File: 00000003.00000002.588398474.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4e00000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID: DuplicateHandle
String ID: {;np
API String ID: 3793708945-507495909
Opcode ID: 6df45094151427559e52b052ac37758646b29735dddb793a4c1691813afbe594
Instruction ID: 5690990f2ee7702a8c4f7f220261eb62e3d9f4f03a54c86f46b947f834081003
Opcode Fuzzy Hash: 6df45094151427559e52b052ac37758646b29735dddb793a4c1691813afbe594
Instruction Fuzzy Hash: 1021E6B5900208AFDB10CF9AD484ADEFFF4FB48324F14841AE915A3350D374A945DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04E0A14C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,04E0BCC6,?,?,?,?,?), ref: 04E0BD87

Strings

{;np, xrefs: 04E0BD1F

Memory Dump Source

Source File: 00000003.00000002.588398474.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4e00000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID: DuplicateHandle
String ID: {;np
API String ID: 3793708945-507495909
Opcode ID: b890545b07dab2c131d200dcf1f04215609b8d1606587cb996b0263b518f6078
Instruction ID: e5d8d7de07a05976840afac2e25da15c11878b2a9e775bf486efc762ed606fa5
Opcode Fuzzy Hash: b890545b07dab2c131d200dcf1f04215609b8d1606587cb996b0263b518f6078
Instruction Fuzzy Hash: D521D2B5900208AFDB10CF9AD984BEEFBF8FB48324F14841AE915A3350D374A944DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04E09849 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,04E096A9,00000800,00000000,00000000), ref: 04E098BA

Strings

{;np, xrefs: 04E0986F

Memory Dump Source

Source File: 00000003.00000002.588398474.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4e00000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID: LibraryLoad
String ID: {;np
API String ID: 1029625771-507495909
Opcode ID: 88b4878dcd94f3155c8b71908adbea7d9b269aeacc573888ae4006c22fb26904
Instruction ID: 3a14960e7e597540c608e09328ac5cf7028621ccdc7b295b039a54997e1a5aa8
Opcode Fuzzy Hash: 88b4878dcd94f3155c8b71908adbea7d9b269aeacc573888ae4006c22fb26904
Instruction Fuzzy Hash: C61103B68002099FDB10CF9AC444BDEFBF4EB88314F14842ED429A7341C375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04F5A504 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,04F5B8B2,?,?,?,?,?), ref: 04F5B957

Strings

{;np, xrefs: 04F5B902

Memory Dump Source

Source File: 00000003.00000002.589261578.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f50000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID: CreateFromIconResource
String ID: {;np
API String ID: 3668623891-507495909
Opcode ID: 1d305044a0f1f6cc9bc6b864df85e659ff13cee9b20296977007448448c21703
Instruction ID: c6924bdd1014a366b3a0ca405bc12e453744713a6eed7bc79bde38c40f075e08
Opcode Fuzzy Hash: 1d305044a0f1f6cc9bc6b864df85e659ff13cee9b20296977007448448c21703
Instruction Fuzzy Hash: 561159758002099FDB10CF9AC844BDEBFF8EB48364F14841AE955B3260C375A950DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04E08768 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,04E096A9,00000800,00000000,00000000), ref: 04E098BA

Strings

{;np, xrefs: 04E0986F

Memory Dump Source

Source File: 00000003.00000002.588398474.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4e00000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID: LibraryLoad
String ID: {;np
API String ID: 1029625771-507495909
Opcode ID: c9dad08724d9470561f999d75fc4ad0304b6aa7278a5d995ef7c062a565433ef
Instruction ID: 9bffa27b6b449273aaf5c240f73561877e6fe7273734ac6d26da37c0827f68ff
Opcode Fuzzy Hash: c9dad08724d9470561f999d75fc4ad0304b6aa7278a5d995ef7c062a565433ef
Instruction Fuzzy Hash: E411F2B69002099BDB20CF9AC444BDEBBF4EB48324F14842ED529B7741C375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04F532D8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 51windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00F753E8,00000000,?), ref: 04F5E73D

Strings

{;np, xrefs: 04F5E6FA

Memory Dump Source

Source File: 00000003.00000002.589261578.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f50000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID: MessagePost
String ID: {;np
API String ID: 410705778-507495909
Opcode ID: fe2fe9cefcccfe3367d8e620d2de34714687cf15429ebf3097a300a374aa1f38
Instruction ID: 0da9fcc8ba1b813ef287c47e4cff93dfa39d84c8848ad0b3c4c16718d9218a76
Opcode Fuzzy Hash: fe2fe9cefcccfe3367d8e620d2de34714687cf15429ebf3097a300a374aa1f38
Instruction Fuzzy Hash: ED116AB58003099FDB10CF9AC485BEEBBF8FB58360F10841AE955B3250D374AA41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04F5C3D0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000020A,?,?,?,?,?,?,04F5226A,?,00000000,?), ref: 04F5C435

Strings

{;np, xrefs: 04F5C3F2

Memory Dump Source

Source File: 00000003.00000002.589261578.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f50000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID: MessageSend
String ID: {;np
API String ID: 3850602802-507495909
Opcode ID: 45ab827eaebba0e23d004aa3e4b13669fc1fde9af0a05dd3b3bb45af4708d377
Instruction ID: 26a198a362df4c2625f4239eb12fed4bacc114d64b94213323a31ae992834df5
Opcode Fuzzy Hash: 45ab827eaebba0e23d004aa3e4b13669fc1fde9af0a05dd3b3bb45af4708d377
Instruction Fuzzy Hash: 791125B58003499FDB10CF99C485BEFBFF8EB48360F108419D915A3200C374A985CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04F5F3D8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 04F5F435

Strings

{;np, xrefs: 04F5F3FA

Memory Dump Source

Source File: 00000003.00000002.589261578.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f50000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID: Initialize
String ID: {;np
API String ID: 2538663250-507495909
Opcode ID: 30ea4fbffdb48af7274241a9142e11d4ce178c10d50285c980344af50bb79335
Instruction ID: a5a9c1607f2ee4356502d502121c2767a0cf248ef8bb351357e59f07782aa029
Opcode Fuzzy Hash: 30ea4fbffdb48af7274241a9142e11d4ce178c10d50285c980344af50bb79335
Instruction Fuzzy Hash: 921145B58002088FCB10CFAAC488BDEBFF4EB48324F208469D519B3250C379A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04E095C8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 04E0962E

Strings

{;np, xrefs: 04E095E7

Memory Dump Source

Source File: 00000003.00000002.588398474.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4e00000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID: HandleModule
String ID: {;np
API String ID: 4139908857-507495909
Opcode ID: f96793225929b43ad87113807c536a9b368cdf311541a2530c84d9610a7f96ce
Instruction ID: 6f9205cfbe5472c42825204d12f959aafe72e1389e847829acb7f33bc07e4b15
Opcode Fuzzy Hash: f96793225929b43ad87113807c536a9b368cdf311541a2530c84d9610a7f96ce
Instruction Fuzzy Hash: 801110B6C002098FCB10CF9AD444BDEFBF4EB88324F14881AD429B7251C374A585CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04E0DA3C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,04E0FE28,?,?,?,?), ref: 04E0FE9D

Strings

{;np, xrefs: 04E0FE5A

Memory Dump Source

Source File: 00000003.00000002.588398474.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4e00000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID: LongWindow
String ID: {;np
API String ID: 1378638983-507495909
Opcode ID: 2d94e31797544c2c477f0e6ad852c2dbedddf8eec63914da8bda799110659737
Instruction ID: aa02d2d7f4e803c299468adc087991d5ab86593eb3349d4a057ad888f403c060
Opcode Fuzzy Hash: 2d94e31797544c2c477f0e6ad852c2dbedddf8eec63914da8bda799110659737
Instruction Fuzzy Hash: 921125B58002089FDB20CF8AC589BDFBBF8EB48324F10841AE915B3240C3B4A940CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04F51540 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000020A,?,?,?,?,?,?,04F5226A,?,00000000,?), ref: 04F5C435

Strings

{;np, xrefs: 04F5C3F2

Memory Dump Source

Source File: 00000003.00000002.589261578.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f50000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID: MessageSend
String ID: {;np
API String ID: 3850602802-507495909
Opcode ID: 58a9a141bbe1c07fa674b5eb3d80badf5cd727e66339d99d2d18e5731dd38bb1
Instruction ID: c14c1fbe504ad6b3129eba67a90278b6b5d1895b6bb2fd2f7dd8bc43cb913bf6
Opcode Fuzzy Hash: 58a9a141bbe1c07fa674b5eb3d80badf5cd727e66339d99d2d18e5731dd38bb1
Instruction Fuzzy Hash: 811136B58003489FDB10CF99C488BDFBBF8EB48324F108419E915B3210C3B4A940CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04F5A548 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?,?,?,?,?,?,00000000), ref: 04F5BCBD

Strings

{;np, xrefs: 04F5BC7A

Memory Dump Source

Source File: 00000003.00000002.589261578.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f50000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID: MessageSend
String ID: {;np
API String ID: 3850602802-507495909
Opcode ID: 87bd9d76d8bc1178d04a15ca2ca359246e6591215a7f497a6efdf8bec2f102fc
Instruction ID: 76ba3999f8c2fe9fd32e43452bc4e2ae86ae03666cf15fa6166f8c7f55ffd993
Opcode Fuzzy Hash: 87bd9d76d8bc1178d04a15ca2ca359246e6591215a7f497a6efdf8bec2f102fc
Instruction Fuzzy Hash: 5811F2B59007489FDB10CF9AC588BDEBBF8FB48324F108419E915B7250C375A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04F550D4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000018,00000001,?), ref: 04F5D29D

Strings

{;np, xrefs: 04F5D25A

Memory Dump Source

Source File: 00000003.00000002.589261578.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f50000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID: MessageSend
String ID: {;np
API String ID: 3850602802-507495909
Opcode ID: c4bb5ba10570bd1f3be1beabc5146b0bef7df4636ec8bd15a256ec2eb20790fa
Instruction ID: cd364bad0673ca97bc47efdb8e1efd7f938498785acd6e9be06bf5a3d157a2d4
Opcode Fuzzy Hash: c4bb5ba10570bd1f3be1beabc5146b0bef7df4636ec8bd15a256ec2eb20790fa
Instruction Fuzzy Hash: CA1103B58013089FEB10CF9AD588BDEBBF8FB48324F108419E915B7250C3B5A984CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04F5DC60 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 04F5F435

Strings

{;np, xrefs: 04F5F3FA

Memory Dump Source

Source File: 00000003.00000002.589261578.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f50000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID: Initialize
String ID: {;np
API String ID: 2538663250-507495909
Opcode ID: 74e0be4c404f4942b0302190666ad19f578a4edfcb13c151d2b6d0452257ff46
Instruction ID: 6c1aab1c4fba6c770a547eec2b931a672f6a93e8a1b203774362ef6dd8507dc1
Opcode Fuzzy Hash: 74e0be4c404f4942b0302190666ad19f578a4edfcb13c151d2b6d0452257ff46
Instruction Fuzzy Hash: 391145B59003088FDB10CF9AC488BDFBBF4EB48324F108459D619B3210C374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04F5BC59 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?,?,?,?,?,?,00000000), ref: 04F5BCBD

Strings

{;np, xrefs: 04F5BC7A

Memory Dump Source

Source File: 00000003.00000002.589261578.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f50000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID: MessageSend
String ID: {;np
API String ID: 3850602802-507495909
Opcode ID: f37ed70cba0ad6693e30b7e62e34990fc5b6f1e3f7fb4a42cb12f80c6de7b16b
Instruction ID: dfe44ed4d8152d2e9a151c2ac51a36da5f4d28169c9909f7ce193ae6f118ee32
Opcode Fuzzy Hash: f37ed70cba0ad6693e30b7e62e34990fc5b6f1e3f7fb4a42cb12f80c6de7b16b
Instruction Fuzzy Hash: 9F11F2B58007499FDB10CF9AD488BDEBBF8FB48324F148419E919A7210C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04F5D23E Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000018,00000001,?), ref: 04F5D29D

Strings

{;np, xrefs: 04F5D25A

Memory Dump Source

Source File: 00000003.00000002.589261578.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f50000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID: MessageSend
String ID: {;np
API String ID: 3850602802-507495909
Opcode ID: 0bf26f02b9eb006ee9e850fe5193e3e64d5fcd6b3e3b945b9e5c6e27aa8aee81
Instruction ID: b127e8b0a52037151ea726d61433a6ddf1efd22ede0fc43f852736894863f48a
Opcode Fuzzy Hash: 0bf26f02b9eb006ee9e850fe5193e3e64d5fcd6b3e3b945b9e5c6e27aa8aee81
Instruction Fuzzy Hash: CB11D3B58013499FDB10CF9AD588BDEBBF8EB58324F148419E919A7250C375A984CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 065739AF Relevance: 1.6, APIs: 1, Instructions: 84libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00000001), ref: 06573A44

Memory Dump Source

Source File: 00000003.00000002.592756122.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6570000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 19fd70624dea0fac2dc25c5f3cf7332bf5d5b7645c45cb1d33293a9ef4482692
Instruction ID: 3e2ae109fbabb0dcdadf56dc30c3c950e3ec7c5cf8690847519018c443d541f0
Opcode Fuzzy Hash: 19fd70624dea0fac2dc25c5f3cf7332bf5d5b7645c45cb1d33293a9ef4482692
Instruction Fuzzy Hash: 1B31DA306002048FCB50DF79D545AAEBBF6EF89214B14887DE4069B740EB3AED42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06573880 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL(?), ref: 06573912

Memory Dump Source

Source File: 00000003.00000002.592756122.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6570000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b93e9d8ba8ae8f2350dcee55c0155827a3e8dcd49150717624e0aa6a336d46a9
Instruction ID: 5fe33cd9f60aaf60e8bd43caa57999b3c3f36625100f269ca78eeb93b8120d81
Opcode Fuzzy Hash: b93e9d8ba8ae8f2350dcee55c0155827a3e8dcd49150717624e0aa6a336d46a9
Instruction Fuzzy Hash: 0A11AF70A01115DFDB94DF69E54057EB7B5BF88320B50846ED40AD7200CB31AD4ADBD1

Uniqueness

Uniqueness Score: -1.00%

Function 06573871 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL(?), ref: 06573912

Memory Dump Source

Source File: 00000003.00000002.592756122.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6570000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 12adc4927893c3e1501f3acc4101c86a8e9f679f43d4f3e2ced576353ea24d82
Instruction ID: 90fc72d91f5ef89a8ca971594d9f3de9450b6c4a84fb40f8ec4732ce9fc92712
Opcode Fuzzy Hash: 12adc4927893c3e1501f3acc4101c86a8e9f679f43d4f3e2ced576353ea24d82
Instruction Fuzzy Hash: D4119072A0621ADFDB94DF69E5405BAF7B4FF48321B10846AD50AD7200CB31A94AEBD1

Uniqueness

Uniqueness Score: -1.00%

Function 00F1D3B4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.571627002.0000000000F1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f1d000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9efd6de03cdf60abe703174e0e5d18140bb74b911e3f51e5ba2a17fef06eadc
Instruction ID: 97f954f990c17cafbbdf31c7c2f1c4423dec00596d06f25628d87429020f1699
Opcode Fuzzy Hash: f9efd6de03cdf60abe703174e0e5d18140bb74b911e3f51e5ba2a17fef06eadc
Instruction Fuzzy Hash: 28213AB2504240DFDF04DF10D9C0F66BB75FB98324F24C5A9E9054B246C336E896EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00F2D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.571689914.0000000000F2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f2d000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8abdfb7d9d56536ea9e67610fa3dfcee8ff81aef18218da7d1f12224aab83937
Instruction ID: 85faa74fca1ccc704ce60a88b758b77ce8ae7ba296af6e6ce483f2d9318db9b9
Opcode Fuzzy Hash: 8abdfb7d9d56536ea9e67610fa3dfcee8ff81aef18218da7d1f12224aab83937
Instruction Fuzzy Hash: CA210775908240DFDB14DF10E5C4B26BB65FB88324F24C5ADD90A4B26AC736D847DAA2

Uniqueness

Uniqueness Score: -1.00%

Function 00F2D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.571689914.0000000000F2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f2d000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a9eafbd23e678cbdbfa430127e1390202a77d12970138f7a862b7c876d3c916
Instruction ID: 5e68bbcdacf674885b05f4e169bca82cb5fb76e5436ede7479fafb96cda50118
Opcode Fuzzy Hash: 8a9eafbd23e678cbdbfa430127e1390202a77d12970138f7a862b7c876d3c916
Instruction Fuzzy Hash: F92192755093C08FCB12CF24D990715BF71EB46324F29C5EAD8498B6A7C33A980ADB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F1D3AF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.571627002.0000000000F1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f1d000_APPLICATION FORM MASTER SDPO Brilinskiy NEW U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 551128e7c6d65466d091f2f15192fd2998e5dd02954581d12228b02c4d7b83aa
Instruction ID: 4861478cbec01eeadf2727324c1e3ab3a9437aaae5ceed9d3b50b987df92b928
Opcode Fuzzy Hash: 551128e7c6d65466d091f2f15192fd2998e5dd02954581d12228b02c4d7b83aa
Instruction Fuzzy Hash: D711E676804280DFCF15CF10D5C4B56BF71FB98324F28C6A9D8450B616C336E896DBA2

Uniqueness

Uniqueness Score: -1.00%

Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000000.299314738.0000000000234000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamenRlQOE1.exe. vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.345324035.000000000092B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.380264249.0000000006DF0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameQuestKingdom.dllH vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.380457215.0000000006FE0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.346938414.00000000024F8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.352245428.00000000035EE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQuestKingdom.dllH vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.352245428.00000000035EE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.352245428.00000000035EE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamenRlQOE1.exe. vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.594571838.00000000072D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.594571838.00000000072D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.593893494.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.595033114.000000000731E000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.590737920.0000000005CC0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.593817105.0000000006FE0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000003.376885871.0000000006301000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.591435010.00000000060B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581179879.0000000003A41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.594220234.00000000072A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.584965011.0000000003CAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.584965011.0000000003CAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.584965011.0000000003CAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.584965011.0000000003CAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.584965011.0000000003CAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.584965011.0000000003CAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.584965011.0000000003CAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.584965011.0000000003CAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.590874533.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.594823559.00000000072F8000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.593962047.0000000007000000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.594532217.00000000072C8000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.594066194.0000000007010000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.592602875.0000000006540000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.593436718.0000000006E80000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.572765724.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.572765724.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.572765724.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.580783944.00000000039C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.580783944.00000000039C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.580783944.00000000039C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000006.00000002.457454682.00000000043BA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQuestKingdom.dllH vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000006.00000002.441282649.00000000015EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000011.00000002.500556457.0000000003E59000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000011.00000002.500556457.0000000003E59000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000011.00000002.500556457.0000000003E59000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000011.00000002.497822993.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000011.00000002.497822993.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Binary or memory string: OriginalFilenamenRlQOE1.exe. vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

AV Detection

E-Banking Fraud

Persistence and Installation Behavior

Stealing of Sensitive Information

Remote Access Functionality

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log

C:\Users\user\AppData\Local\Temp\tmp2889.tmp

C:\Users\user\AppData\Local\Temp\tmp2B48.tmp

C:\Users\user\AppData\Local\Temp\tmp63CD.tmp

C:\Users\user\AppData\Local\Temp\tmp690.tmp

C:\Users\user\AppData\Local\Temp\tmp8832.tmp

Windows Analysis Report
APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre