Edit tour

Windows Analysis Report
APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

Overview

General Information

Sample Name:	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Analysis ID:	714049
MD5:	c5ca6bf1a4d668abae8a1bd58da7fa89
SHA1:	1fb0c57d1ea566b703be21a5dd2334166f5a918e
SHA256:	f360431bc55ce6bbbd77f26a9bcb86b6267c3b82220d06ee4c67b44be2273735
Tags:	exeNanoCoreRAT
Infos:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Yara detected AntiVM3

Detected Nanocore Rat

Sigma detected: Scheduled temp file as task from temp location

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Yara detected Nanocore RAT

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

.NET source code contains very large strings

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Creates processes with suspicious names

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe (PID: 3256 cmdline: "C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe" MD5: C5CA6BF1A4D668ABAE8A1BD58DA7FA89)

schtasks.exe (PID: 1592 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JLsbuY" /XML "C:\Users\user\AppData\Local\Temp\tmp8832.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 2188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe (PID: 4128 cmdline: {path} MD5: C5CA6BF1A4D668ABAE8A1BD58DA7FA89)

schtasks.exe (PID: 5176 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp690.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 2264 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpA4B.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe (PID: 3260 cmdline: "C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe" 0 MD5: C5CA6BF1A4D668ABAE8A1BD58DA7FA89)

schtasks.exe (PID: 3736 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JLsbuY" /XML "C:\Users\user\AppData\Local\Temp\tmp2889.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 4748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe (PID: 5000 cmdline: {path} MD5: C5CA6BF1A4D668ABAE8A1BD58DA7FA89)

dhcpmon.exe (PID: 1680 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0 MD5: C5CA6BF1A4D668ABAE8A1BD58DA7FA89)

schtasks.exe (PID: 920 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JLsbuY" /XML "C:\Users\user\AppData\Local\Temp\tmp2B48.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 2220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 1276 cmdline: {path} MD5: C5CA6BF1A4D668ABAE8A1BD58DA7FA89)

dhcpmon.exe (PID: 2068 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: C5CA6BF1A4D668ABAE8A1BD58DA7FA89)

schtasks.exe (PID: 5716 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JLsbuY" /XML "C:\Users\user\AppData\Local\Temp\tmp63CD.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 4616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 2760 cmdline: {path} MD5: C5CA6BF1A4D668ABAE8A1BD58DA7FA89)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "bcd7727e-ef56-4958-8ed9-949f5c5e", "Group": "Default", "Domain1": "godisgood1.hopto.org", "Domain2": "185.225.73.164", "Port": 7712, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.594571838.00000000072D0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
00000003.00000002.594571838.00000000072D0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
00000003.00000002.594571838.00000000072D0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1f1b2:$x2: NanoCore.ClientPlugin 0x1f1db:$x3: NanoCore.ClientPluginHost 0x1f1a3:$i3: IClientNetwork 0x1f1c8:$i6: IClientLoggingHost 0x1f1f5:$i7: IClientNetworkHost 0x1f208:$i8: IClientUIHost 0x1ef12:$s1: ClientPlugin 0x1f1bb:$s1: ClientPlugin
00000003.00000002.594571838.00000000072D0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1f1db:$a1: NanoCore.ClientPluginHost 0x1f1b2:$a2: NanoCore.ClientPlugin 0x24206:$b7: LogClientException 0x1f1c8:$b9: IClientLoggingHost
00000003.00000002.594469574.00000000072C0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
00000003.00000002.594469574.00000000072C0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
00000003.00000002.594469574.00000000072C0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x34e2:$x2: NanoCore.ClientPlugin 0x350b:$x3: NanoCore.ClientPluginHost 0x34d3:$i3: IClientNetwork 0x34f8:$i6: IClientLoggingHost 0x3525:$i7: IClientNetworkHost 0x334e:$s1: ClientPlugin 0x34eb:$s1: ClientPlugin
00000003.00000002.594469574.00000000072C0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x350b:$a1: NanoCore.ClientPluginHost 0x34e2:$a2: NanoCore.ClientPlugin 0x5854:$b7: LogClientException 0x34f8:$b9: IClientLoggingHost
00000003.00000002.593893494.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
00000003.00000002.593893494.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
00000003.00000002.593893494.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x227f:$x2: NanoCore.ClientPlugin 0x2205:$x3: NanoCore.ClientPluginHost 0x2295:$i3: IClientNetwork 0x221f:$i6: IClientLoggingHost 0x223e:$i7: IClientNetworkHost 0x1f9f:$s1: ClientPlugin 0x2288:$s1: ClientPlugin
00000003.00000002.593893494.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2205:$a1: NanoCore.ClientPluginHost 0x227f:$a2: NanoCore.ClientPlugin 0x29a0:$b7: LogClientException 0x221f:$b9: IClientLoggingHost
00000003.00000002.590737920.0000000005CC0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
00000003.00000002.590737920.0000000005CC0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
00000003.00000002.590737920.0000000005CC0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x4b96:$x2: NanoCore.ClientPlugin 0x4bbb:$x3: NanoCore.ClientPluginHost 0x4b87:$i3: IClientNetwork 0x4bac:$i4: IClientAppHost 0x4bd5:$i5: IClientDataHost 0x4be5:$i7: IClientNetworkHost 0x4bf8:$i9: IClientNameObjectCollection 0x4c1d:$i10: IClientReadOnlyNameObjectCollection 0x49ce:$s1: ClientPlugin 0x4b9f:$s1: ClientPlugin
00000003.00000002.590737920.0000000005CC0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4bbb:$a1: NanoCore.ClientPluginHost 0x4b96:$a2: NanoCore.ClientPlugin 0x8558:$b1: get_BuilderSettings 0x4bac:$b4: IClientAppHost
00000003.00000002.593817105.0000000006FE0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
00000003.00000002.593817105.0000000006FE0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
00000003.00000002.593817105.0000000006FE0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x13f2:$x2: NanoCore.ClientPlugin 0x13a8:$x3: NanoCore.ClientPluginHost 0x1408:$i3: IClientNetwork 0x13c2:$i6: IClientLoggingHost 0x1185:$s1: ClientPlugin 0x13fb:$s1: ClientPlugin
00000003.00000002.593817105.0000000006FE0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x13a8:$a1: NanoCore.ClientPluginHost 0x13f2:$a2: NanoCore.ClientPlugin 0x13c2:$b9: IClientLoggingHost
00000003.00000003.376885871.0000000006301000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x26b4:$a1: NanoCore.ClientPluginHost 0x268f:$a2: NanoCore.ClientPlugin 0x26a5:$b4: IClientAppHost 0x6b94:$b7: LogClientException 0x26de:$b9: IClientLoggingHost
00000011.00000002.500556457.0000000003E59000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000011.00000002.500556457.0000000003E59000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x435bd:$a: NanoCore 0x43616:$a: NanoCore 0x43653:$a: NanoCore 0x436cc:$a: NanoCore 0x56d77:$a: NanoCore 0x56d8c:$a: NanoCore 0x56dc1:$a: NanoCore 0x6fd63:$a: NanoCore 0x6fd78:$a: NanoCore 0x6fdad:$a: NanoCore 0x4361f:$b: ClientPlugin 0x4365c:$b: ClientPlugin 0x43f5a:$b: ClientPlugin 0x43f67:$b: ClientPlugin 0x56b33:$b: ClientPlugin 0x56b4e:$b: ClientPlugin 0x56b7e:$b: ClientPlugin 0x56d95:$b: ClientPlugin 0x56dca:$b: ClientPlugin 0x6fb1f:$b: ClientPlugin 0x6fb3a:$b: ClientPlugin
00000011.00000002.500556457.0000000003E59000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x43653:$a1: NanoCore.ClientPluginHost 0x56dc1:$a1: NanoCore.ClientPluginHost 0x6fdad:$a1: NanoCore.ClientPluginHost 0x43616:$a2: NanoCore.ClientPlugin 0x56d8c:$a2: NanoCore.ClientPlugin 0x6fd78:$a2: NanoCore.ClientPlugin 0x439ea:$b1: get_BuilderSettings 0x5bd07:$b1: get_BuilderSettings 0x74cf3:$b1: get_BuilderSettings 0x436a1:$b4: IClientAppHost 0x43a5b:$b6: AddHostEntry 0x43aca:$b7: LogClientException 0x5bc76:$b7: LogClientException 0x74c62:$b7: LogClientException 0x43a3f:$b8: PipeExists 0x4368e:$b9: IClientLoggingHost 0x56ddb:$b9: IClientLoggingHost 0x6fdc7:$b9: IClientLoggingHost
00000003.00000002.590108854.0000000005280000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000003.00000002.590108854.0000000005280000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000003.00000002.590108854.0000000005280000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000003.00000002.590108854.0000000005280000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
00000003.00000002.590108854.0000000005280000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost
00000003.00000002.594220234.00000000072A0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
00000003.00000002.594220234.00000000072A0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
00000003.00000002.594220234.00000000072A0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b70:$x2: NanoCore.ClientPlugin 0x5b99:$x3: NanoCore.ClientPluginHost 0x5b61:$i3: IClientNetwork 0x5b86:$i6: IClientLoggingHost 0x5bb3:$i7: IClientNetworkHost 0x59d4:$s1: ClientPlugin 0x5b79:$s1: ClientPlugin 0x5e84:$s2: EndPoint 0x5e8d:$s3: IPAddress 0x5e97:$s4: IPEndPoint
00000003.00000002.594220234.00000000072A0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b99:$a1: NanoCore.ClientPluginHost 0x5b70:$a2: NanoCore.ClientPlugin 0x5b86:$b9: IClientLoggingHost
00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xc7a3:$a: NanoCore 0xc7fc:$a: NanoCore 0xc82f:$a: NanoCore 0xca5b:$a: NanoCore 0xcad7:$a: NanoCore 0xd0f0:$a: NanoCore 0xd239:$a: NanoCore 0xd70d:$a: NanoCore 0xd9f4:$a: NanoCore 0xda0b:$a: NanoCore 0x168ef:$a: NanoCore 0x1696b:$a: NanoCore 0x1924e:$a: NanoCore 0x1da00:$a: NanoCore 0x1da4a:$a: NanoCore 0x1e6a4:$a: NanoCore 0x23ccd:$a: NanoCore 0x23d47:$a: NanoCore 0x2e31f:$a: NanoCore 0x2e409:$a: NanoCore 0x2f280:$a: NanoCore
00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xca5b:$a1: NanoCore.ClientPluginHost 0x168ef:$a1: NanoCore.ClientPluginHost 0x1da00:$a1: NanoCore.ClientPluginHost 0x23ccd:$a1: NanoCore.ClientPluginHost 0x2e31f:$a1: NanoCore.ClientPluginHost 0x3878f:$a1: NanoCore.ClientPluginHost 0x437b5:$a1: NanoCore.ClientPluginHost 0x4f59f:$a1: NanoCore.ClientPluginHost 0x5b35e:$a1: NanoCore.ClientPluginHost 0xcad7:$a2: NanoCore.ClientPlugin 0x1696b:$a2: NanoCore.ClientPlugin 0x1da4a:$a2: NanoCore.ClientPlugin 0x23d47:$a2: NanoCore.ClientPlugin 0x2e409:$a2: NanoCore.ClientPlugin 0x3882f:$a2: NanoCore.ClientPlugin 0x4378c:$a2: NanoCore.ClientPlugin 0x4f576:$a2: NanoCore.ClientPlugin 0x5b339:$a2: NanoCore.ClientPlugin 0x5b34f:$b4: IClientAppHost 0x174f4:$b7: LogClientException 0x24468:$b7: LogClientException
00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xb4197:$a: NanoCore 0xb41bc:$a: NanoCore 0xb4215:$a: NanoCore 0xc43b4:$a: NanoCore 0xc43da:$a: NanoCore 0xc4436:$a: NanoCore 0xd128d:$a: NanoCore 0xd12e6:$a: NanoCore 0xd1319:$a: NanoCore 0xd1545:$a: NanoCore 0xd15c1:$a: NanoCore 0xd1bda:$a: NanoCore 0xd1d23:$a: NanoCore 0xd21f7:$a: NanoCore 0xd24de:$a: NanoCore 0xd24f5:$a: NanoCore 0xdb399:$a: NanoCore 0xdb415:$a: NanoCore 0xddcf8:$a: NanoCore 0xe10aa:$a: NanoCore 0xe2466:$a: NanoCore
00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb41bc:$a1: NanoCore.ClientPluginHost 0xc43da:$a1: NanoCore.ClientPluginHost 0xd1545:$a1: NanoCore.ClientPluginHost 0xdb399:$a1: NanoCore.ClientPluginHost 0xe2466:$a1: NanoCore.ClientPluginHost 0xe86f1:$a1: NanoCore.ClientPluginHost 0xf2d02:$a1: NanoCore.ClientPluginHost 0xfd12f:$a1: NanoCore.ClientPluginHost 0x10810e:$a1: NanoCore.ClientPluginHost 0x113eb2:$a1: NanoCore.ClientPluginHost 0x138db8:$a1: NanoCore.ClientPluginHost 0x1481fa:$a1: NanoCore.ClientPluginHost 0x1514af:$a1: NanoCore.ClientPluginHost 0x164c1d:$a1: NanoCore.ClientPluginHost 0x172857:$a1: NanoCore.ClientPluginHost 0x182a73:$a1: NanoCore.ClientPluginHost 0x18fbdc:$a1: NanoCore.ClientPluginHost 0x1952cf:$a1: NanoCore.ClientPluginHost 0x19b558:$a1: NanoCore.ClientPluginHost 0x1a5b67:$a1: NanoCore.ClientPluginHost 0x1aff92:$a1: NanoCore.ClientPluginHost
00000011.00000002.497822993.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000011.00000002.497822993.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x69617:$a: NanoCore 0x69670:$a: NanoCore 0x696ad:$a: NanoCore 0x69726:$a: NanoCore 0x69679:$b: ClientPlugin 0x696b6:$b: ClientPlugin 0x69fb4:$b: ClientPlugin 0x69fc1:$b: ClientPlugin 0x5f795:$e: KeepAlive 0x69b01:$g: LogClientMessage 0x69a81:$i: get_Connected 0x59a4d:$j: #=q 0x59a7d:$j: #=q 0x59ab9:$j: #=q 0x59ae1:$j: #=q 0x59b11:$j: #=q 0x59b41:$j: #=q 0x59b71:$j: #=q 0x59ba1:$j: #=q 0x59bbd:$j: #=q 0x59bed:$j: #=q
00000011.00000002.497822993.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x696ad:$a1: NanoCore.ClientPluginHost 0x69670:$a2: NanoCore.ClientPlugin 0x5af87:$b1: get_BuilderSettings 0x69a44:$b1: get_BuilderSettings 0x696fb:$b4: IClientAppHost 0x69ab5:$b6: AddHostEntry 0x5aef6:$b7: LogClientException 0x69b24:$b7: LogClientException 0x69a99:$b8: PipeExists 0x696e8:$b9: IClientLoggingHost
00000003.00000002.584965011.0000000003CAE000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x557bf:$a: NanoCore 0x558a9:$a: NanoCore 0x56720:$a: NanoCore 0x5f8ca:$a: NanoCore 0x5f92b:$a: NanoCore 0x5f96e:$a: NanoCore 0x5f9ae:$a: NanoCore 0x5fbea:$a: NanoCore 0x5fc8a:$a: NanoCore 0x60462:$a: NanoCore 0x60a55:$a: NanoCore 0x60ba6:$a: NanoCore 0x61a00:$a: NanoCore 0x61c67:$a: NanoCore 0x61c7c:$a: NanoCore 0x61c9b:$a: NanoCore 0x6ab9e:$a: NanoCore 0x6abc7:$a: NanoCore 0x76940:$a: NanoCore 0x76969:$a: NanoCore 0x9b82c:$a: NanoCore
00000003.00000002.584965011.0000000003CAE000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x557bf:$a1: NanoCore.ClientPluginHost 0x5fbea:$a1: NanoCore.ClientPluginHost 0x6abc7:$a1: NanoCore.ClientPluginHost 0x76969:$a1: NanoCore.ClientPluginHost 0x9b86d:$a1: NanoCore.ClientPluginHost 0xaacad:$a1: NanoCore.ClientPluginHost 0x558a9:$a2: NanoCore.ClientPlugin 0x5fc8a:$a2: NanoCore.ClientPlugin 0x6ab9e:$a2: NanoCore.ClientPlugin 0x76940:$a2: NanoCore.ClientPlugin 0x9b844:$a2: NanoCore.ClientPlugin 0xaac88:$a2: NanoCore.ClientPlugin 0xaac9e:$b4: IClientAppHost 0x57102:$b7: LogClientException 0x609e0:$b7: LogClientException 0x78cb2:$b7: LogClientException 0xa0898:$b7: LogClientException 0xaf18d:$b7: LogClientException 0x56715:$b8: PipeExists 0x557d9:$b9: IClientLoggingHost 0x5fc04:$b9: IClientLoggingHost
00000003.00000002.590874533.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
00000003.00000002.590874533.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
00000003.00000002.590874533.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x8b7f:$x2: NanoCore.ClientPlugin 0x8ba5:$x3: NanoCore.ClientPluginHost 0x8b70:$i3: IClientNetwork 0x8b95:$i5: IClientDataHost 0x8bbf:$i6: IClientLoggingHost 0x8bd2:$i7: IClientNetworkHost 0x8be5:$i9: IClientNameObjectCollection 0x8902:$s1: ClientPlugin 0x8b88:$s1: ClientPlugin
00000003.00000002.590874533.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x8ba5:$a1: NanoCore.ClientPluginHost 0x8b7f:$a2: NanoCore.ClientPlugin 0x8bbf:$b9: IClientLoggingHost
00000003.00000002.593962047.0000000007000000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
00000003.00000002.593962047.0000000007000000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
00000003.00000002.593962047.0000000007000000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5ad5:$x2: NanoCore.ClientPlugin 0x59eb:$x3: NanoCore.ClientPluginHost 0x5aeb:$i3: IClientNetwork 0x5a24:$i5: IClientDataHost 0x5a05:$i6: IClientLoggingHost 0x5b48:$i7: IClientNetworkHost 0x5a43:$i8: IClientUIHost 0x6955:$i9: IClientNameObjectCollection 0x54fc:$s1: ClientPlugin 0x5ade:$s1: ClientPlugin 0x6971:$s6: get_ClientSettings
00000003.00000002.593962047.0000000007000000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x59eb:$a1: NanoCore.ClientPluginHost 0x5ad5:$a2: NanoCore.ClientPlugin 0x732e:$b7: LogClientException 0x6941:$b8: PipeExists 0x5a05:$b9: IClientLoggingHost
00000003.00000002.594928792.0000000007310000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
00000003.00000002.594928792.0000000007310000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
00000003.00000002.594928792.0000000007310000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5fc9:$x2: NanoCore.ClientPlugin 0x5fee:$x3: NanoCore.ClientPluginHost 0x5fba:$i3: IClientNetwork 0x5fdf:$i4: IClientAppHost 0x6008:$i5: IClientDataHost 0x6018:$i6: IClientLoggingHost 0x602b:$i7: IClientNetworkHost 0x603e:$i8: IClientUIHost 0x604c:$i9: IClientNameObjectCollection 0x5d70:$s1: ClientPlugin 0x5fd2:$s1: ClientPlugin
00000003.00000002.594928792.0000000007310000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5fee:$a1: NanoCore.ClientPluginHost 0x5fc9:$a2: NanoCore.ClientPlugin 0x5fdf:$b4: IClientAppHost 0xa4ce:$b7: LogClientException 0x6018:$b9: IClientLoggingHost
00000003.00000002.594066194.0000000007010000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
00000003.00000002.594066194.0000000007010000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
00000003.00000002.594066194.0000000007010000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3a8b:$x2: NanoCore.ClientPlugin 0x39eb:$x3: NanoCore.ClientPluginHost 0x3aa1:$i3: IClientNetwork 0x3a43:$i5: IClientDataHost 0x3a05:$i6: IClientLoggingHost 0x3a24:$i7: IClientNetworkHost 0x426c:$i9: IClientNameObjectCollection 0x3741:$s1: ClientPlugin 0x3a94:$s1: ClientPlugin 0x4680:$s2: EndPoint 0x4371:$s3: IPAddress 0x3c83:$s4: IPEndPoint 0x43a3:$s7: get_Connected
00000003.00000002.594066194.0000000007010000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x39eb:$a1: NanoCore.ClientPluginHost 0x3a8b:$a2: NanoCore.ClientPlugin 0x47e1:$b7: LogClientException 0x3a05:$b9: IClientLoggingHost
00000000.00000002.351210930.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xc86dd:$x1: NanoCore.ClientPluginHost 0xc871a:$x2: IClientNetworkHost 0xcc24d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.351210930.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.351210930.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xc8445:$a: NanoCore 0xc8455:$a: NanoCore 0xc8689:$a: NanoCore 0xc869d:$a: NanoCore 0xc86dd:$a: NanoCore 0xc84a4:$b: ClientPlugin 0xc86a6:$b: ClientPlugin 0xc86e6:$b: ClientPlugin 0xc85cb:$c: ProjectData 0xc8fd2:$d: DESCrypto 0xd099e:$e: KeepAlive 0xce98c:$g: LogClientMessage 0xcab87:$i: get_Connected 0xc9308:$j: #=q 0xc9338:$j: #=q 0xc9354:$j: #=q 0xc9384:$j: #=q 0xc93a0:$j: #=q 0xc93bc:$j: #=q 0xc93ec:$j: #=q 0xc9408:$j: #=q
00000000.00000002.351210930.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xc86dd:$a1: NanoCore.ClientPluginHost 0xc869d:$a2: NanoCore.ClientPlugin 0xca5f6:$b1: get_BuilderSettings 0xc84f9:$b2: ClientLoaderForm.resources 0xc9d16:$b3: PluginCommand 0xc86ce:$b4: IClientAppHost 0xd2b4e:$b5: GetBlockHash 0xcac4e:$b6: AddHostEntry 0xce941:$b7: LogClientException 0xcabbb:$b8: PipeExists 0xc8707:$b9: IClientLoggingHost
00000003.00000000.343643595.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000003.00000000.343643595.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000003.00000000.343643595.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000003.00000000.343643595.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xff8d:$a1: NanoCore.ClientPluginHost 0xff4d:$a2: NanoCore.ClientPlugin 0x11ea6:$b1: get_BuilderSettings 0xfda9:$b2: ClientLoaderForm.resources 0x115c6:$b3: PluginCommand 0xff7e:$b4: IClientAppHost 0x1a3fe:$b5: GetBlockHash 0x124fe:$b6: AddHostEntry 0x161f1:$b7: LogClientException 0x1246b:$b8: PipeExists 0xffb7:$b9: IClientLoggingHost
00000003.00000002.593436718.0000000006E80000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
00000003.00000002.593436718.0000000006E80000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b0b:$x2: NanoCore.ClientPluginHost 0x5c0f:$s4: PipeCreated 0x5b25:$s5: IClientLoggingHost
00000003.00000002.593436718.0000000006E80000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b87:$x2: NanoCore.ClientPlugin 0x5b0b:$x3: NanoCore.ClientPluginHost 0x5b9d:$i3: IClientNetwork 0x5b25:$i6: IClientLoggingHost 0x5b44:$i7: IClientNetworkHost 0x57fb:$s1: ClientPlugin 0x5b90:$s1: ClientPlugin 0x6cf4:$s3: IPAddress
00000003.00000002.593436718.0000000006E80000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b0b:$a1: NanoCore.ClientPluginHost 0x5b87:$a2: NanoCore.ClientPlugin 0x6710:$b7: LogClientException 0x5b25:$b9: IClientLoggingHost
00000003.00000002.592602875.0000000006540000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
00000003.00000002.592602875.0000000006540000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
00000003.00000002.592602875.0000000006540000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x175f:$x2: NanoCore.ClientPlugin 0x16e3:$x3: NanoCore.ClientPluginHost 0x1775:$i3: IClientNetwork 0x16fd:$i6: IClientLoggingHost 0x171c:$i7: IClientNetworkHost 0x1491:$s1: ClientPlugin 0x1768:$s1: ClientPlugin
00000003.00000002.592602875.0000000006540000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x16e3:$a1: NanoCore.ClientPluginHost 0x175f:$a2: NanoCore.ClientPlugin 0x16fd:$b9: IClientLoggingHost
00000003.00000002.589979363.0000000005050000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000003.00000002.589979363.0000000005050000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000003.00000002.589979363.0000000005050000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
00000003.00000002.589979363.0000000005050000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
00000003.00000002.580783944.00000000039C1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x27b0b:$a1: NanoCore.ClientPluginHost 0x27ae2:$a2: NanoCore.ClientPlugin 0x2cb36:$b7: LogClientException 0x27af8:$b9: IClientLoggingHost
00000012.00000002.502379246.0000000003271000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000012.00000002.502379246.0000000003271000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x69437:$a: NanoCore 0x69490:$a: NanoCore 0x694cd:$a: NanoCore 0x69546:$a: NanoCore 0x69499:$b: ClientPlugin 0x694d6:$b: ClientPlugin 0x69dd4:$b: ClientPlugin 0x69de1:$b: ClientPlugin 0x5f5b5:$e: KeepAlive 0x69921:$g: LogClientMessage 0x698a1:$i: get_Connected 0x5986d:$j: #=q 0x5989d:$j: #=q 0x598d9:$j: #=q 0x59901:$j: #=q 0x59931:$j: #=q 0x59961:$j: #=q 0x59991:$j: #=q 0x599c1:$j: #=q 0x599dd:$j: #=q 0x59a0d:$j: #=q
00000012.00000002.502379246.0000000003271000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x694cd:$a1: NanoCore.ClientPluginHost 0x69490:$a2: NanoCore.ClientPlugin 0x5ada7:$b1: get_BuilderSettings 0x69864:$b1: get_BuilderSettings 0x6951b:$b4: IClientAppHost 0x698d5:$b6: AddHostEntry 0x5ad16:$b7: LogClientException 0x69944:$b7: LogClientException 0x698b9:$b8: PipeExists 0x69508:$b9: IClientLoggingHost
00000003.00000002.572765724.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000003.00000002.572765724.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3bda3:$a: NanoCore 0x3bdfc:$a: NanoCore 0x3be39:$a: NanoCore 0x3beb2:$a: NanoCore 0x50816:$a: NanoCore 0x5083b:$a: NanoCore 0x50894:$a: NanoCore 0x60aaf:$a: NanoCore 0x60ad5:$a: NanoCore 0x60b31:$a: NanoCore 0x3be05:$b: ClientPlugin 0x3be42:$b: ClientPlugin 0x3c740:$b: ClientPlugin 0x3c74d:$b: ClientPlugin 0x5060d:$b: ClientPlugin 0x5061e:$b: ClientPlugin 0x5064e:$b: ClientPlugin 0x5081f:$b: ClientPlugin 0x50844:$b: ClientPlugin 0x607eb:$b: ClientPlugin 0x60802:$b: ClientPlugin
00000003.00000002.572765724.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3be39:$a1: NanoCore.ClientPluginHost 0x5083b:$a1: NanoCore.ClientPluginHost 0x60ad5:$a1: NanoCore.ClientPluginHost 0x3bdfc:$a2: NanoCore.ClientPlugin 0x50816:$a2: NanoCore.ClientPlugin 0x60aaf:$a2: NanoCore.ClientPlugin 0x3c1d0:$b1: get_BuilderSettings 0x541d8:$b1: get_BuilderSettings 0x3be87:$b4: IClientAppHost 0x5082c:$b4: IClientAppHost 0x3c241:$b6: AddHostEntry 0x3c2b0:$b7: LogClientException 0x3c225:$b8: PipeExists 0x3be74:$b9: IClientLoggingHost 0x60aef:$b9: IClientLoggingHost
00000000.00000002.352245428.00000000035EE000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2153dd:$x1: NanoCore.ClientPluginHost 0x21541a:$x2: IClientNetworkHost 0x218f4d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.352245428.00000000035EE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.352245428.00000000035EE000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x215145:$a: NanoCore 0x215155:$a: NanoCore 0x215389:$a: NanoCore 0x21539d:$a: NanoCore 0x2153dd:$a: NanoCore 0x2151a4:$b: ClientPlugin 0x2153a6:$b: ClientPlugin 0x2153e6:$b: ClientPlugin 0x2152cb:$c: ProjectData 0x32d4a9:$c: ProjectData 0x36fe81:$c: ProjectData 0x215cd2:$d: DESCrypto 0x21d69e:$e: KeepAlive 0x21b68c:$g: LogClientMessage 0x217887:$i: get_Connected 0x216008:$j: #=q 0x216038:$j: #=q 0x216054:$j: #=q 0x216084:$j: #=q 0x2160a0:$j: #=q 0x2160bc:$j: #=q
00000000.00000002.352245428.00000000035EE000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2153dd:$a1: NanoCore.ClientPluginHost 0x21539d:$a2: NanoCore.ClientPlugin 0x2172f6:$b1: get_BuilderSettings 0x2151f9:$b2: ClientLoaderForm.resources 0x216a16:$b3: PluginCommand 0x2153ce:$b4: IClientAppHost 0x21f84e:$b5: GetBlockHash 0x21794e:$b6: AddHostEntry 0x21b641:$b7: LogClientException 0x2178bb:$b8: PipeExists 0x215407:$b9: IClientLoggingHost
Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 3256	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x128be3:$x1: NanoCore.ClientPluginHost 0x1ac19e:$x1: NanoCore.ClientPluginHost 0x128c20:$x2: IClientNetworkHost 0x1ac1db:$x2: IClientNetworkHost 0x12c711:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x137797:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1af940:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1ba8ac:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 3256	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x126ed8:$s5: AEAAAAMAAQqVT 0x50090:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV 0x104113:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV 0x126e49:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV 0x1f28f3:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 3256	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 3256	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 3256	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1288b0:$a: NanoCore 0x1288c0:$a: NanoCore 0x12897f:$a: NanoCore 0x12898e:$a: NanoCore 0x128b8f:$a: NanoCore 0x128ba3:$a: NanoCore 0x128be3:$a: NanoCore 0x133e01:$a: NanoCore 0x133e13:$a: NanoCore 0x133e4f:$a: NanoCore 0x1abeb5:$a: NanoCore 0x1abec5:$a: NanoCore 0x1abf3a:$a: NanoCore 0x1abf49:$a: NanoCore 0x1ac14a:$a: NanoCore 0x1ac15e:$a: NanoCore 0x1ac19e:$a: NanoCore 0x1b6f16:$a: NanoCore 0x1b6f28:$a: NanoCore 0x1b6f64:$a: NanoCore 0x12890f:$b: ClientPlugin
Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 3256	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x128be3:$a1: NanoCore.ClientPluginHost 0x1ac19e:$a1: NanoCore.ClientPluginHost 0x128ba3:$a2: NanoCore.ClientPlugin 0x1ac15e:$a2: NanoCore.ClientPlugin 0x12aaba:$b1: get_BuilderSettings 0x1adcf0:$b1: get_BuilderSettings 0x128964:$b2: ClientLoaderForm.resources 0x1abf1f:$b2: ClientLoaderForm.resources 0x12a1da:$b3: PluginCommand 0x1ad426:$b3: PluginCommand 0x128bd4:$b4: IClientAppHost 0x1ac18f:$b4: IClientAppHost 0x13300d:$b5: GetBlockHash 0x1b623c:$b5: GetBlockHash 0x12b112:$b6: AddHostEntry 0x136231:$b6: AddHostEntry 0x1ae341:$b6: AddHostEntry 0x1b9346:$b6: AddHostEntry 0x12ee05:$b7: LogClientException 0x139d72:$b7: LogClientException 0x1b2034:$b7: LogClientException
Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 4128	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe1ea:$x1: NanoCore.ClientPluginHost 0x1a7f4:$x1: NanoCore.ClientPluginHost 0x20f9d:$x1: NanoCore.ClientPluginHost 0x28fc0:$x1: NanoCore.ClientPluginHost 0x49a28:$x1: NanoCore.ClientPluginHost 0xd345d:$x1: NanoCore.ClientPluginHost 0xd7927:$x1: NanoCore.ClientPluginHost 0xf1e78:$x1: NanoCore.ClientPluginHost 0x11be61:$x1: NanoCore.ClientPluginHost 0x13f8f5:$x1: NanoCore.ClientPluginHost 0x17688a:$x1: NanoCore.ClientPluginHost 0x1893ea:$x1: NanoCore.ClientPluginHost 0x1939ac:$x1: NanoCore.ClientPluginHost 0x1a74a9:$x1: NanoCore.ClientPluginHost 0x1ac79f:$x1: NanoCore.ClientPluginHost 0x1c2cd9:$x1: NanoCore.ClientPluginHost 0x1c8368:$x1: NanoCore.ClientPluginHost 0x1d9469:$x1: NanoCore.ClientPluginHost 0x2116c0:$x1: NanoCore.ClientPluginHost 0xe204:$x2: IClientNetworkHost 0x1a80e:$x2: IClientNetworkHost
Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 4128	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 4128	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe1a9:$a: NanoCore 0xe1c1:$a: NanoCore 0xe1ea:$a: NanoCore 0x12fe2:$a: NanoCore 0x12ff8:$a: NanoCore 0x1301f:$a: NanoCore 0x1a7cb:$a: NanoCore 0x1a7f4:$a: NanoCore 0x1cce9:$a: NanoCore 0x1cd10:$a: NanoCore 0x20f9d:$a: NanoCore 0x21017:$a: NanoCore 0x21de6:$a: NanoCore 0x21e59:$a: NanoCore 0x28f9b:$a: NanoCore 0x28fc0:$a: NanoCore 0x29019:$a: NanoCore 0x2cab5:$a: NanoCore 0x2cad8:$a: NanoCore 0x2cb2d:$a: NanoCore 0x420c9:$a: NanoCore
Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 4128	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe1ea:$a1: NanoCore.ClientPluginHost 0x1a7f4:$a1: NanoCore.ClientPluginHost 0x20f9d:$a1: NanoCore.ClientPluginHost 0x28fc0:$a1: NanoCore.ClientPluginHost 0x49a28:$a1: NanoCore.ClientPluginHost 0xd345d:$a1: NanoCore.ClientPluginHost 0xd7927:$a1: NanoCore.ClientPluginHost 0xf1e78:$a1: NanoCore.ClientPluginHost 0x11be61:$a1: NanoCore.ClientPluginHost 0x13f8f5:$a1: NanoCore.ClientPluginHost 0x17688a:$a1: NanoCore.ClientPluginHost 0x1893ea:$a1: NanoCore.ClientPluginHost 0x1939ac:$a1: NanoCore.ClientPluginHost 0x1a74a9:$a1: NanoCore.ClientPluginHost 0x1ac79f:$a1: NanoCore.ClientPluginHost 0x1c2cd9:$a1: NanoCore.ClientPluginHost 0x1c8368:$a1: NanoCore.ClientPluginHost 0x1d9469:$a1: NanoCore.ClientPluginHost 0x2116c0:$a1: NanoCore.ClientPluginHost 0xe1c1:$a2: NanoCore.ClientPlugin 0x1a7cb:$a2: NanoCore.ClientPlugin
Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 3260	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x8f3e:$s5: AEAAAAMAAQqVT 0x8eaf:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV 0x2570c:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 3260	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: dhcpmon.exe PID: 1680	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x2cb21:$s5: AEAAAAMAAQqVT 0x202d5:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV 0x2ca92:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Process Memory Space: dhcpmon.exe PID: 1680	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: dhcpmon.exe PID: 2068	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x2cd64:$s5: AEAAAAMAAQqVT 0x56b3:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV 0x2ccd5:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Process Memory Space: dhcpmon.exe PID: 2068	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 5000	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 5000	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x5e65:$a: NanoCore 0x5ebe:$a: NanoCore 0x5efb:$a: NanoCore 0x5f74:$a: NanoCore 0x682d:$a: NanoCore 0x6880:$a: NanoCore 0x68b9:$a: NanoCore 0x692c:$a: NanoCore 0xdefe:$a: NanoCore 0xdf11:$a: NanoCore 0xdf43:$a: NanoCore 0x13c27:$a: NanoCore 0x13c3a:$a: NanoCore 0x13c6c:$a: NanoCore 0x1920e:$a: NanoCore 0x1926a:$a: NanoCore 0x192ea:$a: NanoCore 0x2ea7e:$a: NanoCore 0x2ead7:$a: NanoCore 0x2eb14:$a: NanoCore 0x2eb8d:$a: NanoCore
Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 5000	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5efb:$a1: NanoCore.ClientPluginHost 0x2eb14:$a1: NanoCore.ClientPluginHost 0x5ebe:$a2: NanoCore.ClientPlugin 0x2ead7:$a2: NanoCore.ClientPlugin 0x6275:$b1: get_BuilderSettings 0x28269:$b1: get_BuilderSettings 0x5f49:$b4: IClientAppHost 0x2eb62:$b4: IClientAppHost 0x62e6:$b6: AddHostEntry 0x2ee75:$b6: AddHostEntry 0x6355:$b7: LogClientException 0x281d8:$b7: LogClientException 0x62ca:$b8: PipeExists 0x2ee59:$b8: PipeExists 0x5f36:$b9: IClientLoggingHost 0x2eb4f:$b9: IClientLoggingHost
Process Memory Space: dhcpmon.exe PID: 1276	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 1276	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4080:$a: NanoCore 0xaba9:$a: NanoCore 0xabbd:$a: NanoCore 0xb888:$a: NanoCore 0x14b99:$a: NanoCore 0x14bf5:$a: NanoCore 0x14c7d:$a: NanoCore 0x2a6a0:$a: NanoCore 0x2a6f9:$a: NanoCore 0x2a736:$a: NanoCore 0x2a7af:$a: NanoCore 0x2af3d:$a: NanoCore 0x2af90:$a: NanoCore 0x2afc9:$a: NanoCore 0x2b03c:$a: NanoCore 0x2bbfe:$a: NanoCore 0x25a03:$b: ClientPlugin 0x25a44:$b: ClientPlugin 0x2a702:$b: ClientPlugin 0x2a73f:$b: ClientPlugin 0x2aeed:$b: ClientPlugin
Process Memory Space: dhcpmon.exe PID: 1276	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2a736:$a1: NanoCore.ClientPluginHost 0x2a6f9:$a2: NanoCore.ClientPlugin 0x23e8b:$b1: get_BuilderSettings 0x2a784:$b4: IClientAppHost 0x2aa97:$b6: AddHostEntry 0x23dfa:$b7: LogClientException 0x2aa7b:$b8: PipeExists 0x2a771:$b9: IClientLoggingHost
Click to see the 107 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a6dde4.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3f0b:$x1: NanoCore.ClientPluginHost 0x921c:$x1: NanoCore.ClientPluginHost 0x3f44:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a6dde4.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3f0b:$x2: NanoCore.ClientPluginHost 0x921c:$x2: NanoCore.ClientPluginHost 0x400f:$s4: PipeCreated 0x92fa:$s4: PipeCreated 0x3f25:$s5: IClientLoggingHost 0x9236:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a6dde4.5.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3f87:$x2: NanoCore.ClientPlugin 0x9266:$x2: NanoCore.ClientPlugin 0x3f0b:$x3: NanoCore.ClientPluginHost 0x921c:$x3: NanoCore.ClientPluginHost 0x3f9d:$i3: IClientNetwork 0x927c:$i3: IClientNetwork 0x3f25:$i6: IClientLoggingHost 0x9236:$i6: IClientLoggingHost 0x3f44:$i7: IClientNetworkHost 0x3bfb:$s1: ClientPlugin 0x3f90:$s1: ClientPlugin 0x8ff9:$s1: ClientPlugin 0x926f:$s1: ClientPlugin 0x50f4:$s3: IPAddress
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a6dde4.5.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3f0b:$a1: NanoCore.ClientPluginHost 0x921c:$a1: NanoCore.ClientPluginHost 0x3f87:$a2: NanoCore.ClientPlugin 0x9266:$a2: NanoCore.ClientPlugin 0x4b10:$b7: LogClientException 0x3f25:$b9: IClientLoggingHost 0x9236:$b9: IClientLoggingHost
17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2eb9838.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2eb9838.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2eb9838.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2eb9838.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7010000.27.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1deb:$x1: NanoCore.ClientPluginHost 0x1e24:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7010000.27.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1deb:$x2: NanoCore.ClientPluginHost 0x1f36:$s4: PipeCreated 0x1e05:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7010000.27.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1e8b:$x2: NanoCore.ClientPlugin 0x1deb:$x3: NanoCore.ClientPluginHost 0x1ea1:$i3: IClientNetwork 0x1e43:$i5: IClientDataHost 0x1e05:$i6: IClientLoggingHost 0x1e24:$i7: IClientNetworkHost 0x266c:$i9: IClientNameObjectCollection 0x1b41:$s1: ClientPlugin 0x1e94:$s1: ClientPlugin 0x2a80:$s2: EndPoint 0x2771:$s3: IPAddress 0x2083:$s4: IPEndPoint 0x27a3:$s7: get_Connected
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7010000.27.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1deb:$a1: NanoCore.ClientPluginHost 0x1e8b:$a2: NanoCore.ClientPlugin 0x2be1:$b7: LogClientException 0x1e05:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cd0000.20.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cd0000.20.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cd0000.20.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x8b7f:$x2: NanoCore.ClientPlugin 0x8ba5:$x3: NanoCore.ClientPluginHost 0x8b70:$i3: IClientNetwork 0x8b95:$i5: IClientDataHost 0x8bbf:$i6: IClientLoggingHost 0x8bd2:$i7: IClientNetworkHost 0x8be5:$i9: IClientNameObjectCollection 0x8902:$s1: ClientPlugin 0x8b88:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cd0000.20.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x8ba5:$a1: NanoCore.ClientPluginHost 0x8b7f:$a2: NanoCore.ClientPlugin 0x8bbf:$b9: IClientLoggingHost
18.2.dhcpmon.exe.32d9658.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
18.2.dhcpmon.exe.32d9658.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
18.2.dhcpmon.exe.32d9658.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
18.2.dhcpmon.exe.32d9658.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d1302e.14.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3d99:$x1: NanoCore.ClientPluginHost 0xcd3b:$x1: NanoCore.ClientPluginHost 0x3db3:$x2: IClientNetworkHost 0xcd55:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d1302e.14.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3d99:$x2: NanoCore.ClientPluginHost 0xcd3b:$x2: NanoCore.ClientPluginHost 0x4dce:$s4: PipeCreated 0x3d86:$s5: IClientLoggingHost 0xcd28:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d1302e.14.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3d70:$x2: NanoCore.ClientPlugin 0xcd12:$x2: NanoCore.ClientPlugin 0x3d99:$x3: NanoCore.ClientPluginHost 0xcd3b:$x3: NanoCore.ClientPluginHost 0x3d61:$i3: IClientNetwork 0xcd03:$i3: IClientNetwork 0x3d86:$i6: IClientLoggingHost 0xcd28:$i6: IClientLoggingHost 0x3db3:$i7: IClientNetworkHost 0xcd55:$i7: IClientNetworkHost 0x3bd4:$s1: ClientPlugin 0x3d79:$s1: ClientPlugin 0xcb7e:$s1: ClientPlugin 0xcd1b:$s1: ClientPlugin 0x4084:$s2: EndPoint 0x408d:$s3: IPAddress 0x4097:$s4: IPEndPoint
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d1302e.14.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3d99:$a1: NanoCore.ClientPluginHost 0xcd3b:$a1: NanoCore.ClientPluginHost 0x3d70:$a2: NanoCore.ClientPlugin 0xcd12:$a2: NanoCore.ClientPlugin 0x3d86:$b9: IClientLoggingHost 0xcd28:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d0000.30.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d0000.30.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d0000.30.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1f1b2:$x2: NanoCore.ClientPlugin 0x1f1db:$x3: NanoCore.ClientPluginHost 0x1f1a3:$i3: IClientNetwork 0x1f1c8:$i6: IClientLoggingHost 0x1f1f5:$i7: IClientNetworkHost 0x1f208:$i8: IClientUIHost 0x1ef12:$s1: ClientPlugin 0x1f1bb:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d0000.30.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1f1db:$a1: NanoCore.ClientPluginHost 0x1f1b2:$a2: NanoCore.ClientPlugin 0x24206:$b7: LogClientException 0x1f1c8:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6ff0000.25.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x605:$x1: NanoCore.ClientPluginHost 0x63e:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6ff0000.25.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x605:$x2: NanoCore.ClientPluginHost 0x720:$s4: PipeCreated 0x61f:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6ff0000.25.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x67f:$x2: NanoCore.ClientPlugin 0x605:$x3: NanoCore.ClientPluginHost 0x695:$i3: IClientNetwork 0x61f:$i6: IClientLoggingHost 0x63e:$i7: IClientNetworkHost 0x688:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6ff0000.25.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x605:$a1: NanoCore.ClientPluginHost 0x67f:$a2: NanoCore.ClientPlugin 0xda0:$b7: LogClientException 0x61f:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a0cc80.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a0cc80.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a0cc80.2.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x2d96:$x2: NanoCore.ClientPlugin 0x2dbb:$x3: NanoCore.ClientPluginHost 0x2d87:$i3: IClientNetwork 0x2dac:$i4: IClientAppHost 0x2dd5:$i5: IClientDataHost 0x2de5:$i7: IClientNetworkHost 0x2df8:$i9: IClientNameObjectCollection 0x2e1d:$i10: IClientReadOnlyNameObjectCollection 0x2bce:$s1: ClientPlugin 0x2d9f:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a0cc80.2.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2dbb:$a1: NanoCore.ClientPluginHost 0x2d96:$a2: NanoCore.ClientPlugin 0x6758:$b1: get_BuilderSettings 0x2dac:$b4: IClientAppHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39ce5cf.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1a53c:$x1: NanoCore.ClientPluginHost 0x1a556:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39ce5cf.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1a53c:$x2: NanoCore.ClientPluginHost 0x1d879:$s4: PipeCreated 0x1a529:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39ce5cf.7.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1a513:$x2: NanoCore.ClientPlugin 0x1a53c:$x3: NanoCore.ClientPluginHost 0x1a504:$i3: IClientNetwork 0x1a529:$i6: IClientLoggingHost 0x1a556:$i7: IClientNetworkHost 0x1a569:$i8: IClientUIHost 0x1a273:$s1: ClientPlugin 0x1a51c:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39ce5cf.7.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1a53c:$a1: NanoCore.ClientPluginHost 0x1a513:$a2: NanoCore.ClientPlugin 0x1f567:$b7: LogClientException 0x1a529:$b9: IClientLoggingHost
0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5284629.18.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5284629.18.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5284629.18.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5284629.18.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0xb165:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin 0xb158:$s1: ClientPlugin 0x10179:$s6: get_ClientSettings
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5284629.18.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb184:$a1: NanoCore.ClientPluginHost 0xb14f:$a2: NanoCore.ClientPlugin 0x100ca:$b1: get_BuilderSettings 0x10039:$b7: LogClientException 0xb19e:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d0a1ff.15.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0xe9c8:$x1: NanoCore.ClientPluginHost 0x1a76a:$x1: NanoCore.ClientPluginHost 0x3f66e:$x1: NanoCore.ClientPluginHost 0x4eaae:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost 0xe9e2:$x2: IClientNetworkHost 0x1a784:$x2: IClientNetworkHost 0x3f688:$x2: IClientNetworkHost 0x4eaeb:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d0a1ff.15.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0xe9c8:$x2: NanoCore.ClientPluginHost 0x1a76a:$x2: NanoCore.ClientPluginHost 0x3f66e:$x2: NanoCore.ClientPluginHost 0x4eaae:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0xf9fd:$s4: PipeCreated 0x1c515:$s4: PipeCreated 0x429ab:$s4: PipeCreated 0x51f01:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost 0xe9b5:$s5: IClientLoggingHost 0x1a757:$s5: IClientLoggingHost 0x3f65b:$s5: IClientLoggingHost 0x4ead8:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d0a1ff.15.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3a8b:$x2: NanoCore.ClientPlugin 0xe99f:$x2: NanoCore.ClientPlugin 0x1a741:$x2: NanoCore.ClientPlugin 0x3f645:$x2: NanoCore.ClientPlugin 0x4ea89:$x2: NanoCore.ClientPlugin 0x39eb:$x3: NanoCore.ClientPluginHost 0xe9c8:$x3: NanoCore.ClientPluginHost 0x1a76a:$x3: NanoCore.ClientPluginHost 0x3f66e:$x3: NanoCore.ClientPluginHost 0x4eaae:$x3: NanoCore.ClientPluginHost 0x3aa1:$i3: IClientNetwork 0xe990:$i3: IClientNetwork 0x1a732:$i3: IClientNetwork 0x3f636:$i3: IClientNetwork 0x4ea7a:$i3: IClientNetwork 0x4ea9f:$i4: IClientAppHost 0x3a43:$i5: IClientDataHost 0x4eac8:$i5: IClientDataHost 0x3a05:$i6: IClientLoggingHost 0xe9b5:$i6: IClientLoggingHost 0x1a757:$i6: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d0a1ff.15.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x36cb:$a: NanoCore 0x372c:$a: NanoCore 0x376f:$a: NanoCore 0x37af:$a: NanoCore 0x39eb:$a: NanoCore 0x3a8b:$a: NanoCore 0x4263:$a: NanoCore 0x4856:$a: NanoCore 0x49a7:$a: NanoCore 0x5801:$a: NanoCore 0x5a68:$a: NanoCore 0x5a7d:$a: NanoCore 0x5a9c:$a: NanoCore 0xe99f:$a: NanoCore 0xe9c8:$a: NanoCore 0x1a741:$a: NanoCore 0x1a76a:$a: NanoCore 0x3f62d:$a: NanoCore 0x3f645:$a: NanoCore 0x3f66e:$a: NanoCore 0x4ea71:$a: NanoCore
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d0a1ff.15.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x39eb:$a1: NanoCore.ClientPluginHost 0xe9c8:$a1: NanoCore.ClientPluginHost 0x1a76a:$a1: NanoCore.ClientPluginHost 0x3f66e:$a1: NanoCore.ClientPluginHost 0x4eaae:$a1: NanoCore.ClientPluginHost 0x3a8b:$a2: NanoCore.ClientPlugin 0xe99f:$a2: NanoCore.ClientPlugin 0x1a741:$a2: NanoCore.ClientPlugin 0x3f645:$a2: NanoCore.ClientPlugin 0x4ea89:$a2: NanoCore.ClientPlugin 0x4ea9f:$b4: IClientAppHost 0x47e1:$b7: LogClientException 0x1cab3:$b7: LogClientException 0x44699:$b7: LogClientException 0x52f8e:$b7: LogClientException 0x3a05:$b9: IClientLoggingHost 0xe9b5:$b9: IClientLoggingHost 0x1a757:$b9: IClientLoggingHost 0x3f65b:$b9: IClientLoggingHost 0x4ead8:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d2145e.13.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x170b:$x1: NanoCore.ClientPluginHost 0x1725:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d2145e.13.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x170b:$x2: NanoCore.ClientPluginHost 0x34b6:$s4: PipeCreated 0x16f8:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d2145e.13.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x16e2:$x2: NanoCore.ClientPlugin 0x170b:$x3: NanoCore.ClientPluginHost 0x16d3:$i3: IClientNetwork 0x16f8:$i6: IClientLoggingHost 0x1725:$i7: IClientNetworkHost 0x154e:$s1: ClientPlugin 0x16eb:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d2145e.13.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x170b:$a1: NanoCore.ClientPluginHost 0x16e2:$a2: NanoCore.ClientPlugin 0x3a54:$b7: LogClientException 0x16f8:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39c9930.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39c9930.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39c9930.8.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1f1b2:$x2: NanoCore.ClientPlugin 0x1f1db:$x3: NanoCore.ClientPluginHost 0x1f1a3:$i3: IClientNetwork 0x1f1c8:$i6: IClientLoggingHost 0x1f1f5:$i7: IClientNetworkHost 0x1f208:$i8: IClientUIHost 0x1ef12:$s1: ClientPlugin 0x1f1bb:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7010000.27.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7010000.27.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39c9930.8.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1f1db:$a1: NanoCore.ClientPluginHost 0x1f1b2:$a2: NanoCore.ClientPlugin 0x24206:$b7: LogClientException 0x1f1c8:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7010000.27.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3a8b:$x2: NanoCore.ClientPlugin 0x39eb:$x3: NanoCore.ClientPluginHost 0x3aa1:$i3: IClientNetwork 0x3a43:$i5: IClientDataHost 0x3a05:$i6: IClientLoggingHost 0x3a24:$i7: IClientNetworkHost 0x426c:$i9: IClientNameObjectCollection 0x3741:$s1: ClientPlugin 0x3a94:$s1: ClientPlugin 0x4680:$s2: EndPoint 0x4371:$s3: IPAddress 0x3c83:$s4: IPEndPoint 0x43a3:$s7: get_Connected
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7010000.27.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x39eb:$a1: NanoCore.ClientPluginHost 0x3a8b:$a2: NanoCore.ClientPlugin 0x47e1:$b7: LogClientException 0x3a05:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b4b835.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b4b835.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b4b835.10.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x6d7f:$x2: NanoCore.ClientPlugin 0x6da5:$x3: NanoCore.ClientPluginHost 0x6d70:$i3: IClientNetwork 0x6d95:$i5: IClientDataHost 0x6dbf:$i6: IClientLoggingHost 0x6dd2:$i7: IClientNetworkHost 0x6de5:$i9: IClientNameObjectCollection 0x6b02:$s1: ClientPlugin 0x6d88:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b4b835.10.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x6da5:$a1: NanoCore.ClientPluginHost 0x6d7f:$a2: NanoCore.ClientPlugin 0x6dbf:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d0a1ff.15.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1deb:$x1: NanoCore.ClientPluginHost 0x1e24:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d0a1ff.15.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1deb:$x2: NanoCore.ClientPluginHost 0x1f36:$s4: PipeCreated 0x1e05:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d0a1ff.15.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1e8b:$x2: NanoCore.ClientPlugin 0x1deb:$x3: NanoCore.ClientPluginHost 0x1ea1:$i3: IClientNetwork 0x1e43:$i5: IClientDataHost 0x1e05:$i6: IClientLoggingHost 0x1e24:$i7: IClientNetworkHost 0x266c:$i9: IClientNameObjectCollection 0x1b41:$s1: ClientPlugin 0x1e94:$s1: ClientPlugin 0x2a80:$s2: EndPoint 0x2771:$s3: IPAddress 0x2083:$s4: IPEndPoint 0x27a3:$s7: get_Connected
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d0a1ff.15.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1deb:$a1: NanoCore.ClientPluginHost 0x1e8b:$a2: NanoCore.ClientPlugin 0x2be1:$b7: LogClientException 0x1e05:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cc0000.19.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cc0000.19.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cc0000.19.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x2d96:$x2: NanoCore.ClientPlugin 0x2dbb:$x3: NanoCore.ClientPluginHost 0x2d87:$i3: IClientNetwork 0x2dac:$i4: IClientAppHost 0x2dd5:$i5: IClientDataHost 0x2de5:$i7: IClientNetworkHost 0x2df8:$i9: IClientNameObjectCollection 0x2e1d:$i10: IClientReadOnlyNameObjectCollection 0x2bce:$s1: ClientPlugin 0x2d9f:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cc0000.19.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2dbb:$a1: NanoCore.ClientPluginHost 0x2d96:$a2: NanoCore.ClientPlugin 0x6758:$b1: get_BuilderSettings 0x2dac:$b4: IClientAppHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a18f30.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a18f30.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a18f30.1.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x6d7f:$x2: NanoCore.ClientPlugin 0x6da5:$x3: NanoCore.ClientPluginHost 0x6d70:$i3: IClientNetwork 0x6d95:$i5: IClientDataHost 0x6dbf:$i6: IClientLoggingHost 0x6dd2:$i7: IClientNetworkHost 0x6de5:$i9: IClientNameObjectCollection 0x6b02:$s1: ClientPlugin 0x6d88:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a18f30.1.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x6da5:$a1: NanoCore.ClientPluginHost 0x6d7f:$a2: NanoCore.ClientPlugin 0x6dbf:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0x128f3:$b1: get_BuilderSettings 0x12862:$b7: LogClientException 0xd9c7:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5050000.16.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5050000.16.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5050000.16.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5050000.16.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a79658.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3875:$x1: NanoCore.ClientPluginHost 0x38ae:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a79658.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3875:$x2: NanoCore.ClientPluginHost 0x3990:$s4: PipeCreated 0x388f:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a79658.3.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x38ef:$x2: NanoCore.ClientPlugin 0x3875:$x3: NanoCore.ClientPluginHost 0x3905:$i3: IClientNetwork 0x388f:$i6: IClientLoggingHost 0x38ae:$i7: IClientNetworkHost 0x360f:$s1: ClientPlugin 0x38f8:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a79658.3.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3875:$a1: NanoCore.ClientPluginHost 0x38ef:$a2: NanoCore.ClientPlugin 0x4010:$b7: LogClientException 0x388f:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b3f601.11.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b3f601.11.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b3f601.11.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x2d96:$x2: NanoCore.ClientPlugin 0x2dbb:$x3: NanoCore.ClientPluginHost 0x2d87:$i3: IClientNetwork 0x2dac:$i4: IClientAppHost 0x2dd5:$i5: IClientDataHost 0x2de5:$i7: IClientNetworkHost 0x2df8:$i9: IClientNameObjectCollection 0x2e1d:$i10: IClientReadOnlyNameObjectCollection 0x2bce:$s1: ClientPlugin 0x2d9f:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b3f601.11.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2dbb:$a1: NanoCore.ClientPluginHost 0x2d96:$a2: NanoCore.ClientPlugin 0x6758:$b1: get_BuilderSettings 0x2dac:$b4: IClientAppHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72a0000.28.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3d99:$x1: NanoCore.ClientPluginHost 0x3db3:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72a0000.28.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3d99:$x2: NanoCore.ClientPluginHost 0x4dce:$s4: PipeCreated 0x3d86:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72a0000.28.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3d70:$x2: NanoCore.ClientPlugin 0x3d99:$x3: NanoCore.ClientPluginHost 0x3d61:$i3: IClientNetwork 0x3d86:$i6: IClientLoggingHost 0x3db3:$i7: IClientNetworkHost 0x3bd4:$s1: ClientPlugin 0x3d79:$s1: ClientPlugin 0x4084:$s2: EndPoint 0x408d:$s3: IPAddress 0x4097:$s4: IPEndPoint
