Analysis Report DINTEC PO.exe

Overview

General Information

Sample Name: DINTEC PO.exe
Analysis ID: 339185
MD5: f1d00b68162820d29eb884a91b9e6a09
SHA1: 406621cc2e30d19645513296fe1c5f50dd6c3848
SHA256: 29800b7d8e8c3c60918a37c992a2890b4ccf9e4e0c949accd48821302d0f2891
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM_3
Yara detected Nanocore RAT
Allocates memory in foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Uses dynamic DNS services
Writes to foreign memory regions
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • DINTEC PO.exe (PID: 4584 cmdline: 'C:\Users\user\Desktop\DINTEC PO.exe' MD5: F1D00B68162820D29EB884A91B9E6A09)
    • a.exe (PID: 6040 cmdline: 'C:\Users\user\AppData\Roaming\a.exe' MD5: F1D00B68162820D29EB884A91B9E6A09)
  • a.exe (PID: 6896 cmdline: 'C:\Users\user\AppData\Roaming\a.exe' MD5: F1D00B68162820D29EB884A91B9E6A09)
    • InstallUtil.exe (PID: 6676 cmdline: C:\Users\user\AppData\Local\Temp\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
  • dhcpmon.exe (PID: 4904 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: EFEC8C379D165E3F33B536739AEE26A3)
    • conhost.exe (PID: 6128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Source: 00000004.00000003.901015469.0000000004838000.00000004.00000001.sdmp; Rule: NanoCore; Description: unknown; Author: Kevin Breen <kevin@techanarchy.net>; Strings:
  • 0x20f2:$a: NanoCore
  • 0x2117:$a: NanoCore
  • 0x2170:$a: NanoCore
  • 0x1230d:$a: NanoCore
  • 0x12333:$a: NanoCore
  • 0x1238f:$a: NanoCore
  • 0x1f1e4:$a: NanoCore
  • 0x1f23d:$a: NanoCore
  • 0x1f270:$a: NanoCore
  • 0x1f49c:$a: NanoCore
  • 0x1f518:$a: NanoCore
  • 0x1fb31:$a: NanoCore
  • 0x1fc7a:$a: NanoCore
  • 0x2014e:$a: NanoCore
  • 0x20435:$a: NanoCore
  • 0x2044c:$a: NanoCore
  • 0x259ea:$a: NanoCore
  • 0x25a64:$a: NanoCore
  • 0x2a601:$a: NanoCore
  • 0x2b9bb:$a: NanoCore
  • 0x2ba05:$a: NanoCore
Source: 00000002.00000002.1055562426.00000000041EF000.00000004.00000001.sdmp; Rule: Nanocore_RAT_Gen_2; Description: Detetcs the Nanocore RAT; Author: Florian Roth; Strings:
  • 0x10ef7:$x1: NanoCore.ClientPluginHost
  • 0x43aa5:$x1: NanoCore.ClientPluginHost
  • 0x10f34:$x2: IClientNetworkHost
  • 0x43ae2:$x2: IClientNetworkHost
  • 0x14a67:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x47615:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 00000002.00000002.1055562426.00000000041EF000.00000004.00000001.sdmp; Rule: JoeSecurity_Nanocore; Description: Yara detected Nanocore RAT; Author: Joe Security
Source: 00000002.00000002.1055562426.00000000041EF000.00000004.00000001.sdmp; Rule: NanoCore; Description: unknown; Author: Kevin Breen <kevin@techanarchy.net>; Strings:
  • 0x10c5f:$a: NanoCore
  • 0x10c6f:$a: NanoCore
  • 0x10ea3:$a: NanoCore
  • 0x10eb7:$a: NanoCore
  • 0x10ef7:$a: NanoCore
  • 0x4380d:$a: NanoCore
  • 0x4381d:$a: NanoCore
  • 0x43a51:$a: NanoCore
  • 0x43a65:$a: NanoCore
  • 0x43aa5:$a: NanoCore
  • 0x10cbe:$b: ClientPlugin
  • 0x10ec0:$b: ClientPlugin
  • 0x10f00:$b: ClientPlugin
  • 0x4386c:$b: ClientPlugin
  • 0x43a6e:$b: ClientPlugin
  • 0x43aae:$b: ClientPlugin
  • 0x10de5:$c: ProjectData
  • 0x43993:$c: ProjectData
  • 0x117ec:$d: DESCrypto
  • 0x4439a:$d: DESCrypto
  • 0x191b8:$e: KeepAlive
Source: 00000000.00000002.717848221.00000000049AF000.00000004.00000001.sdmp; Rule: Nanocore_RAT_Gen_2; Description: Detetcs the Nanocore RAT; Author: Florian Roth; Strings:
  • 0x10ef7:$x1: NanoCore.ClientPluginHost
  • 0x43aa5:$x1: NanoCore.ClientPluginHost
  • 0x10f34:$x2: IClientNetworkHost
  • 0x43ae2:$x2: IClientNetworkHost
  • 0x14a67:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x47615:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ProcessId: 6676, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview


AV Detection:

Yara detected Nanocore RAT
Source: Yara match; File source: 00000002.00000002.1055562426.00000000041EF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.717848221.00000000049AF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1055335478.0000000004059000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1055038371.0000000003711000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.717510555.0000000004819000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: DINTEC PO.exe PID: 4584, type: MEMORY
Source: Yara match; File source: Process Memory Space: a.exe PID: 6896, type: MEMORY
Source: DINTEC PO.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: DINTEC PO.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: System.pdbM; source: InstallUtil.exe, 00000004.00000003.904681464.0000000001078000.00000004.00000001.sdmp
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll; source: InstallUtil.exe, 00000004.00000003.724638869.0000000001031000.00000004.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.749350988.00000000008A2000.00000002.00020000.sdmp, dhcpmon.exe.4.dr
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb; source: InstallUtil.exe, 00000004.00000003.901015469.0000000004838000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb; source: InstallUtil.exe, 00000004.00000003.901015469.0000000004838000.00000004.00000001.sdmp
Source: Binary string: InstallUtil.pdb; source: InstallUtil.exe, 00000004.00000003.724638869.0000000001031000.00000004.00000001.sdmp, dhcpmon.exe, dhcpmon.exe.4.dr
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb; source: InstallUtil.exe, 00000004.00000003.901015469.0000000004838000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb; source: InstallUtil.exe, 00000004.00000003.901015469.0000000004838000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb; source: InstallUtil.exe, 00000004.00000003.901015469.0000000004838000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\DINTEC PO.exe; Code function: 4x nop then jmp 0146EB76h (0_2_0146E3A0)
Source: C:\Users\user\Desktop\DINTEC PO.exe; Code function: 4x nop then mov esp, ebp (0_2_01468DC0)
Source: C:\Users\user\Desktop\DINTEC PO.exe; Code function: 4x nop then mov esp, ebp (0_2_01468DB1)
Source: C:\Users\user\Desktop\DINTEC PO.exe; Code function: 4x nop then lea esp, dword ptr [ebp-08h] (0_2_055BD1EA)
Source: C:\Users\user\Desktop\DINTEC PO.exe; Code function: 4x nop then lea esp, dword ptr [ebp-08h] (0_2_055BA5B8)
Source: C:\Users\user\Desktop\DINTEC PO.exe; Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h (0_2_055B5410)
Source: C:\Users\user\Desktop\DINTEC PO.exe; Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h (0_2_055B60EC)
Source: C:\Users\user\Desktop\DINTEC PO.exe; Code function: 4x nop then push dword ptr [ebp-24h] (0_2_055B4095)
Source: C:\Users\user\Desktop\DINTEC PO.exe; Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh (0_2_055B4095)
Source: C:\Users\user\Desktop\DINTEC PO.exe; Code function: 4x nop then push dword ptr [ebp-24h] (0_2_055B40A0)
Source: C:\Users\user\Desktop\DINTEC PO.exe; Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh (0_2_055B40A0)
Source: C:\Users\user\Desktop\DINTEC PO.exe; Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h (0_2_055B533C)
Source: C:\Users\user\Desktop\DINTEC PO.exe; Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h (0_2_055B32C0)
Source: C:\Users\user\Desktop\DINTEC PO.exe; Code function: 4x nop then push dword ptr [ebp-20h] (0_2_055B3D75)
Source: C:\Users\user\Desktop\DINTEC PO.exe; Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh (0_2_055B3D75)
Source: C:\Users\user\Desktop\DINTEC PO.exe; Code function: 4x nop then mov esp, ebp (0_2_055BBDD8)
Source: C:\Users\user\Desktop\DINTEC PO.exe; Code function: 4x nop then push dword ptr [ebp-20h] (0_2_055B3D80)
Source: C:\Users\user\Desktop\DINTEC PO.exe; Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh (0_2_055B3D80)
Source: C:\Users\user\Desktop\DINTEC PO.exe; Code function: 4x nop then xor edx, edx (0_2_055B3FD8)
Source: C:\Users\user\Desktop\DINTEC PO.exe; Code function: 4x nop then xor edx, edx (0_2_055B3FCC)
Source: C:\Users\user\Desktop\DINTEC PO.exe; Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h (0_2_055B389D)
Source: C:\Users\user\AppData\Roaming\a.exe; Code function: 4x nop then jmp 024AEB76h (2_2_024AE3A0)
Source: C:\Users\user\AppData\Roaming\a.exe; Code function: 4x nop then mov esp, ebp (2_2_024A8DC0)
Source: C:\Users\user\AppData\Roaming\a.exe; Code function: 4x nop then mov esp, ebp (2_2_024A8DB1)
Source: C:\Users\user\AppData\Roaming\a.exe; Code function: 4x nop then mov esp, ebp (5_2_02608DC0)
Source: C:\Users\user\AppData\Roaming\a.exe; Code function: 4x nop then mov esp, ebp (5_2_02608DB1)

Networking:

Uses dynamic DNS services
Source: unknown; DNS query: name: mnvh54254.ddns.net
Source: global traffic; TCP traffic: 192.168.2.4:49741 -> 95.181.155.123:6653
Source: Joe Sandbox View; ASN Name: MSKHOSTRU MSKHOSTRU
Source: unknown; DNS traffic detected: queries for: mnvh54254.ddns.net
Source: InstallUtil.exe, 00000004.00000003.901015469.0000000004838000.00000004.00000001.sdmp; String found in binary or memory: http://google.com
Source: DINTEC PO.exe, 00000000.00000003.714561873.0000000001729000.00000004.00000001.sdmp, a.exe, 00000002.00000002.1048821973.0000000000BD9000.00000004.00000040.sdmp; String found in binary or memory: http://iptc.tc4xmp
Source: DINTEC PO.exe, 00000000.00000003.714561873.0000000001729000.00000004.00000001.sdmp; String found in binary or memory: http://ns.ado/Ident

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match; File source: 00000002.00000002.1055562426.00000000041EF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.717848221.00000000049AF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1055335478.0000000004059000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1055038371.0000000003711000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.717510555.0000000004819000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: DINTEC PO.exe PID: 4584, type: MEMORY
Source: Yara match; File source: Process Memory Space: a.exe PID: 6896, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000004.00000003.901015469.0000000004838000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.1055562426.00000000041EF000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000002.00000002.1055562426.00000000041EF000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.717848221.00000000049AF000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000000.00000002.717848221.00000000049AF000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.1055335478.0000000004059000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000002.00000002.1055335478.0000000004059000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.1055038371.0000000003711000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000002.00000002.1055038371.0000000003711000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.717510555.0000000004819000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000000.00000002.717510555.0000000004819000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: InstallUtil.exe PID: 6676, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: DINTEC PO.exe PID: 4584, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: Process Memory Space: DINTEC PO.exe PID: 4584, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: a.exe PID: 6896, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: Process Memory Space: a.exe PID: 6896, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Roaming\a.exe; Code function: 2_2_0B583838 CreateProcessAsUserW (2_2_0B583838)
Source: DINTEC PO.exe; Binary or memory string: OriginalFilename vs DINTEC PO.exe
Source: DINTEC PO.exe, 00000000.00000002.720031386.00000000054F0000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameSHCore1.dll0 vs DINTEC PO.exe
Source: DINTEC PO.exe, 00000000.00000002.721497047.0000000008560000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs DINTEC PO.exe
Source: DINTEC PO.exe, 00000000.00000002.721423524.0000000008415000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenamePO ALCA.exeH vs DINTEC PO.exe
Source: DINTEC PO.exe, 00000000.00000002.722399909.0000000008FF0000.00000002.00000001.sdmp; Binary or memory string: originalfilename vs DINTEC PO.exe
Source: DINTEC PO.exe, 00000000.00000002.722399909.0000000008FF0000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs DINTEC PO.exe
Source: DINTEC PO.exe, 00000000.00000002.722132752.0000000008EF0000.00000002.00000001.sdmp; Binary or memory string: System.OriginalFileName vs DINTEC PO.exe
Source: DINTEC PO.exe, 00000000.00000002.720559556.0000000005660000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamemscorrc.dllT vs DINTEC PO.exe
Source: DINTEC PO.exe; Binary or memory string: OriginalFilenamePO ALCA.exeH vs DINTEC PO.exe
Source: C:\Users\user\Desktop\DINTEC PO.exe; Section loaded: propsys.dll
Source: C:\Users\user\Desktop\DINTEC PO.exe; Section loaded: windows.staterepositoryps.dll
Source: 00000004.00000003.901015469.0000000004838000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.1055562426.00000000041EF000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.1055562426.00000000041EF000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.717848221.00000000049AF000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.717848221.00000000049AF000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.1055335478.0000000004059000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.1055335478.0000000004059000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.1055038371.0000000003711000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.1055038371.0000000003711000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.717510555.0000000004819000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.717510555.0000000004819000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: InstallUtil.exe PID: 6676, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: DINTEC PO.exe PID: 4584, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: DINTEC PO.exe PID: 4584, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: a.exe PID: 6896, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: a.exe PID: 6896, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: classification engine; Classification label: mal100.troj.evad.winEXE@8/13@2/1
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; File created: C:\Program Files (x86)\DHCP Monitor
Source: C:\Users\user\Desktop\DINTEC PO.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.lnk
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Mutant created: \Sessions\1\BaseNamedObjects\Global\{ffdfcbd2-3989-4236-a47d-b9533fb19ad2}
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6128:120:WilError_01
Source: C:\Users\user\Desktop\DINTEC PO.exe; File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: DINTEC PO.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DINTEC PO.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\a.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\a.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\DINTEC PO.exe; File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\DINTEC PO.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\DINTEC PO.exe; File read: C:\Users\user\Desktop\DINTEC PO.exe
Source: unknown; Process created: C:\Users\user\Desktop\DINTEC PO.exe 'C:\Users\user\Desktop\DINTEC PO.exe'
Source: unknown; Process created: C:\Users\user\AppData\Roaming\a.exe 'C:\Users\user\AppData\Roaming\a.exe'
Source: unknown; Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: unknown; Process created: C:\Users\user\AppData\Roaming\a.exe 'C:\Users\user\AppData\Roaming\a.exe'
Source: unknown; Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: unknown; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DINTEC PO.exe; Process created: C:\Users\user\AppData\Roaming\a.exe 'C:\Users\user\AppData\Roaming\a.exe'
Source: C:\Users\user\AppData\Roaming\a.exe; Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\Desktop\DINTEC PO.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
Source: C:\Users\user\Desktop\DINTEC PO.exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: DINTEC PO.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    Source: C:\Users\user\Desktop\DINTEC PO.exe | Code function: 0_2_055BD340 pushfd ; ret 0_2_055BD349
    Source: C:\Users\user\AppData\Roaming\a.exe | Code function: 5_2_02606976 push 0000003Bh; ret 5_2_0260697D
    Source: C:\Users\user\AppData\Roaming\a.exe | Code function: 5_2_0260694A push 0000003Bh; ret 5_2_0260694F
    Source: C:\Users\user\Desktop\DINTEC PO.exe | File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
    Source: C:\Users\user\Desktop\DINTEC PO.exe | File created: C:\Users\user\AppData\Roaming\a.exe
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
    Source: C:\Users\user\Desktop\DINTEC PO.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.lnk

    Hooking and other Techniques for Hiding and Protection:

    Hides that the sample has been downloaded from the Internet (zone.identifier)
    Source: C:\Users\user\Desktop\DINTEC PO.exe | File opened: C:\Users\user\Desktop\DINTEC PO.exe\:Zone.Identifier read attributes | delete
    Source: C:\Users\user\AppData\Roaming\a.exe | File opened: C:\Users\user\AppData\Roaming\a.exe\:Zone.Identifier read attributes | delete
    Source: C:\Users\user\Desktop\DINTEC PO.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
    Source: C:\Users\user\Desktop\DINTEC PO.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\a.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion:

    Yara detected AntiVM_3
    Source: Yara match | File source: Process Memory Space: DINTEC PO.exe PID: 4584, type: MEMORY
    Source: C:\Users\user\Desktop\DINTEC PO.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    Source: C:\Users\user\Desktop\DINTEC PO.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Users\user\AppData\Roaming\a.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Window / User API: threadDelayed 3849
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Window / User API: threadDelayed 5664
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Window / User API: foregroundWindowGot 701
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Window / User API: foregroundWindowGot 626
    Source: C:\Users\user\Desktop\DINTEC PO.exe TID: 6724 | Thread sleep time: -2767011611056431s >= -30000s
    Source: C:\Users\user\Desktop\DINTEC PO.exe TID: 6736 | Thread sleep count: 196 > 30
    Source: C:\Users\user\Desktop\DINTEC PO.exe TID: 6544 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\AppData\Roaming\a.exe TID: 6992 | Thread sleep count: 261 > 30
    Source: C:\Users\user\AppData\Roaming\a.exe TID: 6992 | Thread sleep time: -261000s >= -30000s
    Source: C:\Users\user\AppData\Roaming\a.exe TID: 6944 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\AppData\Roaming\a.exe TID: 1444 | Thread sleep count: 53 > 30
    Source: C:\Users\user\AppData\Roaming\a.exe TID: 1444 | Thread sleep count: 122 > 30
    Source: C:\Users\user\AppData\Roaming\a.exe TID: 5712 | Thread sleep count: 349 > 30
    Source: C:\Users\user\AppData\Roaming\a.exe TID: 5712 | Thread sleep time: -349000s >= -30000s
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 3976 | Thread sleep time: -13835058055282155s >= -30000s
    Source: C:\Users\user\AppData\Roaming\a.exe TID: 6384 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6752 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\AppData\Roaming\a.exe | Last function: Thread delayed
    Source: a.exe, 00000005.00000002.721055726.0000000003771000.00000004.00000001.sdmp | Binary or memory string: VMware
    Source: a.exe, 00000005.00000002.721055726.0000000003771000.00000004.00000001.sdmp | Binary or memory string: vmware svga
    Source: DINTEC PO.exe, 00000000.00000002.721497047.0000000008560000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
    Source: a.exe, 00000005.00000002.721055726.0000000003771000.00000004.00000001.sdmp | Binary or memory string: vmware