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72a0000.28.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3d99:$a1: NanoCore.ClientPluginHost 0x3d70:$a2: NanoCore.ClientPlugin 0x3d86:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72c0000.29.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x170b:$x1: NanoCore.ClientPluginHost 0x1725:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72c0000.29.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x170b:$x2: NanoCore.ClientPluginHost 0x34b6:$s4: PipeCreated 0x16f8:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72c0000.29.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x16e2:$x2: NanoCore.ClientPlugin 0x170b:$x3: NanoCore.ClientPluginHost 0x16d3:$i3: IClientNetwork 0x16f8:$i6: IClientLoggingHost 0x1725:$i7: IClientNetworkHost 0x154e:$s1: ClientPlugin 0x16eb:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72c0000.29.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x170b:$a1: NanoCore.ClientPluginHost 0x16e2:$a2: NanoCore.ClientPlugin 0x3a54:$b7: LogClientException 0x16f8:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6fe0000.24.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6fe0000.24.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6fe0000.24.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x13f2:$x2: NanoCore.ClientPlugin 0x13a8:$x3: NanoCore.ClientPluginHost 0x1408:$i3: IClientNetwork 0x13c2:$i6: IClientLoggingHost 0x1185:$s1: ClientPlugin 0x13fb:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6fe0000.24.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x13a8:$a1: NanoCore.ClientPluginHost 0x13f2:$a2: NanoCore.ClientPlugin 0x13c2:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cc0000.19.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cc0000.19.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cc0000.19.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x4b96:$x2: NanoCore.ClientPlugin 0x4bbb:$x3: NanoCore.ClientPluginHost 0x4b87:$i3: IClientNetwork 0x4bac:$i4: IClientAppHost 0x4bd5:$i5: IClientDataHost 0x4be5:$i7: IClientNetworkHost 0x4bf8:$i9: IClientNameObjectCollection 0x4c1d:$i10: IClientReadOnlyNameObjectCollection 0x49ce:$s1: ClientPlugin 0x4b9f:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cc0000.19.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4bbb:$a1: NanoCore.ClientPluginHost 0x4b96:$a2: NanoCore.ClientPlugin 0x8558:$b1: get_BuilderSettings 0x4bac:$b4: IClientAppHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d0000.30.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d0000.30.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d3db:$x2: NanoCore.ClientPluginHost 0x20718:$s4: PipeCreated 0x1d3c8:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d0000.30.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1d3b2:$x2: NanoCore.ClientPlugin 0x1d3db:$x3: NanoCore.ClientPluginHost 0x1d3a3:$i3: IClientNetwork 0x1d3c8:$i6: IClientLoggingHost 0x1d3f5:$i7: IClientNetworkHost 0x1d408:$i8: IClientUIHost 0x1d112:$s1: ClientPlugin 0x1d3bb:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d0000.30.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1d3db:$a1: NanoCore.ClientPluginHost 0x1d3b2:$a2: NanoCore.ClientPlugin 0x22406:$b7: LogClientException 0x1d3c8:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6e80000.23.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6e80000.23.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b0b:$x2: NanoCore.ClientPluginHost 0x5c0f:$s4: PipeCreated 0x5b25:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6e80000.23.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b87:$x2: NanoCore.ClientPlugin 0x5b0b:$x3: NanoCore.ClientPluginHost 0x5b9d:$i3: IClientNetwork 0x5b25:$i6: IClientLoggingHost 0x5b44:$i7: IClientNetworkHost 0x57fb:$s1: ClientPlugin 0x5b90:$s1: ClientPlugin 0x6cf4:$s3: IPAddress
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6e80000.23.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b0b:$a1: NanoCore.ClientPluginHost 0x5b87:$a2: NanoCore.ClientPlugin 0x6710:$b7: LogClientException 0x5b25:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6540000.22.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6540000.22.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6540000.22.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x175f:$x2: NanoCore.ClientPlugin 0x16e3:$x3: NanoCore.ClientPluginHost 0x1775:$i3: IClientNetwork 0x16fd:$i6: IClientLoggingHost 0x171c:$i7: IClientNetworkHost 0x1491:$s1: ClientPlugin 0x1768:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6540000.22.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x16e3:$a1: NanoCore.ClientPluginHost 0x175f:$a2: NanoCore.ClientPlugin 0x16fd:$b9: IClientLoggingHost
17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0x128f3:$b1: get_BuilderSettings 0x12862:$b7: LogClientException 0xd9c7:$b9: IClientLoggingHost
17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3e9b7de.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5cf:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d5fc:$x2: IClientNetworkHost
17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3e9b7de.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5cf:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6aa:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d5e9:$s5: IClientLoggingHost
17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3e9b7de.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3e9b7de.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0x145ae:$x2: NanoCore.ClientPlugin 0x2d59a:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0x145e3:$x3: NanoCore.ClientPluginHost 0x2d5cf:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0x145a2:$i2: IClientData 0x2d58e:$i2: IClientData 0xe29:$i3: IClientNetwork 0x145c4:$i3: IClientNetwork 0x2d5b0:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0x145d3:$i5: IClientDataHost 0x2d5bf:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0x145fd:$i6: IClientLoggingHost 0x2d5e9:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost
17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3e9b7de.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d585:$a: NanoCore 0x2d59a:$a: NanoCore 0x2d5cf:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d341:$b: ClientPlugin 0x2d35c:$b: ClientPlugin
17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3e9b7de.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0x145e3:$a1: NanoCore.ClientPluginHost 0x2d5cf:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x145ae:$a2: NanoCore.ClientPlugin 0x2d59a:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0x19529:$b1: get_BuilderSettings 0x32515:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x19498:$b7: LogClientException 0x32484:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost 0x145fd:$b9: IClientLoggingHost 0x2d5e9:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cd0000.20.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cd0000.20.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cd0000.20.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x6d7f:$x2: NanoCore.ClientPlugin 0x6da5:$x3: NanoCore.ClientPluginHost 0x6d70:$i3: IClientNetwork 0x6d95:$i5: IClientDataHost 0x6dbf:$i6: IClientLoggingHost 0x6dd2:$i7: IClientNetworkHost 0x6de5:$i9: IClientNameObjectCollection 0x6b02:$s1: ClientPlugin 0x6d88:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cd0000.20.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x6da5:$a1: NanoCore.ClientPluginHost 0x6d7f:$a2: NanoCore.ClientPlugin 0x6dbf:$b9: IClientLoggingHost
3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72c0000.29.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72c0000.29.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72c0000.29.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x34e2:$x2: NanoCore.ClientPlugin 0x350b:$x3: NanoCore.ClientPluginHost 0x34d3:$i3: IClientNetwork 0x34f8:$i6: IClientLoggingHost 0x3525:$i7: IClientNetworkHost 0x334e:$s1: ClientPlugin 0x34eb:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72c0000.29.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x350b:$a1: NanoCore.ClientPluginHost 0x34e2:$a2: NanoCore.ClientPlugin 0x5854:$b7: LogClientException 0x34f8:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.29fbfc4.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x15877:$x1: NanoCore.ClientPluginHost 0x25b11:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x158a1:$x2: IClientNetworkHost 0x25b3e:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.29fbfc4.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x15877:$x2: NanoCore.ClientPluginHost 0x25b11:$x2: NanoCore.ClientPluginHost 0x26ae0:$s2: FileCommand 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x17727:$s4: PipeCreated 0x2b4e2:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x25b2b:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.29fbfc4.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0x15852:$x2: NanoCore.ClientPlugin 0x25aeb:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0x15877:$x3: NanoCore.ClientPluginHost 0x25b11:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0x15843:$i3: IClientNetwork 0x25adc:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0x15868:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0x15891:$i5: IClientDataHost 0x25b01:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0x25b2b:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0x158a1:$i7: IClientNetworkHost 0x25b3e:$i7: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.29fbfc4.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x15852:$a: NanoCore 0x15877:$a: NanoCore 0x158d0:$a: NanoCore 0x25aeb:$a: NanoCore 0x25b11:$a: NanoCore 0x25b6d:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x15649:$b: ClientPlugin 0x1565a:$b: ClientPlugin 0x1568a:$b: ClientPlugin 0x1585b:$b: ClientPlugin 0x15880:$b: ClientPlugin 0x25827:$b: ClientPlugin 0x2583e:$b: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.29fbfc4.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0x15877:$a1: NanoCore.ClientPluginHost 0x25b11:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x15852:$a2: NanoCore.ClientPlugin 0x25aeb:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0x19214:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x15868:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost 0x25b2b:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d1302e.14.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x1193b:$x1: NanoCore.ClientPluginHost 0x3683f:$x1: NanoCore.ClientPluginHost 0x45c7f:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost 0x11955:$x2: IClientNetworkHost 0x36859:$x2: IClientNetworkHost 0x45cbc:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d1302e.14.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x1193b:$x2: NanoCore.ClientPluginHost 0x3683f:$x2: NanoCore.ClientPluginHost 0x45c7f:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x136e6:$s4: PipeCreated 0x39b7c:$s4: PipeCreated 0x490d2:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost 0x11928:$s5: IClientLoggingHost 0x3682c:$s5: IClientLoggingHost 0x45ca9:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d1302e.14.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b70:$x2: NanoCore.ClientPlugin 0x11912:$x2: NanoCore.ClientPlugin 0x36816:$x2: NanoCore.ClientPlugin 0x45c5a:$x2: NanoCore.ClientPlugin 0x5b99:$x3: NanoCore.ClientPluginHost 0x1193b:$x3: NanoCore.ClientPluginHost 0x3683f:$x3: NanoCore.ClientPluginHost 0x45c7f:$x3: NanoCore.ClientPluginHost 0x5b61:$i3: IClientNetwork 0x11903:$i3: IClientNetwork 0x36807:$i3: IClientNetwork 0x45c4b:$i3: IClientNetwork 0x45c70:$i4: IClientAppHost 0x45c99:$i5: IClientDataHost 0x5b86:$i6: IClientLoggingHost 0x11928:$i6: IClientLoggingHost 0x3682c:$i6: IClientLoggingHost 0x45ca9:$i6: IClientLoggingHost 0x5bb3:$i7: IClientNetworkHost 0x11955:$i7: IClientNetworkHost 0x36859:$i7: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d1302e.14.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b99:$a1: NanoCore.ClientPluginHost 0x1193b:$a1: NanoCore.ClientPluginHost 0x3683f:$a1: NanoCore.ClientPluginHost 0x45c7f:$a1: NanoCore.ClientPluginHost 0x5b70:$a2: NanoCore.ClientPlugin 0x11912:$a2: NanoCore.ClientPlugin 0x36816:$a2: NanoCore.ClientPlugin 0x45c5a:$a2: NanoCore.ClientPlugin 0x45c70:$b4: IClientAppHost 0x13c84:$b7: LogClientException 0x3b86a:$b7: LogClientException 0x4a15f:$b7: LogClientException 0x5b86:$b9: IClientLoggingHost 0x11928:$b9: IClientLoggingHost 0x3682c:$b9: IClientLoggingHost 0x45ca9:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72a0000.28.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72a0000.28.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72a0000.28.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b70:$x2: NanoCore.ClientPlugin 0x5b99:$x3: NanoCore.ClientPluginHost 0x5b61:$i3: IClientNetwork 0x5b86:$i6: IClientLoggingHost 0x5bb3:$i7: IClientNetworkHost 0x59d4:$s1: ClientPlugin 0x5b79:$s1: ClientPlugin 0x5e84:$s2: EndPoint 0x5e8d:$s3: IPAddress 0x5e97:$s4: IPEndPoint
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72a0000.28.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b99:$a1: NanoCore.ClientPluginHost 0x5b70:$a2: NanoCore.ClientPlugin 0x5b86:$b9: IClientLoggingHost
17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea4c3d.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24170:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x2419d:$x2: IClientNetworkHost
17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea4c3d.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24170:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x2524b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x2418a:$s5: IClientLoggingHost
17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea4c3d.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea4c3d.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0x2413b:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0x24170:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0x2412f:$i2: IClientData 0xb165:$i3: IClientNetwork 0x24151:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0x24160:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0x2418a:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0x2419d:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0x241b0:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0x241be:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0x241da:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin
17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea4c3d.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb184:$a1: NanoCore.ClientPluginHost 0x24170:$a1: NanoCore.ClientPluginHost 0xb14f:$a2: NanoCore.ClientPlugin 0x2413b:$a2: NanoCore.ClientPlugin 0x100ca:$b1: get_BuilderSettings 0x290b6:$b1: get_BuilderSettings 0x10039:$b7: LogClientException 0x29025:$b7: LogClientException 0xb19e:$b9: IClientLoggingHost 0x2418a:$b9: IClientLoggingHost
17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28799:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287c6:$x2: IClientNetworkHost
17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28799:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29874:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287b3:$s5: IClientLoggingHost
17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0x28764:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0x28799:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0x28758:$i2: IClientData 0xf78e:$i3: IClientNetwork 0x2877a:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0x28789:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0x287b3:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0x287c6:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0x287d9:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0x287e7:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0x28803:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin
17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0x28799:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x28764:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x2d6df:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0x2d64e:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost 0x287b3:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6ff0000.25.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6ff0000.25.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6ff0000.25.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x227f:$x2: NanoCore.ClientPlugin 0x2205:$x3: NanoCore.ClientPluginHost 0x2295:$i3: IClientNetwork 0x221f:$i6: IClientLoggingHost 0x223e:$i7: IClientNetworkHost 0x1f9f:$s1: ClientPlugin 0x2288:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6ff0000.25.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2205:$a1: NanoCore.ClientPluginHost 0x227f:$a2: NanoCore.ClientPlugin 0x29a0:$b7: LogClientException 0x221f:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6e80000.23.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3f0b:$x1: NanoCore.ClientPluginHost 0x3f44:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6e80000.23.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3f0b:$x2: NanoCore.ClientPluginHost 0x400f:$s4: PipeCreated 0x3f25:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6e80000.23.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3f87:$x2: NanoCore.ClientPlugin 0x3f0b:$x3: NanoCore.ClientPluginHost 0x3f9d:$i3: IClientNetwork 0x3f25:$i6: IClientLoggingHost 0x3f44:$i7: IClientNetworkHost 0x3bfb:$s1: ClientPlugin 0x3f90:$s1: ClientPlugin 0x50f4:$s3: IPAddress
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6e80000.23.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3f0b:$a1: NanoCore.ClientPluginHost 0x3f87:$a2: NanoCore.ClientPlugin 0x4b10:$b7: LogClientException 0x3f25:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d4c9f.32.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1a53c:$x1: NanoCore.ClientPluginHost 0x1a556:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d4c9f.32.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1a53c:$x2: NanoCore.ClientPluginHost 0x1d879:$s4: PipeCreated 0x1a529:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d4c9f.32.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1a513:$x2: NanoCore.ClientPlugin 0x1a53c:$x3: NanoCore.ClientPluginHost 0x1a504:$i3: IClientNetwork 0x1a529:$i6: IClientLoggingHost 0x1a556:$i7: IClientNetworkHost 0x1a569:$i8: IClientUIHost 0x1a273:$s1: ClientPlugin 0x1a51c:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d4c9f.32.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1a53c:$a1: NanoCore.ClientPluginHost 0x1a513:$a2: NanoCore.ClientPlugin 0x1f567:$b7: LogClientException 0x1a529:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d2145e.13.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x2840f:$x1: NanoCore.ClientPluginHost 0x3784f:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost 0x28429:$x2: IClientNetworkHost 0x3788c:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d2145e.13.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x2840f:$x2: NanoCore.ClientPluginHost 0x3784f:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x2b74c:$s4: PipeCreated 0x3aca2:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost 0x283fc:$s5: IClientLoggingHost 0x37879:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d2145e.13.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x34e2:$x2: NanoCore.ClientPlugin 0x283e6:$x2: NanoCore.ClientPlugin 0x3782a:$x2: NanoCore.ClientPlugin 0x350b:$x3: NanoCore.ClientPluginHost 0x2840f:$x3: NanoCore.ClientPluginHost 0x3784f:$x3: NanoCore.ClientPluginHost 0x34d3:$i3: IClientNetwork 0x283d7:$i3: IClientNetwork 0x3781b:$i3: IClientNetwork 0x37840:$i4: IClientAppHost 0x37869:$i5: IClientDataHost 0x34f8:$i6: IClientLoggingHost 0x283fc:$i6: IClientLoggingHost 0x37879:$i6: IClientLoggingHost 0x3525:$i7: IClientNetworkHost 0x28429:$i7: IClientNetworkHost 0x3788c:$i7: IClientNetworkHost 0x2843c:$i8: IClientUIHost 0x3789f:$i8: IClientUIHost 0x378ad:$i9: IClientNameObjectCollection 0x334e:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d2145e.13.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x350b:$a1: NanoCore.ClientPluginHost 0x2840f:$a1: NanoCore.ClientPluginHost 0x3784f:$a1: NanoCore.ClientPluginHost 0x34e2:$a2: NanoCore.ClientPlugin 0x283e6:$a2: NanoCore.ClientPlugin 0x3782a:$a2: NanoCore.ClientPlugin 0x37840:$b4: IClientAppHost 0x5854:$b7: LogClientException 0x2d43a:$b7: LogClientException 0x3bd2f:$b7: LogClientException 0x34f8:$b9: IClientLoggingHost 0x283fc:$b9: IClientLoggingHost 0x37879:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a18f30.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a18f30.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a18f30.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x8b7f:$x2: NanoCore.ClientPlugin 0x8ba5:$x3: NanoCore.ClientPluginHost 0x8b70:$i3: IClientNetwork 0x8b95:$i5: IClientDataHost 0x8bbf:$i6: IClientLoggingHost 0x8bd2:$i7: IClientNetworkHost 0x8be5:$i9: IClientNameObjectCollection 0x8902:$s1: ClientPlugin 0x8b88:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a18f30.1.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x8ba5:$a1: NanoCore.ClientPluginHost 0x8b7f:$a2: NanoCore.ClientPlugin 0x8bbf:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7310000.33.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x41ee:$x1: NanoCore.ClientPluginHost 0x422b:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7310000.33.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x41ee:$x2: NanoCore.ClientPluginHost 0x7641:$s4: PipeCreated 0x4218:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7310000.33.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x41c9:$x2: NanoCore.ClientPlugin 0x41ee:$x3: NanoCore.ClientPluginHost 0x41ba:$i3: IClientNetwork 0x41df:$i4: IClientAppHost 0x4208:$i5: IClientDataHost 0x4218:$i6: IClientLoggingHost 0x422b:$i7: IClientNetworkHost 0x423e:$i8: IClientUIHost 0x424c:$i9: IClientNameObjectCollection 0x3f70:$s1: ClientPlugin 0x41d2:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7310000.33.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x41ee:$a1: NanoCore.ClientPluginHost 0x41c9:$a2: NanoCore.ClientPlugin 0x41df:$b4: IClientAppHost 0x86ce:$b7: LogClientException 0x4218:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7310000.33.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7310000.33.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7310000.33.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5fc9:$x2: NanoCore.ClientPlugin 0x5fee:$x3: NanoCore.ClientPluginHost 0x5fba:$i3: IClientNetwork 0x5fdf:$i4: IClientAppHost 0x6008:$i5: IClientDataHost 0x6018:$i6: IClientLoggingHost 0x602b:$i7: IClientNetworkHost 0x603e:$i8: IClientUIHost 0x604c:$i9: IClientNameObjectCollection 0x5d70:$s1: ClientPlugin 0x5fd2:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7310000.33.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5fee:$a1: NanoCore.ClientPluginHost 0x5fc9:$a2: NanoCore.ClientPlugin 0x5fdf:$b4: IClientAppHost 0xa4ce:$b7: LogClientException 0x6018:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72de8a4.31.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10937:$x1: NanoCore.ClientPluginHost 0x10951:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72de8a4.31.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x10937:$x2: NanoCore.ClientPluginHost 0x13c74:$s4: PipeCreated 0x10924:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72de8a4.31.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1090e:$x2: NanoCore.ClientPlugin 0x10937:$x3: NanoCore.ClientPluginHost 0x108ff:$i3: IClientNetwork 0x10924:$i6: IClientLoggingHost 0x10951:$i7: IClientNetworkHost 0x10964:$i8: IClientUIHost 0x1066e:$s1: ClientPlugin 0x10917:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72de8a4.31.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x10937:$a1: NanoCore.ClientPluginHost 0x1090e:$a2: NanoCore.ClientPlugin 0x15962:$b7: LogClientException 0x10924:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a0cc80.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x14e55:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost 0x14e82:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a0cc80.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x14e55:$x2: NanoCore.ClientPluginHost 0x15e24:$s2: FileCommand 0x6a6b:$s4: PipeCreated 0x1a826:$s4: PipeCreated 0x14e6f:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a0cc80.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x4b96:$x2: NanoCore.ClientPlugin 0x14e2f:$x2: NanoCore.ClientPlugin 0x4bbb:$x3: NanoCore.ClientPluginHost 0x14e55:$x3: NanoCore.ClientPluginHost 0x4b87:$i3: IClientNetwork 0x14e20:$i3: IClientNetwork 0x4bac:$i4: IClientAppHost 0x4bd5:$i5: IClientDataHost 0x14e45:$i5: IClientDataHost 0x14e6f:$i6: IClientLoggingHost 0x4be5:$i7: IClientNetworkHost 0x14e82:$i7: IClientNetworkHost 0x4bf8:$i9: IClientNameObjectCollection 0x14e95:$i9: IClientNameObjectCollection 0x4c1d:$i10: IClientReadOnlyNameObjectCollection 0x49ce:$s1: ClientPlugin 0x4b9f:$s1: ClientPlugin 0x14bb2:$s1: ClientPlugin 0x14e38:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a0cc80.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4bbb:$a1: NanoCore.ClientPluginHost 0x14e55:$a1: NanoCore.ClientPluginHost 0x4b96:$a2: NanoCore.ClientPlugin 0x14e2f:$a2: NanoCore.ClientPlugin 0x8558:$b1: get_BuilderSettings 0x4bac:$b4: IClientAppHost 0x14e6f:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39c9930.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39c9930.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d3db:$x2: NanoCore.ClientPluginHost 0x20718:$s4: PipeCreated 0x1d3c8:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39c9930.8.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1d3b2:$x2: NanoCore.ClientPlugin 0x1d3db:$x3: NanoCore.ClientPluginHost 0x1d3a3:$i3: IClientNetwork 0x1d3c8:$i6: IClientLoggingHost 0x1d3f5:$i7: IClientNetworkHost 0x1d408:$i8: IClientUIHost 0x1d112:$s1: ClientPlugin 0x1d3bb:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39c9930.8.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1d3db:$a1: NanoCore.ClientPluginHost 0x1d3b2:$a2: NanoCore.ClientPlugin 0x22406:$b7: LogClientException 0x1d3c8:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7000000.26.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7000000.26.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7000000.26.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5ad5:$x2: NanoCore.ClientPlugin 0x59eb:$x3: NanoCore.ClientPluginHost 0x5aeb:$i3: IClientNetwork 0x5a24:$i5: IClientDataHost 0x5a05:$i6: IClientLoggingHost 0x5b48:$i7: IClientNetworkHost 0x5a43:$i8: IClientUIHost 0x6955:$i9: IClientNameObjectCollection 0x54fc:$s1: ClientPlugin 0x5ade:$s1: ClientPlugin 0x6971:$s6: get_ClientSettings
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7000000.26.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x59eb:$a1: NanoCore.ClientPluginHost 0x5ad5:$a2: NanoCore.ClientPlugin 0x732e:$b7: LogClientException 0x6941:$b8: PipeExists 0x5a05:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7000000.26.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3deb:$x1: NanoCore.ClientPluginHost 0x3f48:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7000000.26.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3deb:$x2: NanoCore.ClientPluginHost 0x4d41:$s3: PipeExists 0x3fe1:$s4: PipeCreated 0x3e05:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7000000.26.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3ed5:$x2: NanoCore.ClientPlugin 0x3deb:$x3: NanoCore.ClientPluginHost 0x3eeb:$i3: IClientNetwork 0x3e24:$i5: IClientDataHost 0x3e05:$i6: IClientLoggingHost 0x3f48:$i7: IClientNetworkHost 0x3e43:$i8: IClientUIHost 0x4d55:$i9: IClientNameObjectCollection 0x38fc:$s1: ClientPlugin 0x3ede:$s1: ClientPlugin 0x4d71:$s6: get_ClientSettings
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7000000.26.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3deb:$a1: NanoCore.ClientPluginHost 0x3ed5:$a2: NanoCore.ClientPlugin 0x572e:$b7: LogClientException 0x4d41:$b8: PipeExists 0x3e05:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39d81d4.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10937:$x1: NanoCore.ClientPluginHost 0x10951:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39d81d4.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x10937:$x2: NanoCore.ClientPluginHost 0x13c74:$s4: PipeCreated 0x10924:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39d81d4.6.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1090e:$x2: NanoCore.ClientPlugin 0x10937:$x3: NanoCore.ClientPluginHost 0x108ff:$i3: IClientNetwork 0x10924:$i6: IClientLoggingHost 0x10951:$i7: IClientNetworkHost 0x10964:$i8: IClientUIHost 0x1066e:$s1: ClientPlugin 0x10917:$s1: ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39d81d4.6.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x10937:$a1: NanoCore.ClientPluginHost 0x1090e:$a2: NanoCore.ClientPlugin 0x15962:$b7: LogClientException 0x10924:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a79658.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost 0x7675:$x1: NanoCore.ClientPluginHost 0x11cc7:$x1: NanoCore.ClientPluginHost 0x1c137:$x1: NanoCore.ClientPluginHost 0x2715d:$x1: NanoCore.ClientPluginHost 0x32f47:$x1: NanoCore.ClientPluginHost 0x3ed06:$x1: NanoCore.ClientPluginHost 0x76ae:$x2: IClientNetworkHost 0x11e24:$x2: IClientNetworkHost 0x1c170:$x2: IClientNetworkHost 0x27177:$x2: IClientNetworkHost 0x32f61:$x2: IClientNetworkHost 0x3ed43:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a79658.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0x7675:$x2: NanoCore.ClientPluginHost 0x11cc7:$x2: NanoCore.ClientPluginHost 0x1c137:$x2: NanoCore.ClientPluginHost 0x2715d:$x2: NanoCore.ClientPluginHost 0x32f47:$x2: NanoCore.ClientPluginHost 0x3ed06:$x2: NanoCore.ClientPluginHost 0x12c1d:$s3: PipeExists 0x1486:$s4: PipeCreated 0x7790:$s4: PipeCreated 0x11ebd:$s4: PipeCreated 0x1c282:$s4: PipeCreated 0x28192:$s4: PipeCreated 0x34cf2:$s4: PipeCreated 0x42159:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost 0x768f:$s5: IClientLoggingHost 0x11ce1:$s5: IClientLoggingHost 0x1c151:$s5: IClientLoggingHost 0x2714a:$s5: IClientLoggingHost 0x32f34:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a79658.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x13f2:$x2: NanoCore.ClientPlugin 0x76ef:$x2: NanoCore.ClientPlugin 0x11db1:$x2: NanoCore.ClientPlugin 0x1c1d7:$x2: NanoCore.ClientPlugin 0x27134:$x2: NanoCore.ClientPlugin 0x32f1e:$x2: NanoCore.ClientPlugin 0x3ece1:$x2: NanoCore.ClientPlugin 0x13a8:$x3: NanoCore.ClientPluginHost 0x7675:$x3: NanoCore.ClientPluginHost 0x11cc7:$x3: NanoCore.ClientPluginHost 0x1c137:$x3: NanoCore.ClientPluginHost 0x2715d:$x3: NanoCore.ClientPluginHost 0x32f47:$x3: NanoCore.ClientPluginHost 0x3ed06:$x3: NanoCore.ClientPluginHost 0x1408:$i3: IClientNetwork 0x7705:$i3: IClientNetwork 0x11dc7:$i3: IClientNetwork 0x1c1ed:$i3: IClientNetwork 0x27125:$i3: IClientNetwork 0x32f0f:$i3: IClientNetwork 0x3ecd2:$i3: IClientNetwork
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a79658.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x13a8:$a: NanoCore 0x13f2:$a: NanoCore 0x204c:$a: NanoCore 0x7675:$a: NanoCore 0x76ef:$a: NanoCore 0x11cc7:$a: NanoCore 0x11db1:$a: NanoCore 0x12c28:$a: NanoCore 0x1be17:$a: NanoCore 0x1be78:$a: NanoCore 0x1bebb:$a: NanoCore 0x1befb:$a: NanoCore 0x1c137:$a: NanoCore 0x1c1d7:$a: NanoCore 0x1c9af:$a: NanoCore 0x1cfa2:$a: NanoCore 0x1d0f3:$a: NanoCore 0x1df4d:$a: NanoCore 0x1e1b4:$a: NanoCore 0x1e1c9:$a: NanoCore 0x1e1e8:$a: NanoCore
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a79658.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x13a8:$a1: NanoCore.ClientPluginHost 0x7675:$a1: NanoCore.ClientPluginHost 0x11cc7:$a1: NanoCore.ClientPluginHost 0x1c137:$a1: NanoCore.ClientPluginHost 0x2715d:$a1: NanoCore.ClientPluginHost 0x32f47:$a1: NanoCore.ClientPluginHost 0x3ed06:$a1: NanoCore.ClientPluginHost 0x13f2:$a2: NanoCore.ClientPlugin 0x76ef:$a2: NanoCore.ClientPlugin 0x11db1:$a2: NanoCore.ClientPlugin 0x1c1d7:$a2: NanoCore.ClientPlugin 0x27134:$a2: NanoCore.ClientPlugin 0x32f1e:$a2: NanoCore.ClientPlugin 0x3ece1:$a2: NanoCore.ClientPlugin 0x3ecf7:$b4: IClientAppHost 0x7e10:$b7: LogClientException 0x1360a:$b7: LogClientException 0x1cf2d:$b7: LogClientException 0x35290:$b7: LogClientException 0x431e6:$b7: LogClientException 0x12c1d:$b8: PipeExists
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a6dde4.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0xcc1c:$x1: NanoCore.ClientPluginHost 0x12ee9:$x1: NanoCore.ClientPluginHost 0x1d53b:$x1: NanoCore.ClientPluginHost 0x279ab:$x1: NanoCore.ClientPluginHost 0x329d1:$x1: NanoCore.ClientPluginHost 0x3e7bb:$x1: NanoCore.ClientPluginHost 0x4a57a:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost 0x12f22:$x2: IClientNetworkHost 0x1d698:$x2: IClientNetworkHost 0x279e4:$x2: IClientNetworkHost 0x329eb:$x2: IClientNetworkHost 0x3e7d5:$x2: IClientNetworkHost 0x4a5b7:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a6dde4.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b0b:$x2: NanoCore.ClientPluginHost 0xcc1c:$x2: NanoCore.ClientPluginHost 0x12ee9:$x2: NanoCore.ClientPluginHost 0x1d53b:$x2: NanoCore.ClientPluginHost 0x279ab:$x2: NanoCore.ClientPluginHost 0x329d1:$x2: NanoCore.ClientPluginHost 0x3e7bb:$x2: NanoCore.ClientPluginHost 0x4a57a:$x2: NanoCore.ClientPluginHost 0x1e491:$s3: PipeExists 0x5c0f:$s4: PipeCreated 0xccfa:$s4: PipeCreated 0x13004:$s4: PipeCreated 0x1d731:$s4: PipeCreated 0x27af6:$s4: PipeCreated 0x33a06:$s4: PipeCreated 0x40566:$s4: PipeCreated 0x4d9cd:$s4: PipeCreated 0x5b25:$s5: IClientLoggingHost 0xcc36:$s5: IClientLoggingHost 0x12f03:$s5: IClientLoggingHost 0x1d555:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a6dde4.5.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b87:$x2: NanoCore.ClientPlugin 0xcc66:$x2: NanoCore.ClientPlugin 0x12f63:$x2: NanoCore.ClientPlugin 0x1d625:$x2: NanoCore.ClientPlugin 0x27a4b:$x2: NanoCore.ClientPlugin 0x329a8:$x2: NanoCore.ClientPlugin 0x3e792:$x2: NanoCore.ClientPlugin 0x4a555:$x2: NanoCore.ClientPlugin 0x5b0b:$x3: NanoCore.ClientPluginHost 0xcc1c:$x3: NanoCore.ClientPluginHost 0x12ee9:$x3: NanoCore.ClientPluginHost 0x1d53b:$x3: NanoCore.ClientPluginHost 0x279ab:$x3: NanoCore.ClientPluginHost 0x329d1:$x3: NanoCore.ClientPluginHost 0x3e7bb:$x3: NanoCore.ClientPluginHost 0x4a57a:$x3: NanoCore.ClientPluginHost 0x5b9d:$i3: IClientNetwork 0xcc7c:$i3: IClientNetwork 0x12f79:$i3: IClientNetwork 0x1d63b:$i3: IClientNetwork 0x27a61:$i3: IClientNetwork
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a6dde4.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x5b0b:$a: NanoCore 0x5b87:$a: NanoCore 0x846a:$a: NanoCore 0xcc1c:$a: NanoCore 0xcc66:$a: NanoCore 0xd8c0:$a: NanoCore 0x12ee9:$a: NanoCore 0x12f63:$a: NanoCore 0x1d53b:$a: NanoCore 0x1d625:$a: NanoCore 0x1e49c:$a: NanoCore 0x2768b:$a: NanoCore 0x276ec:$a: NanoCore 0x2772f:$a: NanoCore 0x2776f:$a: NanoCore 0x279ab:$a: NanoCore 0x27a4b:$a: NanoCore 0x28223:$a: NanoCore 0x28816:$a: NanoCore 0x28967:$a: NanoCore 0x297c1:$a: NanoCore
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a6dde4.5.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b0b:$a1: NanoCore.ClientPluginHost 0xcc1c:$a1: NanoCore.ClientPluginHost 0x12ee9:$a1: NanoCore.ClientPluginHost 0x1d53b:$a1: NanoCore.ClientPluginHost 0x279ab:$a1: NanoCore.ClientPluginHost 0x329d1:$a1: NanoCore.ClientPluginHost 0x3e7bb:$a1: NanoCore.ClientPluginHost 0x4a57a:$a1: NanoCore.ClientPluginHost 0x5b87:$a2: NanoCore.ClientPlugin 0xcc66:$a2: NanoCore.ClientPlugin 0x12f63:$a2: NanoCore.ClientPlugin 0x1d625:$a2: NanoCore.ClientPlugin 0x27a4b:$a2: NanoCore.ClientPlugin 0x329a8:$a2: NanoCore.ClientPlugin 0x3e792:$a2: NanoCore.ClientPlugin 0x4a555:$a2: NanoCore.ClientPlugin 0x4a56b:$b4: IClientAppHost 0x6710:$b7: LogClientException 0x13684:$b7: LogClientException 0x1ee7e:$b7: LogClientException 0x287a1:$b7: LogClientException
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a68378.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0xb577:$x1: NanoCore.ClientPluginHost 0x12688:$x1: NanoCore.ClientPluginHost 0x18955:$x1: NanoCore.ClientPluginHost 0x22fa7:$x1: NanoCore.ClientPluginHost 0x2d417:$x1: NanoCore.ClientPluginHost 0x3843d:$x1: NanoCore.ClientPluginHost 0x44227:$x1: NanoCore.ClientPluginHost 0x4ffe6:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost 0xb5b0:$x2: IClientNetworkHost 0x1898e:$x2: IClientNetworkHost 0x23104:$x2: IClientNetworkHost 0x2d450:$x2: IClientNetworkHost 0x38457:$x2: IClientNetworkHost 0x44241:$x2: IClientNetworkHost 0x50023:$x2: IClientNetworkHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a68378.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0xb577:$x2: NanoCore.ClientPluginHost 0x12688:$x2: NanoCore.ClientPluginHost 0x18955:$x2: NanoCore.ClientPluginHost 0x22fa7:$x2: NanoCore.ClientPluginHost 0x2d417:$x2: NanoCore.ClientPluginHost 0x3843d:$x2: NanoCore.ClientPluginHost 0x44227:$x2: NanoCore.ClientPluginHost 0x4ffe6:$x2: NanoCore.ClientPluginHost 0x23efd:$s3: PipeExists 0x1800:$s4: PipeCreated 0xb67b:$s4: PipeCreated 0x12766:$s4: PipeCreated 0x18a70:$s4: PipeCreated 0x2319d:$s4: PipeCreated 0x2d562:$s4: PipeCreated 0x39472:$s4: PipeCreated 0x45fd2:$s4: PipeCreated 0x53439:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost 0xb591:$s5: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a68378.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x175f:$x2: NanoCore.ClientPlugin 0xb5f3:$x2: NanoCore.ClientPlugin 0x126d2:$x2: NanoCore.ClientPlugin 0x189cf:$x2: NanoCore.ClientPlugin 0x23091:$x2: NanoCore.ClientPlugin 0x2d4b7:$x2: NanoCore.ClientPlugin 0x38414:$x2: NanoCore.ClientPlugin 0x441fe:$x2: NanoCore.ClientPlugin 0x4ffc1:$x2: NanoCore.ClientPlugin 0x16e3:$x3: NanoCore.ClientPluginHost 0xb577:$x3: NanoCore.ClientPluginHost 0x12688:$x3: NanoCore.ClientPluginHost 0x18955:$x3: NanoCore.ClientPluginHost 0x22fa7:$x3: NanoCore.ClientPluginHost 0x2d417:$x3: NanoCore.ClientPluginHost 0x3843d:$x3: NanoCore.ClientPluginHost 0x44227:$x3: NanoCore.ClientPluginHost 0x4ffe6:$x3: NanoCore.ClientPluginHost 0x1775:$i3: IClientNetwork 0xb609:$i3: IClientNetwork 0x126e8:$i3: IClientNetwork
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a68378.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x142b:$a: NanoCore 0x1484:$a: NanoCore 0x14b7:$a: NanoCore 0x16e3:$a: NanoCore 0x175f:$a: NanoCore 0x1d78:$a: NanoCore 0x1ec1:$a: NanoCore 0x2395:$a: NanoCore 0x267c:$a: NanoCore 0x2693:$a: NanoCore 0xb577:$a: NanoCore 0xb5f3:$a: NanoCore 0xded6:$a: NanoCore 0x12688:$a: NanoCore 0x126d2:$a: NanoCore 0x1332c:$a: NanoCore 0x18955:$a: NanoCore 0x189cf:$a: NanoCore 0x22fa7:$a: NanoCore 0x23091:$a: NanoCore 0x23f08:$a: NanoCore
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a68378.4.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x16e3:$a1: NanoCore.ClientPluginHost 0xb577:$a1: NanoCore.ClientPluginHost 0x12688:$a1: NanoCore.ClientPluginHost 0x18955:$a1: NanoCore.ClientPluginHost 0x22fa7:$a1: NanoCore.ClientPluginHost 0x2d417:$a1: NanoCore.ClientPluginHost 0x3843d:$a1: NanoCore.ClientPluginHost 0x44227:$a1: NanoCore.ClientPluginHost 0x4ffe6:$a1: NanoCore.ClientPluginHost 0x175f:$a2: NanoCore.ClientPlugin 0xb5f3:$a2: NanoCore.ClientPlugin 0x126d2:$a2: NanoCore.ClientPlugin 0x189cf:$a2: NanoCore.ClientPlugin 0x23091:$a2: NanoCore.ClientPlugin 0x2d4b7:$a2: NanoCore.ClientPlugin 0x38414:$a2: NanoCore.ClientPlugin 0x441fe:$a2: NanoCore.ClientPlugin 0x4ffc1:$a2: NanoCore.ClientPlugin 0x4ffd7:$b4: IClientAppHost 0xc17c:$b7: LogClientException 0x190f0:$b7: LogClientException
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b3f601.11.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b3f601.11.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x4b96:$x2: NanoCore.ClientPlugin 0x14db3:$x2: NanoCore.ClientPlugin 0x21fc0:$x2: NanoCore.ClientPlugin 0x2be14:$x2: NanoCore.ClientPlugin 0x32eaf:$x2: NanoCore.ClientPlugin 0x3916a:$x2: NanoCore.ClientPlugin 0x437eb:$x2: NanoCore.ClientPlugin 0x4dbce:$x2: NanoCore.ClientPlugin 0x58ae4:$x2: NanoCore.ClientPlugin 0x64888:$x2: NanoCore.ClientPlugin 0x8978e:$x2: NanoCore.ClientPlugin 0x98bd4:$x2: NanoCore.ClientPlugin 0xa1e71:$x2: NanoCore.ClientPlugin 0xb55e7:$x2: NanoCore.ClientPlugin 0xc3231:$x2: NanoCore.ClientPlugin 0xd344c:$x2: NanoCore.ClientPlugin 0xe0657:$x2: NanoCore.ClientPlugin 0xe5d18:$x2: NanoCore.ClientPlugin 0xebfd1:$x2: NanoCore.ClientPlugin 0xf6650:$x2: NanoCore.ClientPlugin 0x100a31:$x2: NanoCore.ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b3f601.11.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14db3:$a: NanoCore 0x14dd9:$a: NanoCore 0x14e35:$a: NanoCore 0x21c8c:$a: NanoCore 0x21ce5:$a: NanoCore 0x21d18:$a: NanoCore 0x21f44:$a: NanoCore 0x21fc0:$a: NanoCore 0x225d9:$a: NanoCore 0x22722:$a: NanoCore 0x22bf6:$a: NanoCore 0x22edd:$a: NanoCore 0x22ef4:$a: NanoCore 0x2bd98:$a: NanoCore 0x2be14:$a: NanoCore 0x2e6f7:$a: NanoCore 0x31aa9:$a: NanoCore 0x32e65:$a: NanoCore
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b3f601.11.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4bbb:$a1: NanoCore.ClientPluginHost 0x14dd9:$a1: NanoCore.ClientPluginHost 0x21f44:$a1: NanoCore.ClientPluginHost 0x2bd98:$a1: NanoCore.ClientPluginHost 0x32e65:$a1: NanoCore.ClientPluginHost 0x390f0:$a1: NanoCore.ClientPluginHost 0x43701:$a1: NanoCore.ClientPluginHost 0x4db2e:$a1: NanoCore.ClientPluginHost 0x58b0d:$a1: NanoCore.ClientPluginHost 0x648b1:$a1: NanoCore.ClientPluginHost 0x897b7:$a1: NanoCore.ClientPluginHost 0x98bf9:$a1: NanoCore.ClientPluginHost 0xa1eae:$a1: NanoCore.ClientPluginHost 0xb561c:$a1: NanoCore.ClientPluginHost 0xc3256:$a1: NanoCore.ClientPluginHost 0xd3472:$a1: NanoCore.ClientPluginHost 0xe05db:$a1: NanoCore.ClientPluginHost 0xe5cce:$a1: NanoCore.ClientPluginHost 0xebf57:$a1: NanoCore.ClientPluginHost 0xf6566:$a1: NanoCore.ClientPluginHost 0x100991:$a1: NanoCore.ClientPluginHost
0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.36d0a00.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1329dd:$x1: NanoCore.ClientPluginHost 0x132a1a:$x2: IClientNetworkHost 0x13654d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.36d0a00.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.36d0a00.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x132745:$x1: NanoCore Client 0x132755:$x1: NanoCore Client 0x13299d:$x2: NanoCore.ClientPlugin 0x1329dd:$x3: NanoCore.ClientPluginHost 0x132992:$i1: IClientApp 0x1329b3:$i2: IClientData 0x1329bf:$i3: IClientNetwork 0x1329ce:$i4: IClientAppHost 0x1329f7:$i5: IClientDataHost 0x132a07:$i6: IClientLoggingHost 0x132a1a:$i7: IClientNetworkHost 0x132a2d:$i8: IClientUIHost 0x132a3b:$i9: IClientNameObjectCollection 0x132a57:$i10: IClientReadOnlyNameObjectCollection 0x1327a4:$s1: ClientPlugin 0x1329a6:$s1: ClientPlugin 0x132e9a:$s2: EndPoint 0x132ea3:$s3: IPAddress 0x132ead:$s4: IPEndPoint 0x1348e3:$s6: get_ClientSettings 0x134e87:$s7: get_Connected
0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.36d0a00.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x132745:$a: NanoCore 0x132755:$a: NanoCore 0x132989:$a: NanoCore 0x13299d:$a: NanoCore 0x1329dd:$a: NanoCore 0x1327a4:$b: ClientPlugin 0x1329a6:$b: ClientPlugin 0x1329e6:$b: ClientPlugin 0x1328cb:$c: ProjectData 0x24aaa9:$c: ProjectData 0x28d481:$c: ProjectData 0x1332d2:$d: DESCrypto 0x13ac9e:$e: KeepAlive 0x138c8c:$g: LogClientMessage 0x134e87:$i: get_Connected 0x133608:$j: #=q 0x133638:$j: #=q 0x133654:$j: #=q 0x133684:$j: #=q 0x1336a0:$j: #=q 0x1336bc:$j: #=q
0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.36d0a00.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1329dd:$a1: NanoCore.ClientPluginHost 0x13299d:$a2: NanoCore.ClientPlugin 0x1348f6:$b1: get_BuilderSettings 0x1327f9:$b2: ClientLoaderForm.resources 0x134016:$b3: PluginCommand 0x1329ce:$b4: IClientAppHost 0x13ce4e:$b5: GetBlockHash 0x134f4e:$b6: AddHostEntry 0x138c41:$b7: LogClientException 0x134ebb:$b8: PipeExists 0x132a07:$b9: IClientLoggingHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b5fe62.12.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b5fe62.12.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x175f:$x2: NanoCore.ClientPlugin 0xb5b3:$x2: NanoCore.ClientPlugin 0x1264e:$x2: NanoCore.ClientPlugin 0x18909:$x2: NanoCore.ClientPlugin 0x22f8a:$x2: NanoCore.ClientPlugin 0x2d36d:$x2: NanoCore.ClientPlugin 0x38283:$x2: NanoCore.ClientPlugin 0x44027:$x2: NanoCore.ClientPlugin 0x68f2d:$x2: NanoCore.ClientPlugin 0x78373:$x2: NanoCore.ClientPlugin 0x81610:$x2: NanoCore.ClientPlugin 0x94d86:$x2: NanoCore.ClientPlugin 0xa29d0:$x2: NanoCore.ClientPlugin 0xb2beb:$x2: NanoCore.ClientPlugin 0xbfdf6:$x2: NanoCore.ClientPlugin 0xc54b7:$x2: NanoCore.ClientPlugin 0xcb770:$x2: NanoCore.ClientPlugin 0xd5def:$x2: NanoCore.ClientPlugin 0xe01d0:$x2: NanoCore.ClientPlugin 0xeb0e4:$x2: NanoCore.ClientPlugin 0xf6e86:$x2: NanoCore.ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b5fe62.12.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x142b:$a: NanoCore 0x1484:$a: NanoCore 0x14b7:$a: NanoCore 0x16e3:$a: NanoCore 0x175f:$a: NanoCore 0x1d78:$a: NanoCore 0x1ec1:$a: NanoCore 0x2395:$a: NanoCore 0x267c:$a: NanoCore 0x2693:$a: NanoCore 0xb537:$a: NanoCore 0xb5b3:$a: NanoCore 0xde96:$a: NanoCore 0x11248:$a: NanoCore 0x12604:$a: NanoCore 0x1264e:$a: NanoCore 0x132a8:$a: NanoCore 0x1888f:$a: NanoCore 0x18909:$a: NanoCore 0x22ea0:$a: NanoCore 0x22f8a:$a: NanoCore
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b5fe62.12.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x16e3:$a1: NanoCore.ClientPluginHost 0xb537:$a1: NanoCore.ClientPluginHost 0x12604:$a1: NanoCore.ClientPluginHost 0x1888f:$a1: NanoCore.ClientPluginHost 0x22ea0:$a1: NanoCore.ClientPluginHost 0x2d2cd:$a1: NanoCore.ClientPluginHost 0x382ac:$a1: NanoCore.ClientPluginHost 0x44050:$a1: NanoCore.ClientPluginHost 0x68f56:$a1: NanoCore.ClientPluginHost 0x78398:$a1: NanoCore.ClientPluginHost 0x8164d:$a1: NanoCore.ClientPluginHost 0x94dbb:$a1: NanoCore.ClientPluginHost 0xa29f5:$a1: NanoCore.ClientPluginHost 0xb2c11:$a1: NanoCore.ClientPluginHost 0xbfd7a:$a1: NanoCore.ClientPluginHost 0xc546d:$a1: NanoCore.ClientPluginHost 0xcb6f6:$a1: NanoCore.ClientPluginHost 0xd5d05:$a1: NanoCore.ClientPluginHost 0xe0130:$a1: NanoCore.ClientPluginHost 0xeb10d:$a1: NanoCore.ClientPluginHost 0xf6eaf:$a1: NanoCore.ClientPluginHost
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b4b835.10.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b4b835.10.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x8b7f:$x2: NanoCore.ClientPlugin 0x15d8c:$x2: NanoCore.ClientPlugin 0x1fbe0:$x2: NanoCore.ClientPlugin 0x26c7b:$x2: NanoCore.ClientPlugin 0x2cf36:$x2: NanoCore.ClientPlugin 0x375b7:$x2: NanoCore.ClientPlugin 0x4199a:$x2: NanoCore.ClientPlugin 0x4c8b0:$x2: NanoCore.ClientPlugin 0x58654:$x2: NanoCore.ClientPlugin 0x7d55a:$x2: NanoCore.ClientPlugin 0x8c9a0:$x2: NanoCore.ClientPlugin 0x95c3d:$x2: NanoCore.ClientPlugin 0xa93b3:$x2: NanoCore.ClientPlugin 0xb6ffd:$x2: NanoCore.ClientPlugin 0xc7218:$x2: NanoCore.ClientPlugin 0xd4423:$x2: NanoCore.ClientPlugin 0xd9ae4:$x2: NanoCore.ClientPlugin 0xdfd9d:$x2: NanoCore.ClientPlugin 0xea41c:$x2: NanoCore.ClientPlugin 0xf47fd:$x2: NanoCore.ClientPlugin 0xff711:$x2: NanoCore.ClientPlugin
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b4b835.10.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a58:$a: NanoCore 0x15ab1:$a: NanoCore 0x15ae4:$a: NanoCore 0x15d10:$a: NanoCore 0x15d8c:$a: NanoCore 0x163a5:$a: NanoCore 0x164ee:$a: NanoCore 0x169c2:$a: NanoCore 0x16ca9:$a: NanoCore 0x16cc0:$a: NanoCore 0x1fb64:$a: NanoCore 0x1fbe0:$a: NanoCore 0x224c3:$a: NanoCore 0x25875:$a: NanoCore 0x26c31:$a: NanoCore 0x26c7b:$a: NanoCore 0x278d5:$a: NanoCore 0x2cebc:$a: NanoCore
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b4b835.10.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x8ba5:$a1: NanoCore.ClientPluginHost 0x15d10:$a1: NanoCore.ClientPluginHost 0x1fb64:$a1: NanoCore.ClientPluginHost 0x26c31:$a1: NanoCore.ClientPluginHost 0x2cebc:$a1: NanoCore.ClientPluginHost 0x374cd:$a1: NanoCore.ClientPluginHost 0x418fa:$a1: NanoCore.ClientPluginHost 0x4c8d9:$a1: NanoCore.ClientPluginHost 0x5867d:$a1: NanoCore.ClientPluginHost 0x7d583:$a1: NanoCore.ClientPluginHost 0x8c9c5:$a1: NanoCore.ClientPluginHost 0x95c7a:$a1: NanoCore.ClientPluginHost 0xa93e8:$a1: NanoCore.ClientPluginHost 0xb7022:$a1: NanoCore.ClientPluginHost 0xc723e:$a1: NanoCore.ClientPluginHost 0xd43a7:$a1: NanoCore.ClientPluginHost 0xd9a9a:$a1: NanoCore.ClientPluginHost 0xdfd23:$a1: NanoCore.ClientPluginHost 0xea332:$a1: NanoCore.ClientPluginHost 0xf475d:$a1: NanoCore.ClientPluginHost 0xff73a:$a1: NanoCore.ClientPluginHost
Click to see the 267 entries

Sigma Signatures

AV Detection

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, ProcessId: 4128, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud

Sigma detected: NanoCore

Source: File created

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JLsbuY" /XML "C:\Users\user\AppData\Local\Temp\tmp8832.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JLsbuY" /XML "C:\Users\user\AppData\Local\Temp\tmp8832.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe" , ParentImage: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, ParentProcessId: 3256, ParentProcessName: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JLsbuY" /XML "C:\Users\user\AppData\Local\Temp\tmp8832.tmp, ProcessId: 1592, ProcessName: schtasks.exe

Stealing of Sensitive Information

Sigma detected: NanoCore

Source: File created

Remote Access Functionality

Sigma detected: NanoCore

Source: File created

Snort Signatures

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 37.139.129.71 - Destination IP: 192.168.2.4

Timestamp:	37.139.129.71192.168.2.47712496982841753 10/01/22-12:42:35.121312
SID:	2841753
Source Port:	7712
Destination Port:	49698
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 37.139.129.71

Timestamp:	192.168.2.437.139.129.714969877122025019 10/01/22-12:42:30.424505
SID:	2025019
Source Port:	49698
Destination Port:	7712
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 37.139.129.71

Timestamp:	192.168.2.437.139.129.714969877122816766 10/01/22-12:42:35.951752
SID:	2816766
Source Port:	49698
Destination Port:	7712
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	ReversingLabs: Detection: 34%
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Virustotal: Detection: 30%			Perma Link

Antivirus detection for URL or domain

Source: godisgood1.hopto.org	Avira URL Cloud: Label: malware
Source: 185.225.73.164	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: godisgood1.hopto.org	Virustotal: Detection: 13%			Perma Link
Source: godisgood1.hopto.org	Virustotal: Detection: 13%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Roaming\JLsbuY.exe	ReversingLabs: Detection: 36%

Yara detected Nanocore RAT

Source: Yara match	File source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5284629.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3e9b7de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea4c3d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b3f601.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.36d0a00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b5fe62.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b4b835.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.500556457.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.590108854.0000000005280000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.497822993.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.351210930.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.343643595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.502379246.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.572765724.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.352245428.00000000035EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 3256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 4128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 5000, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 1276, type: MEMORYSTR

Machine Learning detection for sample

Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\JLsbuY.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Joe Sandbox ML: detected

Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.unpack	Avira: Label: TR/NanoCore.fadte
Source: 3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Source: 00000011.00000002.500556457.0000000003E59000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "bcd7727e-ef56-4958-8ed9-949f5c5e", "Group": "Default", "Domain1": "godisgood1.hopto.org", "Domain2": "185.225.73.164", "Port": 7712, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.593436718.0000000006E80000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.593817105.0000000006FE0000.00000004.08000000.00040000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.584965011.0000000003CAE000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.594066194.0000000007010000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.592602875.0000000006540000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.584965011.0000000003CAE000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.593962047.0000000007000000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.593893494.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

Code function: 4x nop then lea esp, dword ptr [ebp-04h]

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49698 -> 37.139.129.71:7712
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49698 -> 37.139.129.71:7712
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 37.139.129.71:7712 -> 192.168.2.4:49698

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: godisgood1.hopto.org
Source: Malware configuration extractor	URLs: 185.225.73.164

Source: Joe Sandbox View

ASN Name: LVLT-10753US LVLT-10753US

Source: Joe Sandbox View

IP Address: 37.139.129.71 37.139.129.71

Source: global traffic

TCP traffic: 192.168.2.4:49698 -> 37.139.129.71:7712

Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303119536.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://en.w
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.584965011.0000000003CAE000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.593962047.0000000007000000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://google.com
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.346550034.00000000024A1000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.572765724.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000006.00000002.453978396.00000000031B5000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000009.00000002.455600928.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 0000000A.00000002.480986509.0000000002974000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.317352691.0000000005522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.agfamonotype.
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.317352691.0000000005522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.agfamonotype.~SBIm
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.312451749.000000000554D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.312292131.000000000551A000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.311980649.0000000005519000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.313059366.0000000005519000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.311387611.0000000005518000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comF
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.311980649.0000000005519000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comFV
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.313059366.0000000005519000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comcom
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.313059366.0000000005519000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comcomFH
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.311980649.0000000005519000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comd
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.311980649.0000000005519000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comdd
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.344604107.0000000005510000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.365697319.000000000551A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comepkoH
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.312292131.000000000551A000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.311980649.0000000005519000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comessed
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.344604107.0000000005510000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.365697319.000000000551A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comiona
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.313059366.0000000005519000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comituF
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.344604107.0000000005510000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.365697319.000000000551A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comm
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303685970.0000000005534000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303762586.000000000552B000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303640331.0000000005532000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303671777.000000000552B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303685970.0000000005534000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.comS
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303685970.0000000005534000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303640331.0000000005532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.comibi
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303762586.000000000552B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.comic
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303629841.000000000552B000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303671777.000000000552B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.comical
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.307239153.0000000005514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.c
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.307654597.000000000551B000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.307572542.0000000005519000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.307239153.0000000005514000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.307170791.000000000554D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn#H4
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.307564401.0000000005514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/om
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.307170791.000000000554D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnT
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.307170791.000000000554D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnoH%
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.307170791.000000000554D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnr-f
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.307170791.000000000554D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnsH
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303377395.000000000552B000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303559071.0000000005533000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303715113.0000000005534000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303685970.0000000005534000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303820040.0000000005533000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303588332.0000000005534000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303452217.0000000005534000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303515704.0000000005534000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303774139.0000000005533000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303418482.0000000005533000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303640331.0000000005532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303377395.000000000552B000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303559071.0000000005533000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303820040.0000000005533000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303774139.0000000005533000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303418482.0000000005533000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303640331.0000000005532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.comn-u
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.306187785.0000000005519000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.krXH.
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.306187785.0000000005519000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.krend
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.304289380.000000000552B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.comc
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.304268623.000000000552B000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.304289380.000000000552B000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.304202190.000000000552B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.comn
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.313059366.0000000005519000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.de
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.313059366.0000000005519000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deJ(
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.313059366.0000000005519000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.derT
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: unknown

DNS traffic detected: queries for: godisgood1.hopto.org

Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.345324035.000000000092B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud

Yara detected Nanocore RAT

Source: Yara match	File source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5284629.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3e9b7de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea4c3d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b3f601.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.36d0a00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b5fe62.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b4b835.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.500556457.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.590108854.0000000005280000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.497822993.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.351210930.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.343643595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.502379246.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.572765724.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.352245428.00000000035EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 3256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 4128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 5000, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 1276, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a6dde4.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a6dde4.5.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a6dde4.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2eb9838.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2eb9838.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2eb9838.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7010000.27.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7010000.27.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7010000.27.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cd0000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cd0000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cd0000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 18.2.dhcpmon.exe.32d9658.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.dhcpmon.exe.32d9658.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 18.2.dhcpmon.exe.32d9658.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d1302e.14.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d1302e.14.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d1302e.14.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d0000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d0000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d0000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6ff0000.25.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6ff0000.25.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6ff0000.25.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a0cc80.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a0cc80.2.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a0cc80.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39ce5cf.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39ce5cf.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39ce5cf.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5284629.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5284629.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5284629.18.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d0a1ff.15.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d0a1ff.15.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d0a1ff.15.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d0a1ff.15.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d2145e.13.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d2145e.13.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d2145e.13.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39c9930.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39c9930.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7010000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39c9930.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7010000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7010000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b4b835.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b4b835.10.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b4b835.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d0a1ff.15.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d0a1ff.15.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d0a1ff.15.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cc0000.19.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cc0000.19.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cc0000.19.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a18f30.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a18f30.1.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a18f30.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5050000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5050000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5050000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a79658.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a79658.3.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a79658.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b3f601.11.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b3f601.11.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b3f601.11.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72a0000.28.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72a0000.28.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72a0000.28.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72c0000.29.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72c0000.29.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72c0000.29.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6fe0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6fe0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6fe0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cc0000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cc0000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cc0000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d0000.30.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d0000.30.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d0000.30.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6e80000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6e80000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6e80000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6540000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6540000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6540000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3e9b7de.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3e9b7de.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3e9b7de.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3e9b7de.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cd0000.20.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cd0000.20.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cd0000.20.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72c0000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72c0000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72c0000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.29fbfc4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.29fbfc4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.29fbfc4.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.29fbfc4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d1302e.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d1302e.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d1302e.14.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72a0000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72a0000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72a0000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea4c3d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea4c3d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea4c3d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6ff0000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6ff0000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6ff0000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6e80000.23.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6e80000.23.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6e80000.23.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d4c9f.32.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d4c9f.32.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d4c9f.32.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d2145e.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d2145e.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d2145e.13.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a18f30.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a18f30.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a18f30.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7310000.33.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7310000.33.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7310000.33.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7310000.33.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7310000.33.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7310000.33.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72de8a4.31.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72de8a4.31.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72de8a4.31.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a0cc80.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a0cc80.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a0cc80.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39c9930.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39c9930.8.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39c9930.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7000000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7000000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7000000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7000000.26.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7000000.26.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7000000.26.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39d81d4.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39d81d4.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39d81d4.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a79658.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a79658.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a79658.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a79658.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a6dde4.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a6dde4.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a6dde4.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a6dde4.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a68378.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a68378.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a68378.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a68378.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b3f601.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b3f601.11.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b3f601.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.36d0a00.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.36d0a00.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.36d0a00.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.36d0a00.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b5fe62.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b5fe62.12.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b5fe62.12.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b4b835.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b4b835.10.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b4b835.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.594571838.00000000072D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.594571838.00000000072D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.594571838.00000000072D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.594469574.00000000072C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.594469574.00000000072C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.594469574.00000000072C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.593893494.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.593893494.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.593893494.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.590737920.0000000005CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.590737920.0000000005CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.590737920.0000000005CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.593817105.0000000006FE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.593817105.0000000006FE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.593817105.0000000006FE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000003.376885871.0000000006301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000011.00000002.500556457.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000002.500556457.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.590108854.0000000005280000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.590108854.0000000005280000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.590108854.0000000005280000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.594220234.00000000072A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.594220234.00000000072A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.594220234.00000000072A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000011.00000002.497822993.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000002.497822993.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.584965011.0000000003CAE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.584965011.0000000003CAE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.590874533.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.590874533.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.590874533.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.593962047.0000000007000000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.593962047.0000000007000000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.593962047.0000000007000000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.594928792.0000000007310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.594928792.0000000007310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.594928792.0000000007310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.594066194.0000000007010000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.594066194.0000000007010000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.594066194.0000000007010000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.351210930.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.351210930.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.351210930.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000000.343643595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000000.343643595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000000.343643595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.593436718.0000000006E80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.593436718.0000000006E80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.593436718.0000000006E80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.592602875.0000000006540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.592602875.0000000006540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.592602875.0000000006540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.589979363.0000000005050000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.589979363.0000000005050000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.589979363.0000000005050000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.580783944.00000000039C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000012.00000002.502379246.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.502379246.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.572765724.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.572765724.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.352245428.00000000035EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.352245428.00000000035EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.352245428.00000000035EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 3256, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 3256, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 3256, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 4128, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 4128, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 4128, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 5000, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 5000, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: dhcpmon.exe PID: 1276, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 1276, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown

.NET source code contains very large strings

Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, MRU.cs	Long String: Length: 129663
Source: JLsbuY.exe.0.dr, MRU.cs	Long String: Length: 129663
Source: 0.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.110000.0.unpack, MRU.cs	Long String: Length: 129663
Source: dhcpmon.exe.3.dr, MRU.cs	Long String: Length: 129663

Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a6dde4.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a6dde4.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a6dde4.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a6dde4.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2eb9838.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2eb9838.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2eb9838.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2eb9838.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7010000.27.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7010000.27.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7010000.27.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7010000.27.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cd0000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cd0000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cd0000.20.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cd0000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 18.2.dhcpmon.exe.32d9658.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.2.dhcpmon.exe.32d9658.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.2.dhcpmon.exe.32d9658.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 18.2.dhcpmon.exe.32d9658.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d1302e.14.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d1302e.14.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d1302e.14.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d1302e.14.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d0000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d0000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d0000.30.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d0000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6ff0000.25.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6ff0000.25.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6ff0000.25.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6ff0000.25.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a0cc80.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a0cc80.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a0cc80.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a0cc80.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39ce5cf.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39ce5cf.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39ce5cf.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39ce5cf.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5284629.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5284629.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5284629.18.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5284629.18.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d0a1ff.15.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d0a1ff.15.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d0a1ff.15.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d0a1ff.15.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d0a1ff.15.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d2145e.13.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d2145e.13.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d2145e.13.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d2145e.13.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39c9930.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39c9930.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39c9930.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7010000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7010000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39c9930.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7010000.27.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7010000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b4b835.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b4b835.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b4b835.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b4b835.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d0a1ff.15.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d0a1ff.15.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d0a1ff.15.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d0a1ff.15.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cc0000.19.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cc0000.19.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cc0000.19.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cc0000.19.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a18f30.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a18f30.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a18f30.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a18f30.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5050000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5050000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5050000.16.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5050000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a79658.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a79658.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a79658.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a79658.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b3f601.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b3f601.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b3f601.11.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b3f601.11.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72a0000.28.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72a0000.28.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72a0000.28.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72a0000.28.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72c0000.29.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72c0000.29.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72c0000.29.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72c0000.29.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6fe0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6fe0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6fe0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6fe0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cc0000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cc0000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cc0000.19.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cc0000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d0000.30.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d0000.30.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d0000.30.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d0000.30.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6e80000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6e80000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6e80000.23.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6e80000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6540000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6540000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6540000.22.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6540000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3e9b7de.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3e9b7de.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3e9b7de.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3e9b7de.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3e9b7de.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cd0000.20.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cd0000.20.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cd0000.20.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5cd0000.20.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72c0000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72c0000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72c0000.29.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72c0000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.29fbfc4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.29fbfc4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.29fbfc4.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.29fbfc4.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.29fbfc4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d1302e.14.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d1302e.14.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d1302e.14.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d1302e.14.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72a0000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72a0000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72a0000.28.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72a0000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea4c3d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea4c3d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea4c3d.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea4c3d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6ff0000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6ff0000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6ff0000.25.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6ff0000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6e80000.23.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6e80000.23.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6e80000.23.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.6e80000.23.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d4c9f.32.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d4c9f.32.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d4c9f.32.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72d4c9f.32.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d2145e.13.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d2145e.13.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d2145e.13.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3d2145e.13.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a18f30.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a18f30.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a18f30.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a18f30.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7310000.33.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7310000.33.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7310000.33.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7310000.33.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7310000.33.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7310000.33.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7310000.33.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7310000.33.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72de8a4.31.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72de8a4.31.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72de8a4.31.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.72de8a4.31.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a0cc80.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a0cc80.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a0cc80.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a0cc80.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39c9930.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39c9930.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39c9930.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39c9930.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7000000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7000000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7000000.26.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7000000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7000000.26.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7000000.26.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7000000.26.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.7000000.26.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39d81d4.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39d81d4.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39d81d4.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.39d81d4.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a79658.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a79658.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a79658.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a79658.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a79658.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a6dde4.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a6dde4.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a6dde4.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a6dde4.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a6dde4.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a68378.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a68378.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a68378.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a68378.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.2a68378.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b3f601.11.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b3f601.11.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b3f601.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.36d0a00.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.36d0a00.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.36d0a00.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.36d0a00.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b5fe62.12.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b5fe62.12.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b5fe62.12.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b4b835.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b4b835.10.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b4b835.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.594571838.00000000072D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.594571838.00000000072D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.594571838.00000000072D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.594571838.00000000072D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.594469574.00000000072C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.594469574.00000000072C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.594469574.00000000072C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.594469574.00000000072C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.593893494.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.593893494.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.593893494.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.593893494.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.590737920.0000000005CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.590737920.0000000005CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.590737920.0000000005CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.590737920.0000000005CC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.593817105.0000000006FE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.593817105.0000000006FE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.593817105.0000000006FE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.593817105.0000000006FE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000003.376885871.0000000006301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000011.00000002.500556457.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000011.00000002.500556457.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.590108854.0000000005280000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.590108854.0000000005280000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.590108854.0000000005280000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.590108854.0000000005280000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.594220234.00000000072A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.594220234.00000000072A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.594220234.00000000072A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.594220234.00000000072A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000011.00000002.497822993.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000011.00000002.497822993.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.584965011.0000000003CAE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.584965011.0000000003CAE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.590874533.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.590874533.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.590874533.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.590874533.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.593962047.0000000007000000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.593962047.0000000007000000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.593962047.0000000007000000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.593962047.0000000007000000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.594928792.0000000007310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.594928792.0000000007310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.594928792.0000000007310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.594928792.0000000007310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.594066194.0000000007010000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.594066194.0000000007010000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.594066194.0000000007010000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.594066194.0000000007010000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.351210930.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.351210930.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.351210930.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000000.343643595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000000.343643595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000000.343643595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.593436718.0000000006E80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.593436718.0000000006E80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.593436718.0000000006E80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.593436718.0000000006E80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.592602875.0000000006540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.592602875.0000000006540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.592602875.0000000006540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.592602875.0000000006540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.589979363.0000000005050000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.589979363.0000000005050000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.589979363.0000000005050000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.589979363.0000000005050000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.580783944.00000000039C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000012.00000002.502379246.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000012.00000002.502379246.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.572765724.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.572765724.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.352245428.00000000035EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.352245428.00000000035EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.352245428.00000000035EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 3256, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 3256, type: MEMORYSTR	Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, score = file, reference = Internal Research
Source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 3256, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 3256, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 4128, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 4128, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 4128, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 3260, type: MEMORYSTR	Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, score = file, reference = Internal Research
Source: Process Memory Space: dhcpmon.exe PID: 1680, type: MEMORYSTR	Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, score = file, reference = Internal Research
Source: Process Memory Space: dhcpmon.exe PID: 2068, type: MEMORYSTR	Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, score = file, reference = Internal Research
Source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 5000, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 5000, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: dhcpmon.exe PID: 1276, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 1276, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Code function: 0_2_0248E710
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Code function: 0_2_0248E720
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Code function: 0_2_0248C414
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Code function: 0_2_06CEE6B0
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Code function: 3_2_04E0E480
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Code function: 3_2_04E0E471
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Code function: 3_2_04E0BBD4
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Code function: 3_2_04F5F5F8
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Code function: 3_2_04F59788
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Code function: 3_2_04F5A610
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Code function: 3_2_06579238
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Code function: 3_2_06570040
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Code function: 3_2_06577F78
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Code function: 3_2_06578CB0
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Code function: 3_2_065792F6

Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	ReversingLabs: Detection: 34%
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Virustotal: Detection: 30%

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

File read: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

Jump to behavior

Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe "C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe"
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JLsbuY" /XML "C:\Users\user\AppData\Local\Temp\tmp8832.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process created: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe {path}
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp690.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe "C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe" 0
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpA4B.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JLsbuY" /XML "C:\Users\user\AppData\Local\Temp\tmp2889.tmp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JLsbuY" /XML "C:\Users\user\AppData\Local\Temp\tmp2B48.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process created: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe {path}
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JLsbuY" /XML "C:\Users\user\AppData\Local\Temp\tmp63CD.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JLsbuY" /XML "C:\Users\user\AppData\Local\Temp\tmp8832.tmp
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process created: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe {path}
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp690.tmp
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpA4B.tmp
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JLsbuY" /XML "C:\Users\user\AppData\Local\Temp\tmp2889.tmp
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process created: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe {path}
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JLsbuY" /XML "C:\Users\user\AppData\Local\Temp\tmp2B48.tmp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JLsbuY" /XML "C:\Users\user\AppData\Local\Temp\tmp63CD.tmp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

File created: C:\Users\user\AppData\Roaming\JLsbuY.exe

Jump to behavior

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

File created: C:\Users\user\AppData\Local\Temp\tmp8832.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@30/15@3/1

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2220:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5000:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2188:120:WilError_01
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{bcd7727e-ef56-4958-8ed9-949f5c5ea8f6}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4616:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6052:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4748:120:WilError_01

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: 3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

Static file information: File size 1189376 > 1048576

Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x121000

Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.593436718.0000000006E80000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.593817105.0000000006FE0000.00000004.08000000.00040000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.584965011.0000000003CAE000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.594066194.0000000007010000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.592602875.0000000006540000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.584965011.0000000003CAE000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.593962047.0000000007000000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.593893494.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Code function: 0_2_04AD8DEC push E801005Eh; retf
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Code function: 0_2_04ADB200 pushfd ; retf
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Code function: 0_2_04AD1FE7 push eax; mov dword ptr [esp], ecx
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Code function: 0_2_04AD1FF8 push eax; mov dword ptr [esp], ecx
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Code function: 3_2_04F569F8 pushad ; retf
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Code function: 3_2_04F569FA push esp; retf
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Code function: 3_2_0657A3F0 push ds; iretd
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Code function: 3_2_0657BE00 push es; retf

Source: initial sample	Static PE information: section name: .text entropy: 6.951369793482402
Source: initial sample	Static PE information: section name: .text entropy: 6.951369793482402
Source: initial sample	Static PE information: section name: .text entropy: 6.951369793482402

Source: 3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	File created: \application form master sdpo brilinskiy new u.exe
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	File created: \application form master sdpo brilinskiy new u.exe
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	File created: \application form master sdpo brilinskiy new u.exe
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	File created: \application form master sdpo brilinskiy new u.exe
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	File created: \application form master sdpo brilinskiy new u.exe
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	File created: \application form master sdpo brilinskiy new u.exe
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	File created: \application form master sdpo brilinskiy new u.exe
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	File created: \application form master sdpo brilinskiy new u.exe
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	File created: \application form master sdpo brilinskiy new u.exe
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	File created: \application form master sdpo brilinskiy new u.exe
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	File created: \application form master sdpo brilinskiy new u.exe
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	File created: \application form master sdpo brilinskiy new u.exe

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	File created: C:\Users\user\AppData\Roaming\JLsbuY.exe			Jump to dropped file
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JLsbuY" /XML "C:\Users\user\AppData\Local\Temp\tmp8832.tmp

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

File opened: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe:Zone.Identifier read attributes | delete

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 3256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 3260, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 1680, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 2068, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.346550034.00000000024A1000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000006.00000002.453978396.00000000031B5000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000009.00000002.455600928.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.346550034.00000000024A1000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000006.00000002.453978396.00000000031B5000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000009.00000002.455600928.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe TID: 3996	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe TID: 6048	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe TID: 972	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5276	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1968	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe TID: 6052	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5348	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5336	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Window / User API: threadDelayed 9216
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Window / User API: foregroundWindowGot 440
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Window / User API: foregroundWindowGot 384

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000006.00000002.468982131.0000000007333000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
Source: dhcpmon.exe, 00000009.00000002.455600928.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: dhcpmon.exe, 00000009.00000002.455600928.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: dhcpmon.exe, 00000009.00000002.455600928.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dhcpmon.exe, 00000009.00000002.455600928.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: dhcpmon.exe, 00000009.00000002.455600928.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: dhcpmon.exe, 00000009.00000002.455600928.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dhcpmon.exe, 00000009.00000002.445842687.00000000012CB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:m
Source: dhcpmon.exe, 00000009.00000002.455600928.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: dhcpmon.exe, 00000009.00000002.455600928.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: dhcpmon.exe, 00000009.00000002.455600928.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

Code function: 3_2_065739C0 LdrInitializeThunk,

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Memory written: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Memory written: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe base: 400000 value starts with: 4D5A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JLsbuY" /XML "C:\Users\user\AppData\Local\Temp\tmp8832.tmp
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process created: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe {path}
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp690.tmp
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpA4B.tmp
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JLsbuY" /XML "C:\Users\user\AppData\Local\Temp\tmp2889.tmp
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Process created: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe {path}
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JLsbuY" /XML "C:\Users\user\AppData\Local\Temp\tmp2B48.tmp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JLsbuY" /XML "C:\Users\user\AppData\Local\Temp\tmp63CD.tmp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}

Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.578822012.0000000002D20000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.580163177.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerD$
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.595087597.000000000768E000.00000004.00000010.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.592546991.000000000653D000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Managerram Manager
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.595175494.000000000798E000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Manager0
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.593174195.0000000006A7E000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Manager X

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Yara detected Nanocore RAT

Source: Yara match	File source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5284629.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3e9b7de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea4c3d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b3f601.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.36d0a00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b5fe62.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b4b835.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.500556457.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.590108854.0000000005280000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.497822993.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.351210930.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.343643595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.502379246.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.572765724.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.352245428.00000000035EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 3256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 4128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 5000, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 1276, type: MEMORYSTR

Remote Access Functionality

Detected Nanocore Rat

Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.351210930.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.352245428.00000000035EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.594571838.00000000072D0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.594469574.00000000072C0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.593893494.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.593893494.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.590737920.0000000005CC0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.593817105.0000000006FE0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.593817105.0000000006FE0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000003.376885871.0000000006301000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.594220234.00000000072A0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.584965011.0000000003CAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.584965011.0000000003CAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.590874533.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.593962047.0000000007000000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.594928792.0000000007310000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.594066194.0000000007010000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.594066194.0000000007010000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000000.343643595.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.592602875.0000000006540000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.592602875.0000000006540000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.593436718.0000000006E80000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.572765724.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.572765724.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.580783944.00000000039C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000011.00000002.500556457.0000000003E59000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000011.00000002.500556457.0000000003E59000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000011.00000002.497822993.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000011.00000002.497822993.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 00000012.00000002.502379246.0000000003271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000012.00000002.502379246.0000000003271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Source: Yara match	File source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3561550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5284629.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3e9b7de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea4c3d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3ea0614.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b3f601.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.36d0a00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b5fe62.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.3b4b835.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.500556457.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.590108854.0000000005280000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.497822993.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.351210930.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.343643595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.502379246.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.572765724.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.352245428.00000000035EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 3256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 4128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe PID: 5000, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 1276, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	112 Process Injection	2 Masquerading	21 Input Capture	21 Security Software Discovery	Remote Services	21 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Remote Access Software	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	112 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	11 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Hidden Files and Directories	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	12 Software Packing	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	34%	ReversingLabs	ByteCode-MSIL.Trojan.Woreflint
APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	31%	Virustotal		Browse
APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\JLsbuY.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	37%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Roaming\JLsbuY.exe	37%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
3.2.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.5280000.17.unpack	100%	Avira	TR/NanoCore.fadte		Download File
3.0.APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7		Download File

Domains

Source	Detection	Scanner	Label	Link
godisgood1.hopto.org	14%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.sajatypeworks.comn-u	0%	URL Reputation	safe
http://www.founder.com.cn/cnT	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.fontbureau.comessed	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.fontbureau.comiona	0%	URL Reputation	safe
http://www.fontbureau.comiona	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.fonts.comic	0%	URL Reputation	safe
http://www.fontbureau.comcom	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.founder.com.cn/cnr-f	0%	URL Reputation	safe
http://www.fontbureau.comF	0%	URL Reputation	safe
http://www.agfamonotype.	0%	URL Reputation	safe
http://www.founder.com.c	0%	URL Reputation	safe
http://www.tiro.comn	0%	URL Reputation	safe
http://www.fontbureau.comd	0%	URL Reputation	safe
http://en.w	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.fontbureau.comituF	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.comm	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.tiro.comc	0%	URL Reputation	safe
godisgood1.hopto.org	14%	Virustotal		Browse
http://www.fontbureau.comFV	0%	Avira URL Cloud	safe
http://www.fonts.comibi	0%	Avira URL Cloud	safe
http://www.fontbureau.comepkoH	0%	Avira URL Cloud	safe
godisgood1.hopto.org	100%	Avira URL Cloud	malware
http://www.founder.com.cn/cnsH	0%	Avira URL Cloud	safe
http://www.agfamonotype.~SBIm	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn#H4	0%	Avira URL Cloud	safe
http://www.fontbureau.comcomFH	0%	Avira URL Cloud	safe
http://www.fontbureau.comdd	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/om	0%	Avira URL Cloud	safe
http://www.fonts.comS	0%	Avira URL Cloud	safe
185.225.73.164	100%	Avira URL Cloud	malware
http://www.urwpp.derT	0%	Avira URL Cloud	safe
http://www.urwpp.deJ(	0%	Avira URL Cloud	safe
http://www.fonts.comical	0%	Avira URL Cloud	safe
http://www.sandoll.co.krXH.	0%	Avira URL Cloud	safe
http://www.sandoll.co.krend	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cnoH%	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
godisgood1.hopto.org	37.139.129.71	true	true	14%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
godisgood1.hopto.org	true	14%, Virustotal, Browse Avira URL Cloud: malware	unknown
185.225.73.164	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comFV	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.311980649.0000000005519000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/?	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cnsH	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.307170791.000000000554D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.comn-u	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303377395.000000000552B000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303559071.0000000005533000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303820040.0000000005533000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303774139.0000000005533000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303418482.0000000005533000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303640331.0000000005532000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cnT	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.307170791.000000000554D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.com	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comessed	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.312292131.000000000551A000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.311980649.0000000005519000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.goodfont.co.kr	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://google.com	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.584965011.0000000003CAE000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.593962047.0000000007000000.00000004.08000000.00040000.00000000.sdmp	false		high
http://www.fontbureau.comepkoH	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.344604107.0000000005510000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.365697319.000000000551A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comiona	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.344604107.0000000005510000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.365697319.000000000551A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303377395.000000000552B000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303559071.0000000005533000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303715113.0000000005534000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303685970.0000000005534000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303820040.0000000005533000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303588332.0000000005534000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303452217.0000000005534000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303515704.0000000005534000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303774139.0000000005533000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303418482.0000000005533000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303640331.0000000005532000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.fonts.comic	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303762586.000000000552B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.comibi	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303685970.0000000005534000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303640331.0000000005532000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comcom	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.313059366.0000000005519000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.agfamonotype.~SBIm	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.317352691.0000000005522000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.fonts.com	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303685970.0000000005534000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303762586.000000000552B000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303640331.0000000005532000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303671777.000000000552B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.de	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.313059366.0000000005519000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.346550034.00000000024A1000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.572765724.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000006.00000002.453978396.00000000031B5000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000009.00000002.455600928.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 0000000A.00000002.480986509.0000000002974000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn#H4	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.307170791.000000000554D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/om	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.307564401.0000000005514000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cnr-f	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.307170791.000000000554D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comF	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.312292131.000000000551A000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.311980649.0000000005519000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.313059366.0000000005519000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.311387611.0000000005518000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.agfamonotype.	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.317352691.0000000005522000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.c	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.307239153.0000000005514000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.comn	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.304268623.000000000552B000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.304289380.000000000552B000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.304202190.000000000552B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comdd	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.311980649.0000000005519000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comcomFH	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.313059366.0000000005519000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.comS	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303685970.0000000005534000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comd	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.311980649.0000000005519000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://en.w	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303119536.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.derT	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.313059366.0000000005519000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comituF	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.313059366.0000000005519000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.307654597.000000000551B000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.307572542.0000000005519000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.307239153.0000000005514000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deJ(	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.313059366.0000000005519000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.com/designers/frere-user.html	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.comical	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303629841.000000000552B000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.303671777.000000000552B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/cabarga.html	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.312451749.000000000554D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.krXH.	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.306187785.0000000005519000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comm	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.344604107.0000000005510000.00000004.00000800.00020000.00000000.sdmp, APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.365697319.000000000551A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.367334351.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.krend	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.306187785.0000000005519000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.comc	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.304289380.000000000552B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cnoH%	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000003.307170791.000000000554D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
37.139.129.71	godisgood1.hopto.org	Germany		10753	LVLT-10753US	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	714049
Start date and time:	2022-10-01 12:41:07 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 54s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@30/15@3/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
TCP Packets have been reduced to 100
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:42:11	API Interceptor	724x Sleep call for process: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe modified
12:42:23	Task Scheduler	Run new task: DHCP Monitor path: "C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe" s>$(Arg0)
12:42:24	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
12:42:26	Task Scheduler	Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
12:42:54	API Interceptor	2x Sleep call for process: dhcpmon.exe modified

Process:	C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1189376
Entropy (8bit):	6.94809823392214
Encrypted:	false
SSDEEP:	24576:LrArSrrSV1DCOzMFd1bFfxR6ImZlNRU3jrx:OV/+9fxAXU
MD5:	C5CA6BF1A4D668ABAE8A1BD58DA7FA89
SHA1:	1FB0C57D1EA566B703BE21A5DD2334166F5A918E
SHA-256:	F360431BC55CE6BBBD77F26A9BCB86B6267C3B82220D06EE4C67B44BE2273735
SHA-512:	18401E658D3D97A845D8ED05A750EB702337D9C4E1D25CCEDC5A6024BEB09CC333668C6F16A60E11523E79908DCD5D7D439A396724B9D5329D44648F6996FDC7
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 37%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....7c..............P............../... ...@....@.. ....................................@.....................................O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`.......$..............@..B........................H........Q..dq......B........k............................................(....&..(......s ........s!........s"........s#........s$...........0...........~....o%....+...0...........~....o&....+...0...........~....o'....+...0...........~....o(....+...0...........~....o)....+...0..<........~.....(.....,!r...p.....(+...o,...s-............~.....+...0...........~.....+.."........0..&........(....r#..p~....o....(/.....t$....+..*...0..&........(....r5..p~....o....(/.....

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.log

Download File

Process:	C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5:	69206D3AF7D6EFD08F4B4726998856D3
SHA1:	E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256:	A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512:	CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log

Download File

Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5:	69206D3AF7D6EFD08F4B4726998856D3
SHA1:	E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256:	A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512:	CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Temp\tmp2889.tmp

Download File

Process:	C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1639
Entropy (8bit):	5.179579532436944
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGc6Ptn:cbhK79lNQR/rydbz9I3YODOLNdq3ho
MD5:	434B39DEA1D167EF66A3D88C5E1B052F
SHA1:	3850962A4E0064FC0568C51DFA5B7EA3A7859DDC
SHA-256:	8263E5BEE3F8FC17EF42C4A860499EA8F05D83C17FE7F6099846085B49D85279
SHA-512:	17429C9AAE656E636CD928FA5D4E5672C12458C740A292852E5D3F18AE4817ECFB85F9BA96376ED97455570EA22A0D2E02A846311D7E1D55D24E60A0D30F157B
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Local\Temp\tmp2B48.tmp

Download File

Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1639
Entropy (8bit):	5.179579532436944
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGc6Ptn:cbhK79lNQR/rydbz9I3YODOLNdq3ho
MD5:	434B39DEA1D167EF66A3D88C5E1B052F
SHA1:	3850962A4E0064FC0568C51DFA5B7EA3A7859DDC
SHA-256:	8263E5BEE3F8FC17EF42C4A860499EA8F05D83C17FE7F6099846085B49D85279
SHA-512:	17429C9AAE656E636CD928FA5D4E5672C12458C740A292852E5D3F18AE4817ECFB85F9BA96376ED97455570EA22A0D2E02A846311D7E1D55D24E60A0D30F157B
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Local\Temp\tmp63CD.tmp

Download File

Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1639
Entropy (8bit):	5.179579532436944
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGc6Ptn:cbhK79lNQR/rydbz9I3YODOLNdq3ho
MD5:	434B39DEA1D167EF66A3D88C5E1B052F
SHA1:	3850962A4E0064FC0568C51DFA5B7EA3A7859DDC
SHA-256:	8263E5BEE3F8FC17EF42C4A860499EA8F05D83C17FE7F6099846085B49D85279
SHA-512:	17429C9AAE656E636CD928FA5D4E5672C12458C740A292852E5D3F18AE4817ECFB85F9BA96376ED97455570EA22A0D2E02A846311D7E1D55D24E60A0D30F157B
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Local\Temp\tmp690.tmp

Download File

Process:	C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1335
Entropy (8bit):	5.131538419856332
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0Y8dxtn:cbk4oL600QydbQxIYODOLedq3odj
MD5:	B9DEE575F2B0ACDC2037D92C74DC29BB
SHA1:	037CA9A5B3612ADEB251AE4D780CD0D0C5053DCB
SHA-256:	8036080B940A7BD8C425649914CCBBA4A4DCF3AABA3023DFAD249BD89F36F4F7
SHA-512:	3970ADE224745201DC6C3FB65E57083B136C53088B212FF1F801388876BB7A3B744B777A1138673BC294614244BA564F39499C865F437221293085BBA334C4C4
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmp8832.tmp

Download File

Process:	C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1639
Entropy (8bit):	5.179579532436944
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGc6Ptn:cbhK79lNQR/rydbz9I3YODOLNdq3ho
MD5:	434B39DEA1D167EF66A3D88C5E1B052F
SHA1:	3850962A4E0064FC0568C51DFA5B7EA3A7859DDC
SHA-256:	8263E5BEE3F8FC17EF42C4A860499EA8F05D83C17FE7F6099846085B49D85279
SHA-512:	17429C9AAE656E636CD928FA5D4E5672C12458C740A292852E5D3F18AE4817ECFB85F9BA96376ED97455570EA22A0D2E02A846311D7E1D55D24E60A0D30F157B
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Local\Temp\tmpA4B.tmp

Download File

Process:	C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.109425792877704
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
MD5:	5C2F41CFC6F988C859DA7D727AC2B62A
SHA1:	68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA-256:	98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
SHA-512:	B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat

Download File

Process:	C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
File Type:	data
Category:	dropped
Size (bytes):	232
Entropy (8bit):	7.089541637477408
Encrypted:	false
SSDEEP:	3:XrURGizD7cnRNGbgCFKRNX/pBK0jCV83ne+VdWPiKgmR7kkmefoeLBizbCuVkqYM:X4LDAnybgCFcps0OafmCYDlizZr/i/Oh
MD5:	9E7D0351E4DF94A9B0BADCEB6A9DB963
SHA1:	76C6A69B1C31CEA2014D1FD1E222A3DD1E433005
SHA-256:	AAFC7B40C5FE680A2BB549C3B90AABAAC63163F74FFFC0B00277C6BBFF88B757
SHA-512:	93CCF7E046A3C403ECF8BC4F1A8850BA0180FE18926C98B297C5214EB77BC212C8FBCC58412D0307840CF2715B63BE68BACDA95AA98E82835C5C53F17EF38511
Malicious:	false
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Download File

Process:	C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:DCg:z
MD5:	5A6FF3DF7B2CB03AA295AE6A3C2728C6
SHA1:	656CE7D1794A14D6E749316CBD0BD00AA2DF9D8F
SHA-256:	08F3C75923C4CC4BD40D01FB1D98198307914B0841B9CBD4008F21E4BE5323A2
SHA-512:	D55DF6007CDE0465EB462FDE244FC7707D640179C42499CC20737402E2EE19D50CC12C875531977894F403478024E15EE086FA9ECBC5A827E9378BCC43C873EA
Malicious:	true
Preview:	.;g....H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat

Download File

Process:	C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
File Type:	data
Category:	modified
Size (bytes):	327768
Entropy (8bit):	7.999367066417797
Encrypted:	true
SSDEEP:	6144:oX44S90aTiB66x3PlZmqze1d1wI8lkWmtjJ/3Exi:LkjbU7LjGxi
MD5:	2E52F446105FBF828E63CF808B721F9C
SHA1:	5330E54F238F46DC04C1AC62B051DB4FCD7416FB
SHA-256:	2F7479AA2661BD259747BC89106031C11B3A3F79F12190E7F19F5DF65B7C15C8
SHA-512:	C08BA0E3315E2314ECBEF38722DF834C2CB8412446A9A310F41A8F83B4AC5984FCC1B26A1D8B0D58A730FDBDD885714854BDFD04DCDF7F582FC125F552D5C3CA
Malicious:	false
Preview:	pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...\|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.).....{B.[...y%...i.Q.<..xt.X..H.. ..HF7g...I.3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.\|i4...i...;O...n.?.,. ....v?.5}.OY@.dG\|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...\|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`\|.B....3.....I..o...u1..8i=.z.W..7

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat

Download File

Process:	C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.867861029749889
Encrypted:	false
SSDEEP:	3:oNt+WfWk1Q9PFB8j+nXIMLWA2LN:oNwvk1QRsj+nXxix
MD5:	2D2969AF6342D4C42632BBEA0FAAB3C1
SHA1:	533268FF8603A9705BDB38DB60CB2D795E754A30
SHA-256:	B2ACA0EE9C8564A59BF6F15F82FDD183486916F18F1E333243E285A8E9957F47
SHA-512:	4C0B9ED26CBD070D9542F258957F4436F0CEECD032D3A8582708B97DF53AB536AD664195C1AAA5D24EDD983ABFA135AD90C0535C99EDFC174274F5569CFDDDE5
Malicious:	false
Preview:	C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

C:\Users\user\AppData\Roaming\JLsbuY.exe

Download File

Process:	C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1189376
Entropy (8bit):	6.94809823392214
Encrypted:	false
SSDEEP:	24576:LrArSrrSV1DCOzMFd1bFfxR6ImZlNRU3jrx:OV/+9fxAXU
MD5:	C5CA6BF1A4D668ABAE8A1BD58DA7FA89
SHA1:	1FB0C57D1EA566B703BE21A5DD2334166F5A918E
SHA-256:	F360431BC55CE6BBBD77F26A9BCB86B6267C3B82220D06EE4C67B44BE2273735
SHA-512:	18401E658D3D97A845D8ED05A750EB702337D9C4E1D25CCEDC5A6024BEB09CC333668C6F16A60E11523E79908DCD5D7D439A396724B9D5329D44648F6996FDC7
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 37%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....7c..............P............../... ...@....@.. ....................................@.....................................O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`.......$..............@..B........................H........Q..dq......B........k............................................(....&..(......s ........s!........s"........s#........s$...........0...........~....o%....+...0...........~....o&....+...0...........~....o'....+...0...........~....o(....+...0...........~....o)....+...0..<........~.....(.....,!r...p.....(+...o,...s-............~.....+...0...........~.....+.."........0..&........(....r#..p~....o....(/.....t$....+..*...0..&........(....r5..p~....o....(/.....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.94809823392214
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
File size:	1189376
MD5:	c5ca6bf1a4d668abae8a1bd58da7fa89
SHA1:	1fb0c57d1ea566b703be21a5dd2334166f5a918e
SHA256:	f360431bc55ce6bbbd77f26a9bcb86b6267c3b82220d06ee4c67b44be2273735
SHA512:	18401e658d3d97a845d8ed05a750eb702337d9c4e1d25ccedc5a6024beb09cc333668c6f16a60e11523e79908dcd5d7d439a396724b9d5329d44648f6996fdc7
SSDEEP:	24576:LrArSrrSV1DCOzMFd1bFfxR6ImZlNRU3jrx:OV/+9fxAXU
TLSH:	AA453A1425DA4B1EF07E8BF91BD4A4E54BFAE622A329E5FA3DE043850722F01CDC1576
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....7c..............P............../... ...@....@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x522f16
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6337A6B5 [Sat Oct 1 02:32:21 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x122ec4	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x124000	0x11c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x126000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x120f1c	0x121000	False	0.6100981293252595	data	6.951369793482402	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x124000	0x11c8	0x1200	False	0.3919270833333333	data	5.051703971077691	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x126000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x124090	0x30c	data
RT_MANIFEST	0x1243ac	0xe15	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF, LF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
37.139.129.71192.168.2.47712496982841753 10/01/22-12:42:35.121312	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	7712	49698	37.139.129.71	192.168.2.4
192.168.2.437.139.129.714969877122025019 10/01/22-12:42:30.424505	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49698	7712	192.168.2.4	37.139.129.71
192.168.2.437.139.129.714969877122816766 10/01/22-12:42:35.951752	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49698	7712	192.168.2.4	37.139.129.71

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2022 12:42:30.048540115 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:30.076286077 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:30.076489925 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:30.424504995 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:30.472449064 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:30.546344995 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:30.588115931 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:30.755649090 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:30.817027092 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:30.916877985 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:30.944308996 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:30.950195074 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:30.950231075 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:30.950248957 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:30.950268984 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:30.950289011 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:30.950340033 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:30.979064941 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:30.979098082 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:30.979115009 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:30.979135990 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:30.979155064 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:30.979173899 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:30.979190111 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:30.979191065 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:30.979211092 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:30.979238033 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:30.979262114 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.006762028 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.006822109 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.006844997 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.006867886 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.006910086 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.006932974 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.006952047 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.006956100 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.006979942 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.007011890 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.007013083 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.007030964 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.007036924 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.007062912 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.007081032 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.007086992 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.007117033 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.007127047 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.007141113 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.007163048 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.007180929 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.034719944 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.034754038 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.034774065 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.034780979 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.034794092 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.034815073 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.034821987 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.034836054 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.034854889 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.034854889 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.034888029 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.034893036 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.034914017 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.034933090 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.034945011 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.034950972 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.034970045 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.034981012 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.034990072 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.035008907 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.035027027 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.035031080 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.035058022 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.035059929 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.035080910 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.035098076 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.035113096 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.035115957 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.035135984 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.035150051 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.035155058 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.035173893 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.035188913 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.035192966 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.035211086 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.035223007 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.035229921 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.035248995 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.035268068 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.035273075 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.035300016 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.063040972 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.063081980 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.063107967 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.063133001 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.063141108 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.063160896 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.063178062 CEST	49698	7712	192.168.2.4	37.139.129.71
Oct 1, 2022 12:42:31.063193083 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.063220024 CEST	7712	49698	37.139.129.71	192.168.2.4
Oct 1, 2022 12:42:31.063230038 CEST	49698	7712	192.168.2.4	37.139.129.71

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2022 12:42:30.000255108 CEST	56572	53	192.168.2.4	8.8.8.8
Oct 1, 2022 12:42:30.021872997 CEST	53	56572	8.8.8.8	192.168.2.4
Oct 1, 2022 12:42:43.918507099 CEST	50911	53	192.168.2.4	8.8.8.8
Oct 1, 2022 12:42:43.938385010 CEST	53	50911	8.8.8.8	192.168.2.4
Oct 1, 2022 12:42:47.465024948 CEST	59683	53	192.168.2.4	8.8.8.8
Oct 1, 2022 12:42:47.486771107 CEST	53	59683	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 1, 2022 12:42:30.000255108 CEST	192.168.2.4	8.8.8.8	0xa928	Standard query (0)	godisgood1.hopto.org	A (IP address)	IN (0x0001)	false
Oct 1, 2022 12:42:43.918507099 CEST	192.168.2.4	8.8.8.8	0xa723	Standard query (0)	godisgood1.hopto.org	A (IP address)	IN (0x0001)	false
Oct 1, 2022 12:42:47.465024948 CEST	192.168.2.4	8.8.8.8	0x2be2	Standard query (0)	godisgood1.hopto.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 1, 2022 12:42:30.021872997 CEST	8.8.8.8	192.168.2.4	0xa928	No error (0)	godisgood1.hopto.org	37.139.129.71	A (IP address)	IN (0x0001)	false
Oct 1, 2022 12:42:43.938385010 CEST	8.8.8.8	192.168.2.4	0xa723	No error (0)	godisgood1.hopto.org	37.139.129.71	A (IP address)	IN (0x0001)	false
Oct 1, 2022 12:42:47.486771107 CEST	8.8.8.8	192.168.2.4	0x2be2	No error (0)	godisgood1.hopto.org	37.139.129.71	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	12:41:58
Start date:	01/10/2022
Path:	C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe"
Imagebase:	0x110000
File size:	1189376 bytes
MD5 hash:	C5CA6BF1A4D668ABAE8A1BD58DA7FA89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.351210930.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.351210930.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.351210930.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.351210930.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.352245428.00000000035EE000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.352245428.00000000035EE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.352245428.00000000035EE000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.352245428.00000000035EE000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Analysis Process: schtasks.exePID: 1592, Parent PID: 3256

General

Target ID:	1
Start time:	12:42:18
Start date:	01/10/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JLsbuY" /XML "C:\Users\user\AppData\Local\Temp\tmp8832.tmp
Imagebase:	0x10a0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 2188, Parent PID: 1592

General

Target ID:	2
Start time:	12:42:18
Start date:	01/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exePID: 4128, Parent PID: 3256

General

Target ID:	3
Start time:	12:42:19
Start date:	01/10/2022
Path:	C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0x530000
File size:	1189376 bytes
MD5 hash:	C5CA6BF1A4D668ABAE8A1BD58DA7FA89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.594571838.00000000072D0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.594571838.00000000072D0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.594571838.00000000072D0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.594571838.00000000072D0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.594469574.00000000072C0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.594469574.00000000072C0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.594469574.00000000072C0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.594469574.00000000072C0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.593893494.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.593893494.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.593893494.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.593893494.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.590737920.0000000005CC0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.590737920.0000000005CC0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.590737920.0000000005CC0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.590737920.0000000005CC0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.593817105.0000000006FE0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.593817105.0000000006FE0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.593817105.0000000006FE0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.593817105.0000000006FE0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000003.376885871.0000000006301000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.590108854.0000000005280000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.590108854.0000000005280000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.590108854.0000000005280000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.590108854.0000000005280000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.590108854.0000000005280000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.594220234.00000000072A0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.594220234.00000000072A0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.594220234.00000000072A0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.594220234.00000000072A0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 00000003.00000002.584965011.0000000003CAE000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.584965011.0000000003CAE000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.590874533.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.590874533.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.590874533.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.590874533.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.593962047.0000000007000000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.593962047.0000000007000000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.593962047.0000000007000000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.593962047.0000000007000000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.594928792.0000000007310000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.594928792.0000000007310000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.594928792.0000000007310000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.594928792.0000000007310000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.594066194.0000000007010000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.594066194.0000000007010000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.594066194.0000000007010000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.594066194.0000000007010000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000000.343643595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000000.343643595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000003.00000000.343643595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000000.343643595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.593436718.0000000006E80000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.593436718.0000000006E80000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.593436718.0000000006E80000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.593436718.0000000006E80000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.592602875.0000000006540000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.592602875.0000000006540000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.592602875.0000000006540000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.592602875.0000000006540000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.589979363.0000000005050000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.589979363.0000000005050000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.589979363.0000000005050000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.589979363.0000000005050000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.580783944.00000000039C1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.572765724.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000003.00000002.572765724.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.572765724.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Analysis Process: schtasks.exePID: 5176, Parent PID: 4128

General

Target ID:	4
Start time:	12:42:23
Start date:	01/10/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp690.tmp
Imagebase:	0x10a0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 5000, Parent PID: 5176

General

Target ID:	5
Start time:	12:42:23
Start date:	01/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exePID: 3260, Parent PID: 1088

General

Target ID:	6
Start time:	12:42:23
Start date:	01/10/2022
Path:	C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe" 0
Imagebase:	0xcf0000
File size:	1189376 bytes
MD5 hash:	C5CA6BF1A4D668ABAE8A1BD58DA7FA89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Analysis Process: schtasks.exePID: 2264, Parent PID: 4128

General

Target ID:	7
Start time:	12:42:24
Start date:	01/10/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpA4B.tmp
Imagebase:	0x10a0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 6052, Parent PID: 2264

General

Target ID:	8
Start time:	12:42:25
Start date:	01/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: dhcpmon.exePID: 1680, Parent PID: 1088

General

Target ID:	9
Start time:	12:42:26
Start date:	01/10/2022
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
Imagebase:	0x9a0000
File size:	1189376 bytes
MD5 hash:	C5CA6BF1A4D668ABAE8A1BD58DA7FA89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 37%, ReversingLabs
Reputation:	low

Analysis Process: dhcpmon.exePID: 2068, Parent PID: 3528

General

Target ID:	10
Start time:	12:42:34
Start date:	01/10/2022
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Imagebase:	0x4b0000
File size:	1189376 bytes
MD5 hash:	C5CA6BF1A4D668ABAE8A1BD58DA7FA89
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	low

Analysis Process: schtasks.exePID: 3736, Parent PID: 3260

General

Target ID:	13
Start time:	12:43:00
Start date:	01/10/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JLsbuY" /XML "C:\Users\user\AppData\Local\Temp\tmp2889.tmp
Imagebase:	0x10a0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: schtasks.exePID: 920, Parent PID: 1680

General

Target ID:	14
Start time:	12:43:01
Start date:	01/10/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JLsbuY" /XML "C:\Users\user\AppData\Local\Temp\tmp2B48.tmp
Imagebase:	0x10a0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 4748, Parent PID: 3736

General

Target ID:	15
Start time:	12:43:01
Start date:	01/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 2220, Parent PID: 920

General

Target ID:	16
Start time:	12:43:01
Start date:	01/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exePID: 5000, Parent PID: 3260

General

Target ID:	17
Start time:	12:43:02
Start date:	01/10/2022
Path:	C:\Users\user\Desktop\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0x9c0000
File size:	1189376 bytes
MD5 hash:	C5CA6BF1A4D668ABAE8A1BD58DA7FA89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.500556457.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000011.00000002.500556457.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000011.00000002.500556457.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.497822993.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000011.00000002.497822993.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000011.00000002.497822993.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, Author: unknown

Analysis Process: dhcpmon.exePID: 1276, Parent PID: 1680

General

Target ID:	18
Start time:	12:43:02
Start date:	01/10/2022
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xce0000
File size:	1189376 bytes
MD5 hash:	C5CA6BF1A4D668ABAE8A1BD58DA7FA89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.502379246.0000000003271000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000012.00000002.502379246.0000000003271000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000012.00000002.502379246.0000000003271000.00000004.00000800.00020000.00000000.sdmp, Author: unknown

Analysis Process: schtasks.exePID: 5716, Parent PID: 2068

General

Target ID:	19
Start time:	12:43:15
Start date:	01/10/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JLsbuY" /XML "C:\Users\user\AppData\Local\Temp\tmp63CD.tmp
Imagebase:	0x10a0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 4616, Parent PID: 5716

General

Target ID:	20
Start time:	12:43:16
Start date:	01/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: dhcpmon.exePID: 2760, Parent PID: 2068

General

Target ID:	21
Start time:	12:43:18
Start date:	01/10/2022
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0x4f0000
File size:	1189376 bytes
MD5 hash:	C5CA6BF1A4D668ABAE8A1BD58DA7FA89
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET

Disassembly

⊘No disassembly

Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000000.299314738.0000000000234000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamenRlQOE1.exe. vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.345324035.000000000092B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.380264249.0000000006DF0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameQuestKingdom.dllH vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.380457215.0000000006FE0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.346938414.00000000024F8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.352245428.00000000035EE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQuestKingdom.dllH vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.352245428.00000000035EE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000000.00000002.352245428.00000000035EE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamenRlQOE1.exe. vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.594571838.00000000072D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.594571838.00000000072D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.593893494.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.595033114.000000000731E000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.590737920.0000000005CC0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581612836.0000000003A90000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.593817105.0000000006FE0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000003.376885871.0000000006301000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.591435010.00000000060B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.581179879.0000000003A41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.574094218.0000000002A5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.594220234.00000000072A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.584965011.0000000003CAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.584965011.0000000003CAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.584965011.0000000003CAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.584965011.0000000003CAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.584965011.0000000003CAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.584965011.0000000003CAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.584965011.0000000003CAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.584965011.0000000003CAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.590874533.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.594823559.00000000072F8000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.593962047.0000000007000000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.594532217.00000000072C8000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.594066194.0000000007010000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.592602875.0000000006540000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.593436718.0000000006E80000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.572765724.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.572765724.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.572765724.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.580783944.00000000039C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.580783944.00000000039C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000003.00000002.580783944.00000000039C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000006.00000002.457454682.00000000043BA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQuestKingdom.dllH vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000006.00000002.441282649.00000000015EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000011.00000002.500556457.0000000003E59000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000011.00000002.500556457.0000000003E59000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000011.00000002.500556457.0000000003E59000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000011.00000002.497822993.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe, 00000011.00000002.497822993.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Source: APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	Binary or memory string: OriginalFilenamenRlQOE1.exe. vs APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

AV Detection

E-Banking Fraud

Persistence and Installation Behavior

Stealing of Sensitive Information

Remote Access Functionality

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log

C:\Users\user\AppData\Local\Temp\tmp2889.tmp

C:\Users\user\AppData\Local\Temp\tmp2B48.tmp

C:\Users\user\AppData\Local\Temp\tmp63CD.tmp

C:\Users\user\AppData\Local\Temp\tmp690.tmp

C:\Users\user\AppData\Local\Temp\tmp8832.tmp

Windows Analysis Report
APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre